secret-keeper

Secret Keeper is a tool that helps users to manage and review changes to secrets in encrypted repositories. It does this by filtering files with no secret changes from the git worktree. This makes it easier to review changes to secrets and to commit only updated secrets.

Features

Filters files with no secret changes from the git worktree
Supports Ansible Vault and Sops encrypted repositories
Easy to use and configure
Generates a report of the filtered changes

Benefits

Secret Keeper offers a number of benefits, including:

Makes it easier to review changes to secrets
Improves the security of secrets by reducing the amount of time that they are exposed in cleartext in the git worktree
Reduces the number of unnecessary diffs created in the repo

Demo

Installation

  go install github.com/thapabishwa/secret-keeper@latest

Pre-requisite

git
desired vault tools like ansible-vault, sops etc

Configuration

Inside your repository, create a new config.secret-keeper.yaml file and modify it as needed. The following is an example configuration file for Ansible Vault and Sops.

Ansible Vault

yaml secret_files_patterns: # The list of file patterns to treat as secrets in the repository across all folders - "*.tf" - "*.password" vault_tool: "ansible-vault" # The args to encrypt a file in-place using the vault tool encrypt_args: - "encrypt" - "--vault-password-file" - "~/.vault-password-file" # The args to decrypt a file in-place using the vault tool decrypt_args: - "decrypt" - "--vault-password-file" - "~/.vault-password-file" # The args to view secret in the file using the vault tool view_args: - "view" - "--vault-password-file" - "~/.vault-password-file"

Mozilla Sops

yaml
  secret_files_patterns:
    # The list of file patterns to treat as secrets in the repository across all folders
    - "*.tf"
    - "*.password"
  vault_tool: "sops"
  # The args to encrypt a file in-place using the vault tool
  encrypt_args:
    - "--encrypt"
    - "--in-place"
    - "--pgp"
  # The args to decrypt a file in-place using the vault tool
  decrypt_args:
    - "--decrypt"
    - "--in-place"
    - "--pgp"
  # The args to view secret in the file using the vault tool
  view_args:
    - "--decrypt"
    - "--pgp"

This configuration file controls the behavior of the tool, allowing you to specify which files should be treated as secrets, enable debug mode, and set the encryption and decryption parameters.

After creating the configuration file, initialize the repository with the tool
```
secret-keeper init
```

Usage

Start using the tool

secret-keeper encrypt # encrypts all the secrets, if not already encrypted. also cleans the secrets from the git worktree
secret-keeper clean # cleans the secrets from the git worktree
secret-keeper decrypt # decrypts all the secrets, if not already decrypted.

Improvements

Enhance the performance by ~3x while decrypting, cleaning, and encrypting secrets
Git lock causes the restore process to fail. Added a better mechanism to handle this
Ensure that the new/untracked files are not discarded on the clean command
Ensure that adding a new file to the repo does not cause the clean command to fail
Improve the onboarding process

Future Improvements

Add Support for more secret management tools in the same repo
Add Support for different types of repositories.
Add the ability to ignore certain files or directories.
Add the ability to generate a report of the filtered changes.
Add support for continuous integration (CI) and continuous delivery (CD) pipelines

Contributors ✨

Thanks goes to these wonderful people:

_{Bishwa Thapa}
💻 📖 💡 🤔 🚧 📦 🔬

_{Kripesh Dhakal}
🐛 💻 📖 💡 🤔 📦 👀

This project follows the all-contributors specification. Contributions of any kind welcome!

License

Secret Keeper is licensed under the MIT License.