`credible` is a YAML-driven solution for storing, encrypting and retrieving secrets. `age` is used for encryption/decryption.
Write your configuration:

```yaml
# credible.yaml
storage:
  type: S3
  bucket: my-secret-bucket   # S3 bucket name to use
  region: us-east-2          # Region of S3 bucket
secrets:
  - name: "sample"           # Name of the secret
    encryption_keys:         # SSH public keys to encrypt with
      - ssh-ed25519 ...
      - ssh-ed25519 ...
    path: "sample"           # Path/key for backing object store
exposures:
  - secret_name: sample      # Secret name to expose
    type: file               # Expose it as a file
    path: ./secret.txt       # Write the file to this path
  - secret_name: sample
    type: env                # Expose it as an environment variable
    name: SAMPLE_SECRET      # Use this name
```
Upload your secret:

```console
$ echo "hello world" | credible secret upload sample
```

Use it:

```console
$ credible run-command -- sh -c 'echo $SAMPLE_SECRET; cat ./secret.txt'
hello world
hello world
$ echo $SAMPLE_SECRET; cat ./secret.txt
cat: ./secret.txt: No such file or directory
```

`credible` launches a program, provides secrets to it, and cleans them up when the process has finished.
```console
$ credible \
    --exposure env:sample:SAMPLE_SECRET \
    --exposure file:sample:./secret.txt \
    -- sh -c 'echo $SAMPLE_SECRET; cat ./secret.txt'
hello world
hello world
$ echo $SAMPLE_SECRET; cat ./secret.txt
cat: ./secret.txt: No such file or directory
```
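The sessions above show the property that matters: the secret exists as an environment variable and as a file only while the child process runs, and nothing is left behind for the parent shell. The following is an added example of that run-command pattern, written here to illustrate it; it is not credible's own code. It assumes the secret has already been decrypted into memory, writes the file exposure with owner-only permissions (the same `-r--------` style mode the mounted secrets on this page have), refuses to overwrite an existing file, and removes the file in a `finally` block so it never outlives the child.

```python
"""Added example (not credible's code): expose a secret to exactly one child
process as an environment variable and/or a file, then clean up."""
import os
import subprocess
import tempfile
from typing import Any, Dict, List, Optional


def run_with_secret(secret: bytes, env_name: Optional[str], file_path: Optional[str],
                    argv: List[str]) -> subprocess.CompletedProcess:
    """Run argv with the secret exposed only to that process.

    The parent's environment is copied, never modified, so the variable cannot
    leak into later commands; the file is created O_EXCL with mode 0600 and
    removed again whether or not the child succeeds."""
    env: Dict[str, str] = dict(os.environ)
    if env_name:
        env[env_name] = secret.decode()
    created = False
    try:
        if file_path:
            # O_EXCL: fail rather than silently clobber a file that is already there
            fd = os.open(file_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            created = True
            with os.fdopen(fd, "wb") as fh:
                fh.write(secret)
        return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)
    finally:
        if created and os.path.exists(file_path):
            os.remove(file_path)


def demo() -> Dict[str, Any]:
    """Constructed demonstration mirroring the page's session: one secret exposed
    as both SAMPLE_SECRET and a file, read back by sh, then gone."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    result = run_with_secret(
        secret=b"hello world",            # constructed secret value
        env_name="SAMPLE_SECRET",
        file_path=path,
        argv=["sh", "-c", f"echo $SAMPLE_SECRET; cat {path}"],
    )
    summary = {
        "stdout": result.stdout,                      # what the child saw
        "file_exists_after": os.path.exists(path),    # cleaned up?
        "env_leaked": "SAMPLE_SECRET" in os.environ,  # parent untouched?
    }
    os.rmdir(workdir)
    return summary


if __name__ == "__main__":
    print(demo())
```

The child sees both exposures, but after it exits the file is gone and the parent's environment does not contain the variable, which is what the `No such file or directory` line in the session above demonstrates.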
Secrets can also be mounted in a tmpfs for system-level access (they will be unloaded on reboot):

```console
# credible --expose file:sample:/etc/secret.txt system mount
# ls -l /run/credible/
total 4
-r-------- 1 root 12 Sep 9 14:42 secret.txt
[...]
cat /run/credible/secret.txt
hello world
cat /etc/secret.txt
hello world
```
`credible` aims to be a config-first, YAML-driven tool. If no file is provided, `credible` looks for a `credible.yaml`/`credible.yml`:

```yaml
# credible.yaml
storage:
  type: S3
  bucket: my-secret-bucket   # S3 bucket name to use
  region: us-east-2          # Region of S3 bucket
secrets:
  - name: "sample"           # Name of the secret
    encryption_keys:         # SSH public keys to encrypt with
      - ssh-ed25519 ...
      - ssh-ed25519 ...
    path: "sample"           # Path/key for backing object store
exposures:
  - secret_name: sample      # Secret name to expose
    type: file               # Expose it as a file
    path: ./secret.txt       # Write the file to this path
  - secret_name: sample      # Secret name to expose
    type: env                # Expose it as an environment variable
    name: SAMPLE_SECRET      # Use this variable name
```

```console
$ credible run-command -- sh -c 'echo $SAMPLE_SECRET; cat ./secret.txt'
hello world
hello world
```
You can dynamically configure secrets on the command line:

```console
$ credible \
    --exposure file:sample:./super-secret.txt \
    --exposure env:sample:SUPER_SECRET \
    run-command sh -c 'echo $SUPER_SECRET; cat ./super-secret.txt'
hello world
hello world
```
Configuration is composable:

```yaml
# credible.secrets.yaml
storage:
  type: S3
  bucket: my-secret-bucket   # S3 bucket name to use
  region: us-east-2          # Region of S3 bucket
secrets:
  - name: "sample"           # Name of the secret
    encryption_keys:         # SSH public keys to encrypt with
      - ssh-ed25519 ...
      - ssh-ed25519 ...
    path: "sample"           # Path/key for backing object store
```

```yaml
# credible.exposure.yaml
exposures:
  - secret_name: sample
    type: file
    path: ./secret.txt
```

```console
$ credible \
    --config-file ./credible.secrets.yaml \
    --config-file ./credible.exposure.yaml \
    --expose env:sample:TEST \
    run-command -- sh -c 'cat ./secret.txt; echo $TEST'
hello world
hello world
```
Errors are thrown on conflicting configuration:

```yaml
# credible.yaml
# ...
exposures:
  - secret_name: sample
    type: file
    path: ./secret.txt
  - secret_name: other_sample
    type: file
    path: ./secret.txt
```

```console
$ ./target/debug/credible run-command -- sh
20:30:08 [ERROR] error: bad command line arguments: duplicate secret path specified: ./secret.txt
```
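Composing config files and command-line `--expose` flags only works safely if the merged result is checked before any secret is decrypted: two exposures writing the same path would let one secret silently overwrite another. The following added example (illustrative code, not credible's) shows one way to do that check. The configuration documents are written as Python dicts in the shape a YAML parser would produce from the files on this page, so no YAML library is needed; the function names, the rule that a second `storage` block must be identical to the first, and every error string other than the `duplicate secret path specified` message shown above are assumptions about how such a validator could behave.

```python
"""Added example (not credible's code): merge composable config documents plus
--exposure flags, then reject conflicting exposures before doing any work."""
from typing import Any, Dict, List

Config = Dict[str, Any]

# Constructed input: credible.secrets.yaml as a YAML parser would return it
SECRETS_DOC: Config = {
    "storage": {"type": "S3", "bucket": "my-secret-bucket", "region": "us-east-2"},
    "secrets": [
        {"name": "sample", "encryption_keys": ["ssh-ed25519 ..."], "path": "sample"},
        {"name": "other_sample", "encryption_keys": ["ssh-ed25519 ..."], "path": "other"},
    ],
}

# Constructed input: credible.exposure.yaml as parsed
EXPOSURE_DOC: Config = {
    "exposures": [{"secret_name": "sample", "type": "file", "path": "./secret.txt"}],
}


def parse_exposure_flag(flag: str) -> Dict[str, str]:
    """Turn 'env:sample:NAME' / 'file:sample:./path' into an exposure entry.
    Split at most twice so a target path that itself contains ':' survives."""
    parts = flag.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"bad exposure flag {flag!r} (want type:secret:target)")
    kind, secret_name, target = parts
    if kind == "env":
        return {"secret_name": secret_name, "type": "env", "name": target}
    if kind == "file":
        return {"secret_name": secret_name, "type": "file", "path": target}
    raise ValueError(f"unknown exposure type {kind!r}")


def merge_configs(*docs: Config) -> Config:
    """Compose documents: list sections concatenate; a second 'storage' block
    must equal the first (assumption), since two backends would be ambiguous."""
    merged: Config = {"storage": None, "secrets": [], "exposures": []}
    for doc in docs:
        storage = doc.get("storage")
        if storage is not None:
            if merged["storage"] not in (None, storage):
                raise ValueError("conflicting storage configuration")
            merged["storage"] = storage
        merged["secrets"].extend(doc.get("secrets", []))
        merged["exposures"].extend(doc.get("exposures", []))
    return merged


def validate(config: Config) -> List[str]:
    """Return every conflict found; an empty list means the config is usable."""
    errors: List[str] = []
    names = [s["name"] for s in config["secrets"]]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        errors.append(f"duplicate secret name: {dup}")
    seen_paths: set = set()
    seen_envs: set = set()
    for exp in config["exposures"]:
        if exp["secret_name"] not in names:
            errors.append(f"exposure refers to unknown secret: {exp['secret_name']}")
        if exp["type"] == "file":
            if exp["path"] in seen_paths:
                # the same conflict credible reports on this page
                errors.append(f"duplicate secret path specified: {exp['path']}")
            seen_paths.add(exp["path"])
        elif exp["type"] == "env":
            if exp["name"] in seen_envs:
                errors.append(f"duplicate environment variable specified: {exp['name']}")
            seen_envs.add(exp["name"])
        else:
            errors.append(f"unknown exposure type: {exp['type']}")
    return errors


if __name__ == "__main__":
    cli = {"exposures": [parse_exposure_flag("file:other_sample:./secret.txt")]}
    print(validate(merge_configs(SECRETS_DOC, EXPOSURE_DOC, cli)))
```

Running the block reproduces the page's conflict: the file exposure from `credible.exposure.yaml` and the command-line flag both claim `./secret.txt`, so `validate` reports `duplicate secret path specified: ./secret.txt` and nothing is run.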
This project has received NO security auditing, and comes with no guarantees or warranties of any kind, express or implied.

Please report any security issues/vulnerabilities to denbeigh (at) denbeigh stevens (dot) com.

No big corporate bug bounty, but I may buy you a drink if you're local.