Secret Keeper is a tool that helps users manage and review changes to secrets in encrypted repositories. It does this by filtering files with no secret changes out of the git worktree, so that re-encryption alone does not produce a diff. This makes it easier to review changes to secrets and to commit only updated secrets.
- Filters files with no secret changes from the git worktree
- Supports Ansible Vault and Sops encrypted repositories
- Easy to use and configure
- Generates a report of the filtered changes
Secret Keeper offers a number of benefits, including:
- Makes it easier to review changes to secrets
- Improves the security of secrets by reducing the amount of time that they are exposed in cleartext in the git worktree
- Reduces the number of unnecessary diffs created in the repo
```shell
go install github.com/everesthack-incubator/secret-keeper@latest
```
Requirements:
- git
- the vault tools you intend to use, such as ansible-vault or sops
Inside your repository, create a new `config.secret-keeper.yaml` file and modify it as needed. The following are example configuration files for Ansible Vault and Sops.

Ansible Vault
```yaml
secret_files_patterns: # The list of file patterns to treat as secrets in the repository across all folders
  - "*.tf"
  - "*.password"
vault_tool: "ansible-vault"
# The args to encrypt a file in-place using the vault tool
encrypt_args:
  - "encrypt"
  - "--vault-password-file"
  - "~/.vault-password-file"
# The args to decrypt a file in-place using the vault tool
decrypt_args:
  - "decrypt"
  - "--vault-password-file"
  - "~/.vault-password-file"
# The args to view the secret in the file using the vault tool
view_args:
  - "view"
  - "--vault-password-file"
  - "~/.vault-password-file"
```
Mozilla Sops
```yaml
secret_files_patterns: # The list of file patterns to treat as secrets in the repository across all folders
  - "*.tf"
  - "*.password"
vault_tool: "sops"
# The args to encrypt a file in-place using the vault tool
encrypt_args:
  - "--encrypt"
  - "--in-place"
  - "--pgp"
# The args to decrypt a file in-place using the vault tool
decrypt_args:
  - "--decrypt"
  - "--in-place"
  - "--pgp"
# The args to view the secret in the file using the vault tool
view_args:
  - "--decrypt"
  - "--pgp"
```
This configuration file controls the behavior of the tool, allowing you to specify which files should be treated as secrets, enable debug mode, and set the encryption and decryption parameters.
- After creating the configuration file, initialize the repository with the tool:
```shell
secret-keeper init
```
- Start using the tool:
```shell
secret-keeper encrypt  # encrypts all the secrets, if not already encrypted; also cleans the secrets from the git worktree
secret-keeper clean    # cleans the secrets from the git worktree
secret-keeper decrypt  # decrypts all the secrets, if not already decrypted
```
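As an added illustration (not code from the Secret Keeper project), the following Python sketch shows the decision behind the clean step: a path counts as a secret when its base name matches one of the `secret_files_patterns` from the config above, and a changed secret file is restored from HEAD only when its decrypted content is unchanged, so re-randomized ciphertext alone never produces a diff. The vault tool is stood in for by a constructed toy cipher; a real implementation would run `vault_tool` with `view_args` instead.

```python
import fnmatch
import hashlib
import os
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed subset of config.secret-keeper.yaml (same keys as the page's example).
# Patterns are matched against the base name so they apply across all folders.
SECRET_FILES_PATTERNS = ["*.tf", "*.password"]


def is_secret_file(path: str) -> bool:
    name = os.path.basename(path)
    return any(fnmatch.fnmatch(name, pat) for pat in SECRET_FILES_PATTERNS)


def files_to_restore(changed: Dict[str, Tuple[bytes, bytes]],
                     decrypt: Callable[[bytes], bytes]) -> List[str]:
    """changed maps path -> (HEAD ciphertext, worktree ciphertext).
    Returns the secret files whose plaintext is identical in both versions;
    their ciphertext differs only because the vault tool re-randomizes on
    encrypt, so the clean step should restore them from HEAD."""
    restore: List[str] = []
    for path, (head_ct, work_ct) in sorted(changed.items()):
        if not is_secret_file(path):
            continue  # ordinary file: leave its diff alone
        if head_ct == work_ct:
            continue  # nothing to do
        head_digest = hashlib.sha256(decrypt(head_ct)).digest()
        work_digest = hashlib.sha256(decrypt(work_ct)).digest()
        if head_digest == work_digest:
            restore.append(path)
    return restore


# --- constructed stand-in for a vault tool: a toy cipher, NOT a real vault ---
_TOY_KEY = b"toy-key-for-demo-only"


def toy_encrypt(plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(8)  # fresh nonce: same plaintext, new ciphertext
    keystream = hashlib.sha256(_TOY_KEY + nonce).digest()
    body = bytes(b ^ keystream[i % 32] for i, b in enumerate(plaintext))
    return nonce + body


def toy_decrypt(ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:8], ciphertext[8:]
    keystream = hashlib.sha256(_TOY_KEY + nonce).digest()
    return bytes(b ^ keystream[i % 32] for i, b in enumerate(body))
```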
- Enhance the performance by ~3x while decrypting, cleaning, and encrypting secrets
- Handle the git lock file more robustly; previously it caused the restore process to fail
- Ensure that the new/untracked files are not discarded on the clean command
- Ensure that adding a new file to the repo does not cause the clean command to fail
- Improve the onboarding process
- Add support for more secret management tools in the same repo
- Add support for different types of repositories
- Add the ability to ignore certain files or directories.
- Add the ability to generate a report of the filtered changes.
- Add support for continuous integration (CI) and continuous delivery (CD) pipelines
Thanks go to these wonderful people:
- Bishwa Thapa 💻 📖 💡 🤔 🚧 📦 🔬
- Kripesh Dhakal 🐛 💻 📖 💡 🤔 📦 👀
This project follows the all-contributors specification. Contributions of any kind welcome!
Secret Keeper is licensed under the MIT License.