Miroirs/secret
1
0
Fork 0
mirror of https://github.com/angt/secret synced 2025-01-31 19:57:34 +01:00
Code Issues Projects Releases Packages Wiki Activity
secret/README.md
Steven LE ROUX 875180f987
Some checks failed
Build / build (macOS-latest) (push) Has been cancelled
Build / build (ubuntu-latest) (push) Has been cancelled
Add examples for multiline support
2025-01-06 14:36:39 +01:00

219 lines
5.9 KiB
Markdown
Raw Blame History

# secret
A simple and tiny tool that will help you keep your little secrets.
## Features
`secret` is the simplest secret store you can think of.
But it does have some interesting features:
- Requires only one file `~/.secret` that you can share publicly without fear.
- No configuration. No directory. Get back your file and you're done.
- Secret names (usually hostname, mail, login, etc.) are also encrypted.
- A secret agent that only trusts subprocesses. Not all the processes of the same user!
- Secret names completion is available after calling the secret agent.
- Supports unstored secrets. Derived from some simple keys and a passphrase.
- Supports multiple passphrases. A confirmation is requested for each new passphrase.
- Supports TOTP natively. The name must contain the word `totp`.
- Depends only on the [libhydrogen](https://libhydrogen.org/) library.
- Small, simple and non obfuscated C code. Well, I hope so :)
## Security
The main goal is to have `secret` working on all architectures and to make it very simple to audit.
Luckily, permutation-based cryptography has arrived and makes it possible to achieve this goal with very little code.
In 2020, using a bloated library full of CVEs will not have been reasonable considering the major advances in this field.
Only one cryptographic building block is used, the [Gimli](https://gimli.cr.yp.to/gimli-20170627.pdf) permutation.
All cryptographic operations are derived from this permutation and implemented in the [libhydrogen](https://libhydrogen.org/) library.
## Install
### Homebrew
You can simply install `secret` from my [Homebrew Tap](https://github.com/angt/homebrew-tap):
$ brew install angt/tap/secret
### Build from source
This should work on a wide variety of architectures and POSIX systems.
It was successfully tested on Linux, OpenBSD, FreeBSD and MacOS.
Clone the repository recursively:
$ git clone https://github.com/angt/secret --recursive
$ cd secret
Then, run as `root`:
# make install
As usual, you can customize the destination with `DESTDIR` and `prefix`.
Typically if you want to change the default `/usr/local` prefix:
# make prefix=/usr install
### Tab completion
Tab completion works with `bash`, `zsh` and `yash`.
Unfortunately, it doesn't work out of the box, you have to setup it manually.
Luckily, it's super easy!
Download the file corresponding to your shell:
- [argz.bash](https://raw.githubusercontent.com/angt/argz/master/comp/argz.bash)
- [argz.yash](https://raw.githubusercontent.com/angt/argz/master/comp/argz.yash)
- [argz.zsh](https://raw.githubusercontent.com/angt/argz/master/comp/argz.zsh)
Then, for `bash`, you can add these lines in your `.bashrc`:
. YOUR_PATH_TO/argz.bash
complete -F _argz secret
For `yash`, in your `.yashrc`:
. YOUR_PATH_TO/argz.yash
function completion/secret {
command -f completion//reexecute argz
}
And finally, for `zsh`, in your `.zshrc`:
. YOUR_PATH_TO/argz.zsh
compdef _argz secret
Completion for secrets is only available in a trusted shell. See below.
## Commands
Available commands:
init Initialize secret for the current user
list List all secrets for a given passphrase
show Print a secret
new Generate a new random secret
set Set a new secret
renew Regenerate an existing secret
update Update an existing secret
pass Print a deterministic secret
agent Run a process in a trusted zone
version Show version
All secrets are encrypted in the file `~/.secret`.
You can use a different file with the `SECRET_STORE` environment variable:
$ env SECRET_STORE=<FILE> secret ...
## Examples
Initialize secret for the current user:
$ secret init
Add a new randomly generated secret:
$ secret new test
Passphrase:
No secrets stored with this passphrase.
Please, retype it to confirm:
/xK;{%@d~hPh.L'5-Sn{sBQd5
Show the secret:
$ secret show test
Passphrase:
/xK;{%@d~hPh.L'5-Sn{sBQd5
Rename a secret, press ENTER to not change it:
$ secret update test test2
Passphrase:
Secret:
$ secret show test2
Passphrase:
/xK;{%@d~hPh.L'5-Sn{sBQd5
Pipe a secret:
$ secret show test2 | tr -cd [a-z] | secret update test2
Passphrase:
Passphrase:
$ secret show test2
Passphrase:
xdhhnsd
Add a TOTP token:
$ echo -n JBSWY3DPEHPK3PXP | base32 -d | secret set test/totp
Passphrase:
$ secret show test/totp
Passphrase:
$ 123456
Add a base32 encoded TOTP token:
$ echo JBSWY3DPEHPK3PXP | secret set test/totp32
Passphrase:
$ secret show test/totp32
Passphrase:
$ 123456
Derive a deterministic (a.k.a. unstored) secret:
$ secret pass me@domain.com
Passphrase:
a`4$B2mJ=|"HD?b4:/y"?wOaQ
Subkeys are also supported, this allows to update your secret in a clean way:
$ secret pass me@domain.com 2020
Passphrase:
F"1j;-X]t.Pi>.xf5hG,]dUMz
Add a binary secret:
$ dd if=/dev/urandom bs=1 count=32 2>/dev/null | secret set mykey
Passphrase:
$ secret show mykey | xxd
Passphrase:
00000000: 0ee9 cdb3 de0a 3e71 b623 726d 5d7e eb23 ......>q.#rm]~.#
00000010: 5b43 a458 3fb7 3b96 ea9b 6e47 d302 cae7 [C.X?.;...nG....
Add a multiline secret:
$ secret set test/multiline << EOF
first secret line
second secret line
EOF
$ secret show test/multiline
first secret line
second secret line
Add a reasonable file as secret:
$ cat /tmp/secret_file | secret set test/secret
Start a trusted zone:
$ secret agent
Passphrase:
Now, the passphrase is not requested and completion fully works!
If you don't use `bash` but still want completion,
run `secret agent <yourawesomeshell>` or (much better) send a PR to add support for your shiny shell :)
---
For feature requests and bug reports,
please create an [issue](https://github.com/angt/secret/issues).
Reference in a new issue View git blame Copy permalink