Show HN: Scrt – A secret manager for the command line


scrt is a command-line secret manager for developers, sysadmins and devops. scrt aims to provide command-line users with a secure way of storing and retrieving secrets, while retaining control of the storage.


  • Stateless command-line tool for Linux/Windows/Darwin
  • All cryptography happens in the client, on your computer: no passwords, keys or plaintext data over the wire, no key management built in
  • Key/value interface: get/set/unset
  • Configuration from command-line, configuration file or environment variables (no surprising defaults!)
  • Multiple backend options:
    • Local filesystem
    • S3 (or S3-compatible object storage)
    • Git repository
    • More to come…

Download binary release

Download the latest binary release for your platform from the releases page. Decompress the archive to the desired location. E.g.

tar xzvf scrt_1.2.3_linux_x86_64.tar.gz
sudo cp scrt_1.2.3_linux_x86_64/scrt /usr/local/bin/scrt

apt (Debian/Ubuntu)

Configure the apt repository:

echo "deb https://apt.scrt.run /" | sudo tee /etc/apt/sources.list.d/scrt.list
curl "https://apt.scrt.run/key.gpg" | sudo apt-key add -

Install the binary package:

sudo apt update
sudo apt install scrt

yum (RHEL/CentOS)

Configure the yum repository, in /etc/yum.repos.d/scrt.repo:

[scrt]
name=scrt
baseurl=https://yum.scrt.run
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://yum.scrt.run/key.gpg
sslverify=1
metadata_expire=300

Install the binary package:

sudo yum update
sudo yum install scrt

Homebrew (macOS)

Configure the Homebrew tap:

Install the binary equipment:

go get

Use go get to download and build the latest version:

go get github.com/loderunner/scrt

scrt will be available in the binaries directory of your GOPATH. Add it to your PATH, and run scrt.

Build from source

Clone the repository and use go build to build a binary (requires go>=1.16):

git clone https://github.com/loderunner/scrt.git
cd scrt
go build .

The built executable will be located at scrt at the root of the repository.

Initialization

Initialize a new store, with scrt init.

scrt init --storage=local \
          --password=p4ssw0rd \
          --local-path=~/.scrt/store.scrt
# store initialized

This will create an empty store, in a store.scrt file located in .scrt inside your home directory. The file is encrypted using a secret key derived from the given password.

The content of the file is unreadable:

00000000  e0 97 af ea 86 f7 6a f0  82 06 47 8f fc 54 47 8e  |......j...G..TG.|
00000010  89 f9 ca f4 00 98 24 f3  85 1e bd 85 e5 c1 66 43  |......$.......fC|
00000020  d8 5d 47 2b 99 b1 99 fa  2c 07 0a ec 8c 11        |.]G+....,.....|

Configuration

Set your configuration in environment variables, so you do not have to type them out every time you run a command.

export SCRT_STORAGE=local
export SCRT_PASSWORD=p4ssw0rd
export SCRT_LOCAL_PATH=~/.scrt/store.scrt

Using the store

Set and retrieve a value for a key using scrt set and scrt get.

scrt set hello 'World!'
scrt get hello
# Output: World!

The content of the file is still unreadable, but now contains your value:

00000000  1d cc 02 68 c0 e5 d4 a4  9d 8f ff 14 0c 3b 73 71  |...h.........;sq|
00000010  47 54 2a 78 d8 87 63 fd  29 dc b4 e4 72 c7 0e 57  |GT*x..c.)...r..W|
00000020  be 04 ba e9 7d 36 6d e1  64 47 e2 e2 c0 fb 83 30  |....}6m.dG.....0|
00000030  51 9e ad cf 15 d8 7e 35  77 1c 0c f1 70 be cb 91  |Q.....~5w...p...|

Use scrt --help to output a full help message.

A secret manager for the command-line

Usage:
  scrt [command]

Available Commands:
  init        Initialize a new store
  set         Associate a key to a value in a store
  get         Retrieve the value associated to key from a store
  list        List all the keys in a store
  unset       Remove the value associated to key in a store
  storage     List storage types and options
  help        Help about any command

Flags:
  -c, --config string     configuration file
  -h, --help              help for scrt
  -p, --password string   master password to unlock the store
      --storage string    storage type
  -v, --version           version for scrt

Use "scrt [command] --help" for more information about a command.

Global options

-c, --config: Path to a YAML configuration file

--storage: storage type, see Storage types for details.

-p, --password: password to the store. The argument will be used to derive a key, to decrypt and encrypt the data in the store.

In the following examples, these options will often be omitted, as they can also be configured using a configuration file or environment variables.

Listing storage types

List all available storage types and options.

Initializing a store

Initialize a new store. If an item is already present at the given location, the initialization will fail unless the --overwrite option is set.

Example

Create a store in a store.scrt file in the local filesystem, in the current working directory, using the password "p4ssw0rd".

scrt init --storage=local --password=p4ssw0rd --local-path=./store.scrt

Options

--overwrite: when this flag is set, scrt will overwrite the item at the given location, if it exists, instead of returning an error. If no item exists at the location, --overwrite has no effect.

Storing a secret

scrt set [flags] key [value]

Associate a value to a key in the store. If value is omitted from the command line, it will be read from standard input.

If a value is already set for key, the command will fail unless the --overwrite option is set.

Example

Associate Hello World to the key greeting in the store, using implicit store configuration (configuration file or environment variables).

scrt set greeting "Hello World"

Options

--overwrite: when this flag is set, scrt will overwrite the value for key in the store, if it exists, instead of returning an error. If no value is associated to key, --overwrite has no effect.

Retrieving a secret

Retrieve the value associated to the key in the store, if it exists. Returns an error if no value is associated to the key.

Example

Retrieve the value associated to the key greeting in the store, using implicit store configuration (configuration file or environment variables).

scrt get greeting
# Output: Hello World

Listing all secrets

List the keys of all the secrets in the store.

Example

List the keys of all the secrets in the store, using implicit store configuration (configuration file or environment variables).

scrt list
# Output: greeting

Deleting a secret

Remove the value associated to a key in the store. If no value is associated to the key, does nothing.

Example

Remove the value associated to the key. After this command, no value will be associated to the key greeting in the store.

Repeating the global options every time the scrt command is invoked can be verbose. Additionally, some options, like the store password, should not be used on the command line on a shared computer (they would be visible in the process list and in the shell history), to avoid security issues.

To prevent this, scrt can be configured with a configuration file or using environment variables.

scrt uses the following precedence order. Each item takes precedence over the item below it:

  • flags
  • environment variables
  • configuration file

Configuration options can be considered to be chosen from "most explicit" (flags) to "least explicit" (configuration file).

Configuration file

The scrt configuration file is a YAML file with the configuration options as keys.

Example:

storage: local
password: p4ssw0rd
local:
  path: ~/.scrt/store.scrt

If the --config option is given on the command line, scrt will try to load the configuration from a file at the given path. Otherwise, it looks for any file named .scrt, .scrt.yml or .scrt.yaml in the current working directory, then recursively in the parent directory up to the root of the filesystem. If such a file is found, its values are loaded as configuration.

This can be helpful in configuring the location of a store for a project, by adding a .scrt file at the root of the project repository. scrt can then be used in CI and other DevOps tools.

⚠️ Do not add the password to a configuration file in a public git repository! ⚠️

Storage type (storage) can be omitted in a configuration file. scrt will read the configuration under the key for the storage type (e.g. local:). Defining configurations for multiple storage types in a single file will result in undefined behavior.

Environment variables

Each global option has an environment variable counterpart. Environment variables use the same name as the configuration option, in uppercase letters, prefixed with SCRT_.

  • storage: SCRT_STORAGE
  • password: SCRT_PASSWORD
  • local-path: SCRT_LOCAL_PATH

To configure a default store on your machine, add the following to your .bashrc file (if using bash):

export SCRT_STORAGE=local
export SCRT_PASSWORD=p4ssw0rd
export SCRT_LOCAL_PATH=~/.scrt/store.scrt

Refer to your shell interpreter's documentation to set environment variables if you do not use bash (zsh, tcsh, etc.)
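The precedence rules and naming conventions of the preceding sections, as an added example written for this page and not taken from scrt's source: a small Go resolver that looks each option up in flags, then in SCRT_ environment variables, then in the configuration file, infers the storage type from the single storage section when storage is omitted, and refuses to proceed when several sections are present rather than silently picking one. The ConfigFile type, the function names and the sample values are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Precedence, most explicit first, as the README states: flags, then
// environment variables, then the configuration file. This resolver is an
// illustration written for this page; it is not scrt's own code.

// envName maps an option name to its SCRT_ environment variable: the name in
// uppercase, "-" replaced by "_", prefixed with SCRT_ (local-path -> SCRT_LOCAL_PATH).
func envName(option string) string {
	return "SCRT_" + strings.ToUpper(strings.ReplaceAll(option, "-", "_"))
}

// ConfigFile models a parsed .scrt YAML file (assumed structure, following the
// README example): top-level scalar keys plus one nested section per storage type.
type ConfigFile struct {
	Values   map[string]string            // "storage": "local", "password": "..."
	Sections map[string]map[string]string // "local": {"path": "~/.scrt/store.scrt"}
}

var knownStorages = []string{"local", "s3", "git"}

// lookup returns the first value found in flags, then env, then the file
// values; "" means no source set the option (there are no implicit defaults).
func lookup(option string, flags, env, file map[string]string) string {
	if v, ok := flags[option]; ok {
		return v
	}
	if v, ok := env[envName(option)]; ok {
		return v
	}
	if v, ok := file[option]; ok {
		return v
	}
	return ""
}

// resolveStorage picks the storage type by precedence. When no source names
// one, it infers it from the single storage section in the file, and refuses to
// guess when several sections are present: the README calls that undefined
// behaviour, so failing loudly is the safe reading.
func resolveStorage(flags, env map[string]string, file ConfigFile) (string, error) {
	if v := lookup("storage", flags, env, file.Values); v != "" {
		return v, nil
	}
	var found []string
	for _, s := range knownStorages {
		if _, ok := file.Sections[s]; ok {
			found = append(found, s)
		}
	}
	switch len(found) {
	case 1:
		return found[0], nil
	case 0:
		return "", errors.New("storage type not set by flag, environment or config file")
	default:
		return "", fmt.Errorf("config file defines several storage sections (%s); set storage explicitly",
			strings.Join(found, ", "))
	}
}

// resolveOption resolves a storage-specific option such as "local-path". In the
// YAML it lives under the storage section with the prefix stripped
// (local: path: ...), so the section is flattened back to "local-path" first.
func resolveOption(storage, option string, flags, env map[string]string, file ConfigFile) (string, error) {
	fileVals := map[string]string{}
	for k, v := range file.Sections[storage] {
		fileVals[storage+"-"+k] = v
	}
	v := lookup(option, flags, env, fileVals)
	if v == "" {
		return "", fmt.Errorf("%s is required but no flag, %s or config entry provides it", option, envName(option))
	}
	return v, nil
}

func main() {
	// Constructed inputs: the README's example config file, an environment
	// variable that overrides the file, and no flags.
	file := ConfigFile{
		Values:   map[string]string{"password": "p4ssw0rd"},
		Sections: map[string]map[string]string{"local": {"path": "~/.scrt/store.scrt"}},
	}
	env := map[string]string{"SCRT_LOCAL_PATH": "/srv/ci/store.scrt"}
	flags := map[string]string{}

	storage, err := resolveStorage(flags, env, file)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	path, err := resolveOption(storage, storage+"-path", flags, env, file)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("storage=%s path=%s (environment overrode the file)\n", storage, path)
}
```

The ambiguity check is the part worth copying: a resolver that picks the first matching section would quietly read a different store than the one a CI job was configured for, so an explicit error is preferable to any default.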

Local:
  local       store secrets to local filesystem
Flags:
      --local-path string   path to the store in the local filesystem
                            (required)

S3:
  s3          store secrets to AWS S3 or S3-compatible object storage
Flags:
      --s3-bucket-name string    name of the S3 bucket (required)
      --s3-endpoint-url string   override default S3 endpoint URL
      --s3-key string            path of the store object in the bucket
                                 (required)
      --s3-region string         region of the S3 storage

Git:
  git         store secrets to a git repository
Flags:
      --git-branch string     branch to checkout, commit and push to on updates
      --git-checkout string   tree-ish revision to checkout, e.g. commit or tag
      --git-message string    commit message when updating the store
      --git-path string       path of the store in the repository (required)
      --git-url string        URL of the git repository (required)

scrt supports various storage backends, independent of the secrets engine. Each storage type has a name, and configuration options vary according to the chosen type.

Storage types may support additional options. See the documentation below for details.

Local

Use the local storage type to create and access a store on your local filesystem.

Example:

scrt init --storage=local --password=p4ssw0rd --local-path=/tmp/store.scrt

Options

--local-path (required): the path to the store file on the local filesystem.

S3

Use the s3 storage type to create and access a store using AWS S3 or any compatible object storage (such as MinIO).

Example:

scrt init --storage=s3 \
          --password=p4ssw0rd \
          --s3-bucket-name=scrt-bucket \
          --s3-key=/store.scrt

scrt uses your AWS configuration (config files, environment variables) if it can be found.

Options

--s3-bucket-name (required): the name of the bucket to save the store to

--s3-key (required): the key to the store object

--s3-region: set the region for the S3 bucket

--s3-endpoint-url: when using an S3-compatible object storage rather than AWS, scrt requires the URL of the S3 API endpoint.

Git

Use the git storage type to create and access a store in a git repository. scrt will clone the repository in memory, checkout the given branch (or the default branch if no branch is given), read the store in the file at the given path, and will commit and push any changes to the remote.

Example:

scrt init --storage=git \
          --password=p4ssw0rd \
          --git-url=git@github.com:githubuser/secrets.git \
          --git-path=store.scrt

scrt will initialize a new repo if none can be cloned.

Options

--git-url (required): a git-compatible repository URL. Most git-compatible URLs and protocols can be used. See the git clone documentation to learn more.

--git-path (required): the path to the store file inside the git repository, relative to the repository root. A repository can contain multiple scrt stores, at different paths.

--git-branch: the name of the branch to checkout after cloning (or initializing). If no branch is given, the default branch from the remote will be used, or main if a new repository is initialized.

--git-checkout: a git revision to checkout. If specified, the revision will be checked out in a "detached HEAD" and pushing will not work; making updates (init, set or unset) will not be possible.

--git-message: the message of the git commit. A default message will be used if this is not set.

How do you pronounce scrt?

No one knows. It's either "secret" without the e's, or "skrrt" like a Migos ad-lib.

What's the cryptography behind scrt?

scrt relies on the industry-standard AES symmetric encryption algorithm with 256-bit keys, in GCM mode of operation (AES-256-GCM, in OpenSSL parlance).

The encryption keys are derived from the password using the Argon2id key derivation function. A brand new random salt is used every time the store is written to, preventing reuse of existing cryptographic keys.

Does scrt store my keys? Should I be worried about my secrets being intercepted?

scrt does not save keys in the store, nor does it transfer any plaintext over the wire. All decryption and encryption happens on your computer while the program is running. This is the best way to provide full privacy and zero-trust security.

The downside to this is that the whole store must be loaded into memory, possibly downloading it over the network, decrypted, and possibly re-encrypted (on a mutating operation like set or unset) every time you run scrt. If the size of your store becomes an issue, there are workarounds like splitting your store into multiple stores, or downloading the whole store to the local filesystem before using it.

I lost my password, how can I recover my secrets?

I've got some good news and some bad news.

The bad news: you are doomed. Your secrets are encrypted with a key that can only be derived from your password. scrt does not store or manage keys. There is no way to recover your secrets without your password.

The good news: you almost certainly will not lose your password again.

Apache 2.0
