dugout 0.1.10

Highlights

• Git-native — secrets live in your repo as encrypted values, access control is git commits
• No server required — no SaaS, no cloud dependency, no infrastructure to manage
• Team-friendly — knock / admit workflow for access requests, all through git
• Multi-vault — separate secrets for dev, staging, prod in the same repo
• Encrypted at rest — age encryption by default, optional AWS KMS, GCP KMS
• Hardware-backed security — automatic macOS Keychain integration with Secure Enclave & TouchID
• Zero config — dugout init and start adding secrets
• Auto-detect — dugout . detects your stack and runs with secrets injected
• Fast — encrypts in ~100µs, single binary, no runtime dependencies
• Vendor-agnostic — works with any git host, any infrastructure, any language

Comparison

*Vault BSL license

Installation

Install dugout with our standalone installers:

# On macOS and Linux.
curl -LsSf https://raw.githubusercontent.com/usemantle/dugout/main/scripts/install.sh | sh

# On Windows.
powershell -ExecutionPolicy ByPass -c "irm https://raw.githubusercontent.com/usemantle/dugout/main/scripts/install.ps1 | iex"

Or, with Homebrew:

brew install usemantle/tap/dugout

Or, from crates.io:

cargo install dugout

Or, from source:

git clone https://github.com/usemantle/dugout && cd dugout
cargo install --path .

Quick Start

# One-time identity setup
dugout setup

# Initialize in your project
cd my-app
dugout init

# Add secrets
dugout set DATABASE_URL postgres://localhost/db
dugout set STRIPE_KEY sk_live_xxx

# Run your app with secrets (auto-detect)
dugout .

# Or run any command with secrets injected
dugout run -- npm start
dugout run -- python manage.py runserver
dugout run -- cargo run

Team Workflow

# Alice creates the project
dugout init
dugout set API_KEY sk_live_xxx
git add .dugout.toml && git commit -m "init vault" && git push

# Bob clones and requests access
git clone ... && cd project
dugout knock
git add .dugout/requests/ && git commit -m "request access" && git push

# Alice approves
git pull
dugout admit bob
git commit -am "grant bob access" && git push

# Bob pulls and runs
git pull
dugout .

No Slack DMs. No shared password vaults. No .env files in git history. Access requests and approvals are git commits.

Commands

macOS Keychain Integration

Keychain integration is default on macOS:

If Keychain is unavailable or you're in a headless environment (CI, SSH, Docker), you must explicitly enable filesystem storage:

# Use filesystem storage instead of Keychain
DUGOUT_NO_KEYCHAIN=1 dugout setup
DUGOUT_NO_KEYCHAIN=1 dugout init

Migrating Existing Keys

If you have existing file-based keys, migrate them to Keychain:

# Migrate all identities (global + project keys)
dugout migrate-keychain

# Migrate and delete files after successful migration
dugout migrate-keychain --delete

# Skip confirmation prompts
dugout migrate-keychain --delete --force

Verifying Keychain Storage

Check if your identity is stored in Keychain:

# Open Keychain Access app
open /System/Applications/Utilities/Keychain\ Access.app

# Search for "dugout" in the search box
# Look for items with:
#   - Service: "com.usemantle.dugout"
#   - Account: "global" or your project ID

Or use the command line:

# Check for global identity in Keychain
security find-generic-password -s "com.usemantle.dugout" -a "global"

# Check for project-specific identity
security find-generic-password -s "com.usemantle.dugout" -a "<project-id>"

If the key exists in Keychain, you'll see output like:

keychain: "/Users/you/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "acct"<blob>="global"
    "svce"<blob>="com.usemantle.dugout"
    ...

Multi-Vault

Manage separate secret sets for different environments (dev, staging, prod) in the same repository.

# Create vaults for different environments
dugout init                         # Creates .dugout.toml (default)
dugout init --vault dev             # Creates .dugout.dev.toml
dugout init --vault prod            # Creates .dugout.prod.toml

# Set secrets in specific vaults
dugout --vault dev set API_KEY sk_test_xxx
dugout --vault prod set API_KEY sk_live_xxx

# List all vaults
dugout vault list

# Run with specific vault
dugout --vault dev .
dugout --vault prod run -- ./deploy.sh

# Or use environment variable
export DUGOUT_VAULT=dev
dugout .

When only one vault exists, no flag is needed. With multiple vaults, use --vault or DUGOUT_VAULT to select one.

Cipher Backends

# Initialize with hybrid encryption (age + KMS)
dugout init --kms arn:aws:kms:us-east-1:...

# Install with AWS KMS support
cargo install dugout --features aws

See the full KMS Integration Guide for AWS, GCP, IAM setup, and multi-region.

CI/CD

GitHub Actions

- uses: usemantle/setup-dugout@v1
  with:
    identity: ${{ secrets.DUGOUT_IDENTITY }}
  env:
    DUGOUT_NO_KEYCHAIN: "1"  # Required on macOS runners

- run: dugout run -- npm test
  env:
    DUGOUT_NO_KEYCHAIN: "1"  # Required on macOS runners

See usemantle/setup-dugout for version pinning, KMS-only mode, and more examples.

Other environments

# Any CI — set both DUGOUT_IDENTITY and DUGOUT_NO_KEYCHAIN
export DUGOUT_IDENTITY="AGE-SECRET-KEY-1..."
export DUGOUT_NO_KEYCHAIN=1  # Disable Keychain in CI
dugout run -- ./deploy.sh

# Docker (macOS host)
docker run \
  -e DUGOUT_IDENTITY="$KEY" \
  -e DUGOUT_NO_KEYCHAIN=1 \
  myapp

See the full Deployment Guide for GitLab, Kubernetes, and more.

Benchmarks

Measured with Criterion. See BENCHMARKS.md for methodology.

Contributing

See CONTRIBUTING.md for setup and guidelines.

License

Licensed under either of:

• MIT License
• Apache License, Version 2.0

at your option.