//! # ks — Key Store
//!
//! A modern, local-first, git-friendly secret manager built on the
//! [`age`](https://age-encryption.org/) encryption format.
//!
//! ## Architecture
//!
//! - **Identity** (`identity.age`): a single X25519 secret key, encrypted
//!   to the user's passphrase using age scrypt mode. Stays local.
//! - **Recipients** (`store/.recipients`): plaintext list of age public keys
//!   allowed to decrypt this store. Lives inside the store, safe to git-sync.
//! - **Secrets** (`store/<path>.age`): each secret is its own
//!   recipient-encrypted age file containing a small JSON blob.
//!
//! ## Quick start
//!
//! ```no_run
//! use age::secrecy::SecretString;
//! use ks::{Config, Secret, Store, identity};
//!
//! let config = Config::load().expect("load config");
//! let pp = SecretString::from("hunter2".to_owned());
//! let id = identity::create(&config.identity_path, pp).expect("init identity");
//! let store = Store::create(config, id, &[]).expect("init store");
//!
//! store.set("github/token", &Secret::new("ghp_xxx")).expect("set");
//! let token = store.get("github/token").expect("get");
//! assert_eq!(&*token.value, "ghp_xxx");
//! ```
/// OS-keyring backed session cache.
/// Runtime configuration (paths, tunables).
/// Low-level age encryption primitives.
/// Library-wide error and result types.
/// Thin wrapper over the system `git` binary.
/// Age identity file management.
/// Logical secret path validation.
/// Cryptographically-random secret generation.
/// Recipient list management.
/// Secret value data model.
/// The encrypted secret store.
/// RFC 6238 TOTP generation.
pub use x25519;
pub use ;
pub use ;
pub use ;
pub use Store;