ks — Key Store
A modern, local-first, git-friendly secret manager built on the
age encryption format.
Architecture
- Identity (identity.age): a single X25519 secret key, encrypted to the user's passphrase using age scrypt mode. Stays local.
- Recipients (store/.recipients): plaintext list of age public keys allowed to decrypt this store. Lives inside the store, safe to git-sync.
- Secrets (store/<path>.age): each secret is its own recipient-encrypted age file containing a small JSON blob.
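
Because store/.recipients is the one key file meant to be git-synced, it is worth checking that it holds only public keys before a commit. The following is an added example, not code from ks: the one-entry-per-line layout with `#` comments is an assumption borrowed from age's own recipients files, `classify` and `lint` are hypothetical names, only native X25519 recipients are accepted, and the sample keys are constructed.

```rust
// Added example: lint a ks-style `.recipients` file before committing it.
// Assumed layout (not confirmed by the page): one entry per line; blank
// lines and `#` comments are ignored, as in age's own recipients files.

/// Outcome for one non-comment line of the recipients file.
#[derive(Debug, PartialEq)]
enum Finding {
    Recipient,     // shaped like a native age X25519 public key
    SecretKeyLeak, // an age identity was pasted into the public list
    Malformed,     // neither; should not be trusted as a recipient
}

/// Bech32 data alphabet (lower-case form used by age recipients).
const BECH32: &str = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";

fn classify(line: &str) -> Finding {
    let s = line.trim();
    // age identities are Bech32 strings carrying this prefix.
    if s.to_ascii_uppercase().starts_with("AGE-SECRET-KEY-1") {
        return Finding::SecretKeyLeak;
    }
    match s.strip_prefix("age1") {
        // Native X25519 recipients have 58 Bech32 characters after "age1".
        // Shape check only: the Bech32 checksum is not verified here.
        Some(rest) if rest.len() == 58 && rest.chars().all(|c| BECH32.contains(c)) => {
            Finding::Recipient
        }
        _ => Finding::Malformed,
    }
}

/// Returns (1-based line number, finding) for every entry that is not a
/// clean recipient. An empty result means the file is safe to sync.
fn lint(contents: &str) -> Vec<(usize, Finding)> {
    contents
        .lines()
        .enumerate()
        .filter(|(_, l)| !l.trim().is_empty() && !l.trim_start().starts_with('#'))
        .map(|(i, l)| (i + 1, classify(l)))
        .filter(|(_, f)| *f != Finding::Recipient)
        .collect()
}

/// Constructed sample file; the key strings are placeholders, not real keys.
fn sample() -> String {
    let good = format!("age1{}", "q".repeat(58));
    let leak = format!("AGE-SECRET-KEY-1{}", "Q".repeat(58));
    format!("# team\n{}\n\n{}\nage1short\n", good, leak)
}
```

Run as a pre-commit check, a non-empty result from `lint` should block the commit; a `SecretKeyLeak` finding also means the exposed identity needs to be rotated.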
Quick start
```rust
use age::secrecy::SecretString;
use ks::{Config, Secret, Store, identity};

fn main() {
    let config = Config::load().expect("load config");

    // Create the local identity, encrypted under the passphrase.
    let pp = SecretString::from("hunter2".to_owned());
    let id = identity::create(&config.identity_path, pp).expect("init identity");

    // Initialise the store with no recipients beyond this identity.
    let store = Store::create(config, id, &[]).expect("init store");

    // Write a secret, then read it back.
    store.set("github/token", &Secret::new("ghp_xxx")).expect("set");
    let token = store.get("github/token").expect("get");
    assert_eq!(&*token.value, "ghp_xxx");
}
```