Expand description
Encrypted secrets manager for developers — one file, age encryption, git-friendly.
This library provides the core functionality for murk: vault I/O, age encryption, BIP39 key recovery, and secret management. The CLI binary wraps this library.
Re-exports§
pub use env::EnvrcStatus;pub use env::dotenv_has_murk_key;pub use env::parse_env;pub use env::read_key_from_dotenv;pub use env::resolve_key;pub use env::warn_env_permissions;pub use env::write_envrc;pub use env::write_key_to_dotenv;pub use export::DiffEntry;pub use export::DiffKind;pub use export::decrypt_vault_values;pub use export::diff_secrets;pub use export::export_secrets;pub use export::format_diff_lines;pub use export::parse_and_decrypt_values;pub use export::resolve_secrets;pub use git::MergeDriverSetupStep;pub use git::setup_merge_driver;pub use github::GitHubError;pub use github::fetch_keys;pub use info::InfoEntry;pub use info::VaultInfo;pub use info::format_info_lines;pub use info::vault_info;pub use init::DiscoveredKey;pub use init::InitStatus;pub use init::check_init_status;pub use init::create_vault;pub use init::discover_existing_key;pub use merge::MergeDriverOutput;pub use merge::run_merge_driver;pub use recipients::RecipientEntry;pub use recipients::RevokeResult;pub use recipients::format_recipient_lines;pub use recipients::key_type_label;pub use recipients::list_recipients;pub use recipients::revoke_recipient;pub use recipients::truncate_pubkey;pub use secrets::add_secret;pub use secrets::describe_key;pub use secrets::get_secret;pub use secrets::import_secrets;pub use secrets::list_keys;pub use secrets::remove_secret;pub use crypto::MurkIdentity;pub use crypto::MurkRecipient;
Modules§
- codename
- Computed codenames for vault files.
- crypto
- env
- Environment and
.envfile handling. - export
- Export and diff logic for vault secrets.
- git
- Git integration helpers (merge driver setup).
- github
- GitHub SSH key fetching for
murk authorize github:username. - info
- Vault info/introspection logic.
- init
- Vault initialization logic.
- merge
- Three-way merge driver for
.murkvault files. - recipients
- Recipient management: authorize, revoke, and list vault recipients.
- recovery
- secrets
- Secret CRUD operations on the in-memory
Murkstate. - types
- vault
Functions§
- decrypt_
value - Decrypt a base64-encoded ciphertext and return plaintext bytes.
- encrypt_
value - Encrypt a value and return base64-encoded ciphertext.
- is_
valid_ key_ name - Check whether a key name is a valid shell identifier (safe for
export KEY=...). Must start with a letter or underscore, and contain only[A-Za-z0-9_]. - load_
vault - Load the vault: read JSON, decrypt all values, return working state. Returns the raw vault (for preserving unchanged ciphertext on save), the decrypted murk, and the identity.
- save_
vault - Save the vault: compare against original state and only re-encrypt changed values. Unchanged values keep their original ciphertext for minimal git diffs.