nu_plugin_secret
Production-grade Nushell plugin for secure handling of sensitive data with 8 comprehensive secret types that prevent accidental exposure.
π Security First
This plugin provides secure custom types that always display as
<redacted:type> to prevent accidental exposure of sensitive information like
API keys, passwords, tokens, and other confidential data in logs, debug output,
or command history.
β¨ Features
-
8 Secret Types: Complete coverage of Nushell's core data types
SecretString- API keys, passwords, tokensSecretInt- sensitive numbers, IDs, portsSecretBool- sensitive flags, permissionsSecretRecord- configuration objects, credentialsSecretList- arrays of sensitive dataSecretFloat- financial data, coordinates, measurementsSecretBinary- certificates, keys, encrypted dataSecretDate- timestamps, birthdates, sensitive dates
-
Memory Safety: Automatic secure cleanup with ZeroizeOnDrop
-
Timing Attack Protection: Constant-time equality comparison
-
Type Safety: Clear distinction between secret and regular data
-
Pipeline Integration: Works seamlessly with Nushell data flows
-
Security Warnings: Built-in warnings for sensitive operations
π¦ Installation
# Build the plugin
# Register with Nushell
βοΈ Configuration
The plugin supports extensive configuration including:
- Security levels: minimal, standard, paranoid
- Custom redaction templates: Using Tera templating engine
- Template functions: replicate, mask_partial, take, reverse, strlen
- Audit logging: Track secret operations
- Environment overrides: For development workflows
See Configuration Guide for complete documentation.
# View current configuration
secret config show
# Interactive configuration
secret configure
# Validate configuration and templates
secret config validate
π Commands
Wrap Command
Convert values to secret types using the unified secret wrap command:
"my-api-key" | secret wrap # <redacted:string>
42 | secret wrap # <redacted:int>
true | secret wrap # <redacted:bool>
{key: "value"} | secret wrap # <redacted:record>
["item1", "item2"] | secret wrap # <redacted:list>
3.14159 | secret wrap # <redacted:float>
0x[deadbeef] | secret wrap # <redacted:binary>
date now | secret wrap # <redacted:date>
Utility Commands
secret unwrap
Extract the underlying value (with security warning):
$secret_value | secret unwrap
# WARNING: Extracting sensitive data from secret type...
# Output: original value
secret validate
Check if a value is a secret type:
$value | secret validate
# Output: true/false
secret type-of
Get the underlying type without exposing content:
$secret_value | secret type-of
# Output: string, int, bool, record, list, float, binary, or date
secret info
Display plugin information and security guidance:
secret info
π‘οΈ Security Features
Display Layer Protection
- Zero Accidental Exposure: Secret values never display actual content in console output, logs, or debug information
- Debug Safety: Debug output (
{:?}) never shows sensitive content - Redacted Display: All secret types show as
<redacted:type>in output
Functional Pipeline Support
- Serialization for Unwrap: Internal serialization contains actual data to
enable proper
unwrapoperations and pipeline functionality - Pipeline Integration: Secrets work seamlessly in Nushell data flows between commands and through plugin communication
Core Security
- Memory Safety: Secure cleanup via ZeroizeOnDrop on all secret types
- Constant-Time Comparison: Prevents timing attacks across all types
- Type Safety: Comprehensive validation and error handling
Security Model
This plugin uses a dual-layer security approach:
- Display/Debug Layer: Always redacted to prevent accidental exposure
- Functional Layer: Serialization enables unwrap operations while maintaining memory safety and secure display behavior
π‘ Usage Examples
# Secure API key handling
let $api_key = ($env.API_KEY | secret wrap)
http get "https://example.com/api" \
-H [Authorization $"Bearer ($api_key | secret unwrap)"]
# Database configuration with mixed types
let $db_config = {
host: "localhost",
port: (5432 | secret wrap),
password: ($env.DB_PASSWORD | secret wrap),
ssl: (true | secret wrap)
}
# Financial data protection
let $balance = (1234.56 | secret wrap)
let $account_id = (9876543210 | secret wrap)
# Binary data (certificates, keys)
open cert.pem | secret wrap
# Sensitive timestamps
date now | secret wrap
# Validate and process secrets
if ($value | secret validate) {
let $type = ($value | secret type-of)
print $"Processing secret ($type)"
}
π― Current Status
β v0.1.1 Released: Functional Serialization & Comprehensive Testing
- 12 Commands: 8 wrap commands + 4 utility commands
- 189+ Tests: Comprehensive Rust unit tests + Nushell script tests
- Functional Unwrap: Serialization enables proper unwrap operations
- Security Validated: Display/debug remain redacted, all security tests passing
- Production Ready: Memory-safe, secure, and performant with full pipeline support
πΊοΈ Roadmap
β
Phase 1: SecretString with core commands
β
Phase 2: SecretInt, SecretBool, SecretRecord, SecretList
β
Phase 2+: SecretFloat, SecretBinary, SecretDate
β
Phase 5: Functional serialization with dual-layer security model
β
Phase 5.6: Comprehensive testing framework and unwrap functionality
π Phase 6: CI/CD pipeline integration
π Phase 7: Security audit and production hardening
π οΈ Development
# Run all Rust tests (179+ tests)
# Run Nushell integration tests
# Quick Nushell test
# Check code quality
# Build documentation
# Performance testing
π License
BSD 3-Clause License - see LICENSE for details.
π€ Contributing
Contributions welcome! Please read our security guidelines before submitting PRs involving sensitive data handling.
β οΈ Security Notice
This plugin is designed for defensive security purposes only. Always follow security best practices when handling sensitive data. All secret types use memory-safe implementations with automatic cleanup to prevent information leakage.