secretgarden 0.1.1

tool for generating and securely storing secrets

secretgarden

secretgarden is a self-contained CLI that generates and securely stores secrets like the following:

  • Passwords
  • SSH keys
  • TLS/X.509 certificates (coming soon)
  • Opaque values

It's made for sysadmins who manage a small set of systems by themselves. Secrets are kept safe with a key derived from your SSH key: secretgarden asks ssh-agent for a signature, stretches it with the argon2 hash, and uses the result as the key for NaCl's secretbox.

The interaction model is strongly inspired by a credential server called CredHub, where an automated deployment tool can ask for a secret that is:

  • Securely stored
  • Automatically generated if it does not exist
  • Re-generated if the secret's options have changed
  • Easy to generate based on other certificates (CAs with child certificates, for instance)

Installation

Currently, secretgarden can only be installed from source. Install Rust via rustup or your OS packages, then run $ cargo install --path . from inside a checkout of this repository. (Make sure that ~/.cargo/bin is on your $PATH.)

Usage

Prerequisites

Before getting started, make sure that you have ssh-agent running, and that you've added keys to it:

$ ssh-add -l
256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA me@home (ED25519)
...

If $ ssh-add -l returns nothing, then add your SSH key with $ ssh-add.

Note: only RSA and ED25519 keys are accepted. Their signatures are deterministic, so signing the same data with the same key always yields the same bytes, which is what key derivation needs. DSA and ECDSA signatures include a random per-signature nonce and differ on every run, so they cannot be used. Bear in mind that the derived key is only as private as your agent: anything allowed to request signatures from it (including a remote host you forward the agent to) could reproduce the derivation.

If it returns an error instead, ssh-agent probably isn't running. You can start one for your current shell with $ eval $(ssh-agent), but you should probably add that command to your login script.
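As an added illustration (not code from secretgarden), the following Python script does what the prerequisites above set up for: it talks to ssh-agent over SSH_AUTH_SOCK, keeps only RSA and Ed25519 identities, asks the agent to sign a fixed challenge twice to confirm the signature is deterministic, and stretches the signature into a 32-byte key. The agent protocol framing follows draft-miller-ssh-agent; the challenge string and salt are made up for the example, and the standard library's scrypt stands in for argon2 because it ships with Python. SAMPLE_IDENTITIES_ANSWER is a constructed agent reply so the parsing path can be tried without an agent.

```python
import hashlib
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
# RSA (PKCS#1 v1.5) and Ed25519 signatures are deterministic; DSA/ECDSA carry a random nonce.
DETERMINISTIC_KEY_TYPES = {"ssh-rsa", "ssh-ed25519"}
CHALLENGE = b"secretgarden-example-key-derivation-v1"  # assumed fixed value for this example

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf, off):
    """Decode an SSH 'string' at offset off, returning (data, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n

def key_type(blob):
    # A public-key blob begins with its algorithm name, e.g. "ssh-ed25519".
    return read_ssh_string(blob, 0)[0].decode("ascii")

def parse_identities_answer(msg):
    """Turn SSH_AGENT_IDENTITIES_ANSWER into a list of (key_blob, comment)."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, identities = 5, []
    for _ in range(count):
        blob, off = read_ssh_string(msg, off)
        comment, off = read_ssh_string(msg, off)
        identities.append((blob, comment.decode("utf-8", "replace")))
    return identities

def usable_identities(identities):
    # Keep only keys whose signatures are stable enough to feed a KDF.
    return [(b, c) for b, c in identities if key_type(b) in DETERMINISTIC_KEY_TYPES]

def build_sign_request(key_blob, data, flags=0):
    """Body of SSH_AGENTC_SIGN_REQUEST; the outer length prefix is added on send."""
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))

def parse_sign_response(msg):
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign or sent an unexpected message")
    return read_ssh_string(msg, 1)[0]

def derive_key(signature, salt, length=32):
    """Stretch the signature into a secretbox-sized key; scrypt stands in for argon2."""
    return hashlib.scrypt(signature, salt=salt, n=2 ** 14, r=8, p=1, dklen=length)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf

def agent_call(sock, body):
    # Send one framed request to ssh-agent and return the framed reply's body.
    sock.sendall(ssh_string(body))
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, n)

# Constructed identities answer (one Ed25519 key, one ECDSA key, zero-filled key material).
SAMPLE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_ECDSA_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
                     + ssh_string(b"\x04" + bytes(64)))
SAMPLE_IDENTITIES_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 2)
                            + ssh_string(SAMPLE_ED25519_BLOB) + ssh_string(b"me@home")
                            + ssh_string(SAMPLE_ECDSA_BLOB) + ssh_string(b"laptop"))

def main():
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise SystemExit("SSH_AUTH_SOCK is not set; run: eval $(ssh-agent) && ssh-add")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        ids = usable_identities(parse_identities_answer(
            agent_call(sock, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))))
        if not ids:
            raise SystemExit("no RSA or Ed25519 key in the agent; add one with ssh-add")
        blob, comment = ids[0]
        sigs = [parse_sign_response(agent_call(sock, build_sign_request(blob, CHALLENGE)))
                for _ in range(2)]
        if sigs[0] != sigs[1]:
            raise SystemExit(f"{comment}: signatures differ, cannot derive a key")
        key = derive_key(sigs[0], salt=b"example-salt")
        print(f"{comment} ({key_type(blob)}): {len(key)}-byte key {key.hex()[:16]}...")

if __name__ == "__main__":
    main()
```

Run it with an agent loaded to see the derived key; without SSH_AUTH_SOCK it stops with the same hint as the prerequisites above. The two-signature comparison is exactly why DSA and ECDSA keys are rejected: their signatures would differ between runs, so no stable key could be derived from them.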

Getting autogenerated secrets

Secrets are retrieved via subcommands of secretgarden. For instance, to retrieve a 32-character random password named mysql-root-password, run:

$ secretgarden password mysql-root-password --length 32
nEIn5JwTCpaIrGGpCehuP6rVbCgKLWow

If no password by that name exists yet, it is generated and stored; later calls return the same value unless the options (such as --length) change, in which case it is regenerated as described above.

SSH keys can be generated similarly:

$ secretgarden ssh-key jumpbox-ssh-key
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

The public key can be retrieved with --public:

$ secretgarden ssh-key jumpbox-ssh-key --public
ssh-ed25519 ...
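To show how an automated deployment tool would consume these commands (an added example, not part of secretgarden), here is a Python provisioning step that fetches the password and SSH key above, writes the private key with mode 0600 from the moment the file is created, and passes the same options on every run so nothing is regenerated by accident. The runner indirection and SAMPLE_TABLE are constructed for the example so it can run without the binary; the secretgarden invocations are the ones shown above.

```python
import os
import stat
import subprocess
import tempfile
from typing import Callable, Dict, Optional, Sequence, Tuple

# A runner takes secretgarden's argument list and returns its stdout, so the
# real binary can be swapped for canned output when testing offline.
Runner = Callable[[Sequence[str]], str]


def real_runner(argv: Sequence[str]) -> str:
    """Invoke the installed secretgarden binary (assumed to be on PATH)."""
    proc = subprocess.run(["secretgarden", *argv], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def get_password(name: str, length: int = 32, runner: Optional[Runner] = None) -> str:
    """Fetch a password, letting secretgarden generate it on first use. Always
    pass the same options: a changed --length makes secretgarden regenerate it."""
    out = (runner or real_runner)(["password", name, "--length", str(length)])
    return out.rstrip("\n")


def get_ssh_key(name: str, runner: Optional[Runner] = None) -> Tuple[str, str]:
    """Return (private key text, public key line) for a named SSH key."""
    run = runner or real_runner
    return run(["ssh-key", name]), run(["ssh-key", name, "--public"]).rstrip("\n")


def write_private_file(path: str, data: str) -> None:
    """Create the file with mode 0600 from the first instant it exists, so no
    other local user can read the key in the gap before a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.chmod(path, 0o600)  # tighten an existing file left with wider permissions


def install_ssh_key(name: str, dest_dir: str, runner: Optional[Runner] = None) -> str:
    """Write <dest_dir>/<name> and <dest_dir>/<name>.pub; return the private path."""
    private, public = get_ssh_key(name, runner)
    key_path = os.path.join(dest_dir, name)
    write_private_file(key_path, private if private.endswith("\n") else private + "\n")
    with open(key_path + ".pub", "w") as f:
        f.write(public + "\n")
    return key_path


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def table_runner(table: Dict[Tuple[str, ...], str]) -> Runner:
    """Runner answering from a dict of argv tuple -> stdout (offline use only)."""
    return lambda argv: table[tuple(argv)]


# Constructed sample outputs modelled on the transcripts above; the private
# key body is placeholder text, not real key material.
SAMPLE_TABLE = {
    ("password", "mysql-root-password", "--length", "32"):
        "nEIn5JwTCpaIrGGpCehuP6rVbCgKLWow\n",
    ("ssh-key", "jumpbox-ssh-key"):
        "-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----\n",
    ("ssh-key", "jumpbox-ssh-key", "--public"): "ssh-ed25519 AAAA... jumpbox\n",
}


def provision(dest_dir: Optional[str] = None, runner: Optional[Runner] = None) -> dict:
    """One idempotent deployment step: install the jumpbox key, fetch the DB password."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="secretgarden-example-")
    key_path = install_ssh_key("jumpbox-ssh-key", dest_dir, runner)
    with open(key_path + ".pub") as f:
        public = f.read().rstrip("\n")
    return {
        "key_path": key_path,
        "mode": file_mode(key_path),
        "public": public,
        "password": get_password("mysql-root-password", 32, runner),
    }


if __name__ == "__main__":
    # Offline demo against canned output; drop runner= to use the real binary.
    print(provision(runner=table_runner(SAMPLE_TABLE)))
```

Running the step twice is safe: secretgarden returns the stored values, the private file is truncated and rewritten in place, and its mode is forced back to 0600 even if something widened it in between.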

Storing opaque values

Some secrets are handed to you rather than generated (API tokens, etc.), but it can still be useful to keep them alongside the generated ones.

Opaque (non-generated) values can be set with secretgarden set-opaque and retrieved with secretgarden opaque:

$ secretgarden set-opaque api-token
<enter secret value>
$ secretgarden opaque api-token
<your secret value>