Crate dugout 

A local secrets manager for development teams

Dugout encrypts secrets at rest using age encryption with optional cloud KMS hybrid mode (AWS KMS, GCP KMS) and provides a simple CLI for managing secrets across teams.

Quick start

use dugout::Vault;

let mut vault = Vault::open()?;
vault.set("DATABASE_URL", "postgres://localhost/db", false)?;
let value = vault.get("DATABASE_URL")?;

Architecture

The crate is organized into two main modules:

• core: Library code with Vault as the main entry point
• cli: Command-line interface and user-facing commands

Core Components

• Vault: Main API for all secret operations
• Domain types: Secret, Recipient, Identity, Env, Diff
• Cipher backends: age (default) + hybrid age+KMS
• Configuration in .dugout.toml

Features

• Fast: Age encryption with x25519 keys
• Team-ready: Multiple recipients, key rotation
• Flexible: Two cipher backends: age (default) and hybrid age+KMS
• Developer-friendly: .env file integration, shell completion
• Secure: No secrets in git history, encrypted at rest

Example: Initialize and use a vault

use dugout::Vault;

// Initialize a new vault with default age cipher
let mut vault = Vault::init("alice", None)?;

// Set a secret
vault.set("DATABASE_URL", "postgres://localhost/db", false)?;

// Get a secret
let value = vault.get("DATABASE_URL")?;

// Add a team member
vault.add_recipient("bob", "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p")?;

// List all secrets
for secret in vault.list() {
    println!("{}", secret.key());
}

Re-exports

pub use core::vault::Vault;

pub use core::domain::*;

pub use core::types::*;

Modules

cli

Command-line interface.

core

Core library components.

error

Error types for Dugout