Crate ks

ks — Key Store

A modern, local-first, git-friendly secret manager built on the age encryption format.

Architecture

  • Identity (identity.age): a single X25519 secret key, encrypted to the user’s passphrase using age scrypt mode. Stays local.
  • Recipients (store/.recipients): plaintext list of age public keys allowed to decrypt this store. Lives inside the store, safe to git-sync.
  • Secrets (store/<path>.age): each secret is its own recipient-encrypted age file containing a small JSON blob.
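Because the recipients list is plaintext and travels with the git-synced store, a malformed or duplicated line is worth catching in review or CI before a store is encrypted to the wrong set of keys. The following is an added example, not code from the ks crate: a syntactic lint for `store/.recipients` that assumes age's recipients-file convention (one key per line, blank lines and `#` comments ignored) and leaves the bech32 checksum to age's own parser.

```rust
// Added example, not code from the ks crate: a syntactic lint for the
// git-synced `store/.recipients` file. Assumes age's recipients-file
// convention (one key per line; blank lines and `#` comments ignored).
// The bech32 checksum is deliberately left to age's own parser.

const BECH32_CHARSET: &str = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const AGE_PUBKEY_LEN: usize = 62; // "age1" prefix + 58 bech32 characters

/// Shape checks on a single age X25519 recipient string.
fn check_recipient(key: &str) -> Result<(), &'static str> {
    if !key.starts_with("age1") {
        return Err("missing `age1` prefix (not an age X25519 recipient)");
    }
    if key.len() != AGE_PUBKEY_LEN {
        return Err("wrong length for an age X25519 recipient");
    }
    if key[4..].chars().any(|c| !BECH32_CHARSET.contains(c)) {
        return Err("character outside the bech32 alphabet");
    }
    Ok(())
}

/// Parses a `.recipients` body into its keys. The whole file is rejected on
/// the first malformed or duplicated entry (or an empty result), naming the
/// offending line, so a bad entry never silently changes who can decrypt.
pub fn parse_recipients(body: &str) -> Result<Vec<String>, String> {
    let mut keys: Vec<String> = Vec::new();
    for (idx, raw) in body.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        check_recipient(line).map_err(|e| format!("line {}: {e}", idx + 1))?;
        if keys.iter().any(|k| k == line) {
            return Err(format!("line {}: duplicate recipient", idx + 1));
        }
        keys.push(line.to_owned());
    }
    if keys.is_empty() {
        return Err("no recipients listed: nothing could decrypt this store".into());
    }
    Ok(keys)
}

fn main() {
    // Constructed sample: correctly shaped placeholders, not real keys.
    let alice = format!("age1{}", "q".repeat(58));
    let bob = format!("age1{}", "p".repeat(58));
    let good = format!("# team recipients\n{alice}\n\n  {bob}\n");
    println!("{:?}", parse_recipients(&good));
    println!("{:?}", parse_recipients(&format!("{alice}\n{alice}\n")));
}
```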

Quick start

use age::secrecy::SecretString;
use ks::{Config, Secret, Store, identity};

let config = Config::load().expect("load config");
let pp = SecretString::from("hunter2".to_owned());
let id = identity::create(&config.identity_path, pp).expect("init identity");
let store = Store::create(config, id, &[]).expect("init store");

store.set("github/token", &Secret::new("ghp_xxx")).expect("set");
let token = store.get("github/token").expect("get");
assert_eq!(&*token.value, "ghp_xxx");

Re-exports

pub use config::Config;
pub use config::Tunables;
pub use error::Error;
pub use error::Result;
pub use secret::Kind;
pub use secret::Secret;
pub use store::Store;

Modules

agent
OS-keyring backed session cache for unlocked identities.
config
Runtime configuration: paths and tunables.
crypto
Low-level age encryption primitives: thin, allocation-conscious wrappers around the age crate.
error
Library-wide error and result types.
git
Thin wrapper over the system git binary.
identity
Age identity file management.
path
Logical secret path validation and filesystem mapping.
pwgen
Cryptographically-random secret generation.
recipient
Recipient list management.
secret
Secret value data model.
store
The encrypted secret store.
totp
RFC 6238 TOTP code generation.
x25519
The “x25519” recipient type, native to age.