Crate ks

ks — Key Store

A modern, local-first, git-friendly secret manager built on the age encryption format.

Architecture

  • Identity (identity.age): a single X25519 secret key, encrypted to the user’s passphrase with age scrypt mode. Stays local.
  • Recipients (store/.age-recipients): a plaintext list of age1… public keys allowed to decrypt this store. Git-synced with the secrets.
  • Secrets (store/<path>.age): each secret is its own recipient-encrypted age file whose plaintext is just text — the first line is the value, key: value lines are fields. age -d secret.age is human-readable and interoperable with the age / rage CLIs.
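The per-secret plaintext layout above (value on the first line, `key: value` fields after it) is simple enough that a small parser shows exactly what `age -d secret.age` hands back and how a field such as a URL survives its embedded colons. The following is an added example written for this page, not the crate's own `secret::Secret`; the `PlainSecret` type is hypothetical, and its treatment of lines that contain no colon (they are skipped) is an assumption the page does not define.

```rust
use std::collections::BTreeMap;

/// Hypothetical plaintext model mirroring the layout described above:
/// line 1 is the value, each later `key: value` line is a field.
/// (Added example; not the crate's own `Secret` type.)
#[derive(Debug, PartialEq)]
pub struct PlainSecret {
    pub value: String,
    pub fields: BTreeMap<String, String>,
}

impl PlainSecret {
    /// Parse the text that `age -d secret.age` would print.
    pub fn parse(text: &str) -> PlainSecret {
        let mut lines = text.lines();
        // The first line is the value; an empty file yields an empty value.
        let value = lines.next().unwrap_or("").to_owned();
        let mut fields = BTreeMap::new();
        for line in lines {
            // Split on the first ':' only, so a field value may itself contain
            // colons (URLs, otpauth:// URIs). Lines with no ':' are skipped
            // (assumption: the page assigns them no meaning).
            if let Some((key, val)) = line.split_once(':') {
                let key = key.trim();
                if key.is_empty() {
                    continue;
                }
                fields.insert(key.to_owned(), val.trim().to_owned());
            }
        }
        PlainSecret { value, fields }
    }

    /// Render back into the same line-oriented text, ready to be
    /// recipient-encrypted; parse(to_text(s)) == s.
    pub fn to_text(&self) -> String {
        let mut out = self.value.clone();
        for (k, v) in &self.fields {
            out.push('\n');
            out.push_str(k);
            out.push_str(": ");
            out.push_str(v);
        }
        out.push('\n');
        out
    }
}

fn main() {
    // Constructed sample input in the store's plaintext format.
    let s = PlainSecret::parse("ghp_xxx\nuser: alice\nurl: https://example.com:8443/x\n");
    println!("{:?}", s);
}
```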

Asymmetry

Encryption needs only the public recipients, so writing secrets never prompts for a passphrase. Only reading (and rotating recipients) requires the unlocked x25519::Identity.

use age::secrecy::SecretString;
use ks::{Config, Secret, Store, crypto};

fn main() -> ks::Result<()> {
    let config = Config::load()?;
    let pp = SecretString::from("hunter2".to_owned());
    let id = crypto::create_identity(&config.identity_path, pp)?;
    let store = Store::create(config, &id, &[])?;

    store.set("github/token", &Secret::new("ghp_xxx\nuser: alice"))?; // no unlock
    let token = store.get("github/token", &id)?;
    assert_eq!(token.password(), "ghp_xxx");
    Ok(())
}

Re-exports

pub use config::Config;
pub use error::Error;
pub use error::Result;
pub use secret::Secret;
pub use secret::SecretKind;
pub use store::RotationRecovery;
pub use store::Store;

Modules

  • config: Runtime configuration (filesystem paths).
  • crypto: age encryption primitives, identity file, and recipient list.
  • error: Library-wide error and result types.
  • git: Thin wrapper over the system git binary.
  • path: Logical secret path validation and filesystem mapping.
  • pwgen: Cryptographically-random secret generation.
  • secret: Plaintext secret model.
  • store: The encrypted secret store.
  • totp: RFC 6238 TOTP code generation.
  • x25519: The “x25519” recipient type, native to age.