Expand description
Encrypted secrets manager for developers — one file, age encryption, git-friendly.
This library provides the core functionality for murk: vault I/O, age encryption, BIP39 key recovery, and secret management. The CLI binary wraps this library.
Re-exports§
pub use env::parse_env;pub use env::resolve_key;pub use env::warn_env_permissions;pub use export::DiffEntry;pub use export::DiffKind;pub use export::diff_secrets;pub use export::export_secrets;pub use export::resolve_secrets;pub use recipients::RevokeResult;pub use recipients::revoke_recipient;pub use secrets::add_secret;pub use secrets::describe_key;pub use secrets::get_secret;pub use secrets::list_keys;pub use secrets::remove_secret;
Modules§
- codename
- Computed codenames for vault files.
- crypto
- env
- Environment and
.envfile handling. - export
- Export and diff logic for vault secrets.
- integrity
- merge
- Three-way merge driver for
.murkvault files. - recipients
- Recipient management: authorize and revoke vault access.
- recovery
- secrets
- Secret CRUD operations on the in-memory
Murkstate. - types
- vault
Functions§
- compute_
mac - Compute an integrity MAC over the vault’s secrets and schema. Covers: sorted key names, encrypted shared values, recipient pubkeys.
- decrypt_
value - Decrypt a base64-encoded ciphertext and return plaintext bytes.
- encrypt_
value - Encrypt a value and return base64-encoded ciphertext.
- load_
vault - Load the vault: read JSON, decrypt all values, return working state. Returns the raw vault (for preserving unchanged ciphertext on save), the decrypted murk, and the identity.
- now_utc
- Generate an ISO-8601 UTC timestamp.
- save_
vault - Save the vault: compare against original state and only re-encrypt changed values. Unchanged values keep their original ciphertext for minimal git diffs.