Encrypted secrets manager for developers — one file, age encryption, git-friendly.
This library provides the core functionality for murk: vault I/O, age encryption, BIP39 key recovery, and secret management. The CLI binary wraps this library.
Re-exports
- pub use error::MurkError;
- pub use github::GitHubError;
- pub use github::fetch_keys;
- pub use crypto::MurkIdentity;
- pub use crypto::MurkRecipient;
Modules
- crypto
- error - Unified error type for the murk library.
- github - GitHub SSH key fetching for murk authorize github:username.
- recovery
- types
- vault
Structs
- DiffEntry - A single entry in a secret diff.
- DiscoveredKey - A key discovered from the environment or .env file.
- InfoEntry - A single key entry in the vault info output.
- InitStatus - Status of an existing vault relative to a given key.
- MergeDriverOutput - Output of the merge driver: the merge result and whether meta was regenerated.
- RecipientEntry - A single recipient entry with resolved display info.
- RevokeResult - Result of revoking a recipient.
- VaultInfo - Aggregated vault information for display.
Enums
- DiffKind - The kind of change in a diff entry.
- EnvrcStatus - Status of .envrc after writing.
- MergeDriverSetupStep - A step completed during merge driver setup.
Functions
- add_secret - Add or update a secret in the working state. If scoped is true, stores in scoped (encrypted to self only). Returns true if the key was new (no existing schema entry).
- authorize_recipient - Add a recipient to the vault. Returns an error if the pubkey is invalid or already present.
- check_init_status - Check whether a secret key is authorized in an existing vault.
- create_vault - Create a new vault with a single recipient.
- decrypt_value - Decrypt a base64-encoded ciphertext and return plaintext bytes.
- decrypt_vault - Decrypt a vault using the given identity. Verifies integrity, decrypts all shared and scoped values, and returns the working state.
- decrypt_vault_values - Decrypt all shared secret values from a vault.
- describe_key - Update or create a schema entry for a key.
- diff_secrets - Compare two sets of secret values and return the differences.
- discover_existing_key - Try to find an existing age key: checks the MURK_KEY env var first, then falls back to the .env file. Returns None if neither is set.
- dotenv_has_murk_key - Check whether .env already contains a MURK_KEY line.
- encrypt_value - Encrypt a value and return base64-encoded ciphertext.
- export_secrets - Build shell-escaped export key-value pairs for eval $(murk export). Wraps values in single quotes with embedded quote escaping.
- format_diff_lines - Format diff entries as display lines. Returns plain-text lines (no ANSI colors) suitable for testing.
- format_info_lines - Format vault info as plain-text lines (no ANSI colors). has_meta indicates whether scoped/tag columns should be shown.
- format_recipient_lines - Group recipient entries by display name and format for display. Returns plain-text lines (no ANSI colors).
- get_secret - Look up a decrypted value. Scoped overrides take priority over shared values.
- import_secrets - Import multiple secrets at once.
- is_valid_key_name - Check whether a key name is a valid shell identifier (safe for export KEY=...). Must start with a letter or underscore, and contain only [A-Za-z0-9_].
- key_file_path - Compute the key file path for a vault: ~/.config/murk/keys/<hash>. The hash is a truncated SHA-256 of the absolute vault path.
- key_type_label - Return the key type label for a pubkey string.
- list_keys - Return key names from the vault schema, optionally filtered by tags.
- list_recipients - List all recipients in the vault with optional name resolution.
- load_vault - Resolve the key from the environment, read the vault, and decrypt it.
- parse_and_decrypt_values - Parse a vault from its JSON string and decrypt all shared values.
- parse_env - Parse a .env file into key-value pairs. Skips comments, blank lines, and MURK_* keys, and strips quotes and export prefixes.
- read_key_from_dotenv - Read MURK_KEY from the .env file if present.
- read_vault - Read a vault file from disk.
- remove_secret - Remove a secret from the working state and schema.
- resolve_key - Resolve the secret key, checking in order:
- resolve_key_for_vault - Resolve the secret key for a specific vault, checking in order:
- resolve_secrets - Merge scoped overrides over shared values and filter by tag. Returns raw (unescaped) values suitable for env var injection.
- revoke_recipient - Remove a recipient from the vault. recipient can be a pubkey or a display name.
- run_merge_driver - Run the three-way merge driver on vault contents (as strings).
- save_vault - Save the vault: compare against original state and only re-encrypt changed values. Unchanged values keep their original ciphertext for minimal git diffs.
- setup_merge_driver - Configure git to use murk’s custom merge driver for .murk files.
- truncate_pubkey - Truncate a pubkey for display, keeping start and end.
- vault_info - Compute vault info from raw vault bytes.
- warn_env_permissions - Warn if .env has loose permissions (Unix only).
- write_envrc - Write a .envrc file for direnv integration.
- write_key_ref_to_dotenv - Write a MURK_KEY_FILE reference to .env, removing any existing MURK_KEY/MURK_KEY_FILE lines.
- write_key_to_dotenv - Write a MURK_KEY to .env, removing any existing MURK_KEY lines. On Unix, sets file permissions to 600 atomically at creation time to prevent a TOCTOU window where the secret key is world-readable. On non-Unix platforms, permissions are not hardened.
- write_key_to_file - Write a secret key to a file with restricted permissions.