GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → mqnfred → hips

mqnfred / hips

Licence: other
Manage secrets alongside your code

Programming Languages

rust
11053 projects

Labels

encryptionsecretssecret-managers

Projects that are alternatives of or similar to hips

k8s-vault-webhook
A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
Stars: ✭ 107 (+529.41%)
Mutual labels:  secrets, secret-managers
sec
Tiny library for using secrets in Python applications
Stars: ✭ 20 (+17.65%)
Mutual labels:  secrets
QR-secret-sharing
🔒 Create QR codes to secret-share a message. Ideal for cryptocurrency wallet recovery keys and passwords.
Stars: ✭ 94 (+452.94%)
Mutual labels:  secrets
secrets
Useful to get input on noecho, secrets, passwords, token, hints
Stars: ✭ 13 (-23.53%)
Mutual labels:  secrets
githubsecrets
Manage your GitHub Actions secrets with a simple CLI
Stars: ✭ 41 (+141.18%)
Mutual labels:  secrets
secrets
Not Yet Another Password Manager written in Go using libsodium
Stars: ✭ 28 (+64.71%)
Mutual labels:  secrets
terraform-aws-ssm-parameter-store
Terraform module to populate AWS Systems Manager (SSM) Parameter Store with values from Terraform. Works great with Chamber.
Stars: ✭ 87 (+411.76%)
Mutual labels:  secrets
terraform-aws-secrets-manager
Terraform module to create Amazon Secrets Manager resources.
Stars: ✭ 37 (+117.65%)
Mutual labels:  secrets
airgap
Offline LiveUSB to generate and manage secret keys for things such as gpg, certificates, and cryptocurrency
Stars: ✭ 92 (+441.18%)
Mutual labels:  secrets
vault-sidecar-injector
Kubernetes admission webhook for secure, seamless and dynamic handling of secrets in your applications
Stars: ✭ 55 (+223.53%)
Mutual labels:  secrets
ok-to-test
Example workflow configuration showing how to use GitHub Actions secrets in pull requests from forks 🍴🔑
Stars: ✭ 58 (+241.18%)
Mutual labels:  secrets
ssh-credentials-plugin
No description or website provided.
Stars: ✭ 23 (+35.29%)
Mutual labels:  secrets
s3cr3t
A supercharged S3 reverse proxy
Stars: ✭ 55 (+223.53%)
Mutual labels:  secrets
vault-monkey
Extract secrets from your vault in a multi-machine cluster environment.
Stars: ✭ 12 (-29.41%)
Mutual labels:  secrets
exenv
Exenv makes loading environment variables from external sources easy.
Stars: ✭ 35 (+105.88%)
Mutual labels:  secrets
secret-sidecar
A Kubernetes init container that retrieves a secret from AWS Secrets Manager
Stars: ✭ 24 (+41.18%)
Mutual labels:  secrets
secret config
Centralized Configuration and Secrets Management for Ruby and Rails applications.
Stars: ✭ 15 (-11.76%)
Mutual labels:  secrets
carvel-secretgen-controller
secretgen-controller provides CRDs to specify what secrets need to be on Kubernetes cluster (to be generated or not)
Stars: ✭ 54 (+217.65%)
Mutual labels:  secrets
configurator
Synchronize and Version Control ConfigMaps & Secrets across Deployment Rollouts.
Stars: ✭ 68 (+300%)
Mutual labels:  secrets
teller
Cloud native secrets management for developers - never leave your command line for secrets.
Stars: ✭ 998 (+5770.59%)
Mutual labels:  secrets
View All Similar Projects ➔

Hide in plain sight

crates.io

hips is a small, self-contained utility that enables users to store their secrets encrypted alongside their code. It can be used as a binary or a library depending on your needs. What are you interested in knowing?

  1. Why do this?
  2. Let's try it out
  3. Tutorial
  4. Is this even safe

Philosophy

me+code=secrets

For all the small shops out there, the low profile targets with a limited amount of individual developers involved, we suggest tracking your secrets alongside your code, in a file or folder database.

This will reduce sources of truth in your distributed system by 1 and help with "infrastructure as code" by making access to the secrets a local affair. You will not have to depend on any kind of remote infrastructure for your secrets.

This solution will not work well for you if you:

  • Have many developers (master-password strategy does not scale well)
  • High scale/complexity infra (a need for secrets as a service)
  • High profile shops (compliance reasons, need insurances)

In this database, you could store your AWS credentials or the ssh key you use to connect to your production. You could store secrets needed by your serving layer to authenticate with your database and push those using a tool like ansible or ssh.

Install

You will need cargo to install hips. Once you have it, do the following:

export PATH=$PATH:$HOME/.cargo/bin
cargo install hips
hips --help

Tutorial

In this tutorial you will learn about all the different commands and database formats that hips supports.

Database and password configuration

We use environment variables to pass the database and password to hips:

$ export HIPS_DATABASE=secrets.yaml
$ export HIPS_PASSWORD=pw

Store, Load, List, Remove, Rename

store takes a name and a secret and stores them in the database.

$ hips store aws_access_key_id BUIO1IXUAK3OQ9ACAHSX
$ hips store aws_secret_access_key UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh
$ cat secrets.yaml
---
- name: aws_access_key_id
  secret: c58C04qkTDQhg86piVlmg7EXcz66i3C3GSdHjmZW5v2Pa6Froo69gbuDNSICXh4w
  salt: OH3/mX3e/3ODwSLBYzFiK92PztSgLLmIf5S8mqenwXo=
- name: aws_secret_access_key
  secret: asrhBl8bMTPGj8Cua6LzyseRBLmhmNrivaCjW53NcNRUyKSYOkoLdq9PHSPHKdgosO6/acOn3hv+vnkciwLj0tio0ac=
  salt: 4GP2GtoRhaf6NKtanBm9aLjUefuNH+otFDFfHF1Utns=%

load takes a name and prints out the matching secret.

$ hips load aws_access_key_id
BUIO1IXUAK3OQ9ACAHSX
$ hips load aws_secret_access_key
UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh

list prints the names of the secrets stored in the db sorted alphabetically.

$ hips ls
aws_access_key_id
aws_secret_access_key

remove (rm) takes a name and removes that secret from the database.

$ hips store remove_me_soon unimportant-secret
$ hips ls
aws_access_key_id
aws_secret_access_key
remove_me_soon
$ hips remove remove_me_soon
$ hips ls
aws_access_key_id
aws_secret_access_key

rename renames a secret based on a (orig, dest) name pair

$ hips store move_me_please unimportant-secret
$ hips ls
aws_access_key_id
aws_secret_access_key
move_me_please
$ hips rename move_me_please thats_better
$ hips ls
aws_access_key_id
aws_secret_access_key
thats_better

Rotate

You can rotate (rot) the secrets database in one command, re-encrypting everything using a different password.

$ cat secrets.yaml | grep secret:
  secret: c58C04qkTDQhg86piVlmg7EXcz66i3C3GSdHjmZW5v2Pa6Froo69gbuDNSICXh4w
  secret: asrhBl8bMTPGj8Cua6LzyseRBLmhmNrivaCjW53NcNRUyKSYOkoLdq9PHSPHKdgosO6/acOn3hv+vnkciwLj0tio0ac=
$ hips rotate new-pw
$ cat secrets.yaml | grep secret:
  secret: Sb8BznQqjYr+q+lis2uVKPZ/j+qmNIMuXbjr/MElIAYkupyUCGHPbY+N/NTpTxKr
  secret: FlWQvkzidFa8mStgoEbQXt4MobHPQFT7NFnImKIjgfNZ7xFhPGjj3kD0z3x4YNzLTjBMJykk57JooYCojhOH/GlqeEk=
$ export HIPS_PASSWORD=new-pw
$ hips load aws_access_key_id
BUIO1IXUAK3OQ9ACAHSX

You can see here that the encrypted secrets and salt are different from the previous secrets.yaml database. We can now read all the secrets using the new password.

Template

Many times when exporting secrets to production, they need to be displayed in a specific manner, as part of a configuration file and such. We use the tiny template library for this purpose. See their neat syntax page for more information. We will cover our templating capabilities in the following two examples.

AWS credentials file

Let's generate the .aws/credentials, where amazon secrets are conventionally stored. We'll use the "map" feature of the templating framework, which allows us to print out specific secrets by name.

$ hips template '[default]\naws_access_key_id={map.aws_access_key_id}\naws_secret_access_key={map.aws_secret_access_key}'
[default]
aws_access_key_id=BUIO1IXUAK3OQ9ACAHSX
aws_secret_access_key=UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh

Shell script loading all secrets

This time, since our template is a bit more complex, we'll store it in a file:

$ cat shell-template
#!/bin/sh
{{ for secret in list -}}
{{- if not @first }}\n{{ endif -}}
export {secret.name|capitalize}={secret.secret};
{{- endfor -}}

You can find more information about this syntax here. This will yield the following shell script:

$ hips template shell-template
#!/bin/sh
export AWS_ACCESS_KEY_ID=BUIO1IXUAK3OQ9ACAHSX;
export AWS_SECRET_ACCESS_KEY=UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh;

Database formats

Up until now, we have been using a yaml file as database. We support multiple formats however:

  • As a directory hierarchy (no extension)
  • As a single yaml file (.yaml extension)

If we were to repeat the experiment above with a directory hierarchy under secrets/, our database would look like this:

$ tree secrets/
secrets
├── aws_access_key_id/
│   ├── salt
│   └── secret
└── aws_secret_access_key/
    ├── salt
    └── secret
$ cat secrets/aws_access_key_id/secret
Sb8BznQqjYr+q+lis2uVKPZ/j+qmNIMuXbjr/MElIAYkupyUCGHPbY+N/NTpTxKr

Safety

This project is using ring's pbkdf2 function to derive a proper key from a password and its aes256 implementation to encrypt/decrypt the secrets. In theory at least, those ciphers should not be brute-forceable. You can find an audit of the ring library by Cure53 here.

With this being said, it is still important to protect the encrypted version of our secrets from being public. If you store your secrets alongside your code, that responsibility then befalls your code provider (github for example.)

Ultimately, consider the following three characteristics:

  • Your profile (low-profile target, high-profile?)
  • Your threat-model (who do you accept to trust?)
  • Your compliance requirements (do you have PII data?)

You need to consider all those questions (and more) before deciding on a solution for your secrets management. It is advised that you consult with a security engineer as well.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].