Simple encrypted credential file management with GPG.
I have a lot of different sensitive environment variables to juggle: API keys, tokens, usernames, passwords, etc. I had been using simple shell scripts to set environment variables when needed, e.g.:

$ cat ~/Dropbox/creds/aws-work.sh
export AWS_ACCESS_KEY_ID=foo
export AWS_SECRET_ACCESS_KEY=bar
$ source ~/Dropbox/creds/aws-work.sh
$ echo $AWS_ACCESS_KEY_ID
foo
$ s3cmd ...
But I don’t like storing these in plaintext on Dropbox.
Thus, how about a simple way to encrypt/decrypt these as needed with GPG?
Requirements:
- bash >= 3.2
- gpg (tested with 2.0 and 2.1 but might work with 1.4)

Tested on Mac OSX 10.11 with gpg2 installed from homebrew, but should work on most platforms with the above requirements.
Several options for installation, in order of recommendation:
- Using homebrew, install latest tagged release:
$ brew install joemiller/taps/creds
- Using homebrew, install master branch:
$ brew install joemiller/taps/creds --HEAD
- Or, clone and run:
$ git clone https://github.com/joemiller/creds.git
$ cd creds ; make install
- Or, curl install!
$ curl https://raw.githubusercontent.com/joemiller/creds/master/creds >./creds
$ chmod +x ./creds
If you're on OSX you may need to install GPG and create a keypair. You have a few options:
- Using homebrew: brew install gpg2 gpg-agent
- Install GPG Suite from https://gpgtools.org/
Then run gpg2 --gen-key to generate a new keypair if you don't already have one.
Uninstalling:
- If installed via homebrew: brew uninstall creds
- If installed from make install: Run
Usage:
$ creds -h
usage: creds [-h|--help] [-v|--version] <subcommand> [arguments]

Simple encrypted credential file management with GPG.

The most commonly used subcommands are:
  list    list available credential stores
  edit    edit a credential store
  import  import an existing file into a new credential store
  set     display commands to set credentials from a credential store
  unset   display commands to unset credentials from a credential store
Configuration
creds reads configuration from the ~/.credsrc file, e.g.:

CREDS_DIR: A directory where encrypted credentials files will be stored.
GPG_KEY: The GPG key to use for encrypting credentials. Use gpg -K to list keys.
GPG_BIN: Path to the GPG binary to use. If not set, creds will look for gpg in the path, preferring
Creating a new credential store / Editing existing credential store
The edit command will create a new credential store if one does not exist yet.
The format of credential stores is single-line KEY=val environment-variable-style lines. All other lines will be ignored when using the

$ creds edit aws-work
< .. $EDITOR launches .. >
AWS_ACCESS_KEY_ID=foo
AWS_SECRET_ACCESS_KEY=bar
Listing credential stores
$ creds list
Credential storage dir: /Users/joe/Dropbox/creds
- aws-work
- misc
- digitalocean
Use the set command to print the contents of a credential store. Usually you will wrap this with eval to set the credentials in your shell's environment.

$ creds set aws-work
export AWS_ACCESS_KEY_ID=foo
export AWS_SECRET_ACCESS_KEY=bar
$ eval $(creds set aws-work)
$ echo $AWS_ACCESS_KEY_ID
foo
Use the unset command to unset the credentials. This should also be used with

$ creds unset aws-work
unset AWS_ACCESS_KEY_ID
$ eval $(creds unset aws-work)
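The set and unset behaviour described above, as an added example that is not the creds project's own code: it reads a decrypted store, keeps only the KEY=val lines the store format allows (everything else is ignored, as the edit section says), and emits export or unset commands suitable for eval. The store layout (CREDS_DIR/<name>.gpg), the gpg2-then-gpg lookup, and the single-quoting of values (creds itself prints them bare) are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not code from the creds project. Assumptions: stores live at
# $CREDS_DIR/<name>.gpg and GPG_BIN/gpg2/gpg is the decryption binary.
CREDS_DIR="${CREDS_DIR:-$HOME/Dropbox/creds}"

# Keep only lines that look like a shell assignment (KEY=val). Requiring a valid
# identifier as the key means nothing but assignments reaches a later eval.
creds_filter_kv() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' || true
}

# Turn KEY=val lines on stdin into single-quoted export commands so values with
# spaces, '=' or other shell metacharacters survive eval unchanged.
creds_set_cmds() {
    creds_filter_kv | while IFS='=' read -r key val; do
        # a single quote inside the value becomes '\'' (close, escaped quote, reopen)
        esc=$(printf '%s' "$val" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$key" "$esc"
    done
}

# Emit one unset command per key found on stdin.
creds_unset_cmds() {
    creds_filter_kv | while IFS='=' read -r key _; do
        printf 'unset %s\n' "$key"
    done
}

# Decrypt a named store to stdout (assumed layout: $CREDS_DIR/<name>.gpg).
creds_decrypt() {
    bin="${GPG_BIN:-$(command -v gpg2 || command -v gpg)}"
    "$bin" --quiet --batch --decrypt "$CREDS_DIR/$1.gpg"
}

# Mirrors the page's usage: eval "$(creds_set aws-work)"; eval "$(creds_unset aws-work)"
creds_set()   { creds_decrypt "$1" | creds_set_cmds; }
creds_unset() { creds_decrypt "$1" | creds_unset_cmds; }
```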
Importing an existing plaintext file
$ cat ./circleci.keys
CIRCLE_TOKEN=foo
$ creds import ./circleci.keys
Encrypting './circleci.keys' to '/Users/joe/Dropbox/creds/circleci.keys.gpg'
Developing & Testing
- bats (brew install bats)
- shellcheck (brew install shellcheck)
Run make help to get a list of tasks.
TODO:
- Maybe make it work with the keybase commands too? But don't introduce a dependency on keybase.
- Rewrite in go, optionally using gpg library? Unlikely as this is intended to be a simple tool and already has very few external dependencies (only bash 3.2+ and gpg) but it would be a fun rewrite.
joe miller, 2016