secretgarden is a self-contained CLI that generates and securely stores secrets like the following:
- Passwords
- SSH keys
- TLS/X.509 certificates (coming soon)
- Opaque values
It's made for sysadmins who manage a small set of systems by themselves. Secrets are encrypted with NaCl's secretbox under a key derived from your SSH key using the argon2 hash.

The interaction model is strongly inspired by a credential server called CredHub, where an automated deployment tool can ask for a secret that is:
- Securely stored
- Automatically generated if it does not exist
- Re-generated if the secret's options have changed
- Easy to generate based on other certificates (CAs with child certificates, for instance)
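The get-or-generate model above, as an added example (this is not secretgarden's code): an in-memory store that returns an existing secret, generates it when missing, and regenerates it when the requested options no longer match the ones it was generated with. The `kind` field and the refusal to overwrite a secret of another kind are design choices of this example, not behaviour documented for the tool.

```python
"""Get-or-generate secret store in the CredHub style.

Added example, not secretgarden's own code. The real tool encrypts to disk;
this one keeps everything in memory to show the three rules:
  1. an existing secret is returned as-is,
  2. a missing secret is generated,
  3. a secret whose options changed is regenerated.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int) -> str:
    """Password drawn from ALPHABET using the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class SecretStore:
    def __init__(self):
        # name -> {"kind": str, "value": str, "options": dict | None}
        self._items = {}

    def _lookup(self, name: str, kind: str):
        """Return the entry for name, refusing to mix secret kinds (example policy)."""
        entry = self._items.get(name)
        if entry is not None and entry["kind"] != kind:
            raise TypeError(f"{name} is stored as {entry['kind']}, not {kind}")
        return entry

    def password(self, name: str, length: int = 32) -> str:
        """Return the named password, generating or regenerating as needed."""
        options = {"length": length}
        entry = self._lookup(name, "password")
        if entry is not None and entry["options"] == options:
            return entry["value"]  # rule 1: unchanged options, same secret
        # rule 2 / rule 3: missing or options changed, so (re)generate and
        # record the options that produced this value
        value = generate_password(length)
        self._items[name] = {"kind": "password", "value": value, "options": options}
        return value

    def set_opaque(self, name: str, value: str) -> None:
        """Store a value dictated from outside; it is never regenerated."""
        self._lookup(name, "opaque")
        self._items[name] = {"kind": "opaque", "value": value, "options": None}

    def opaque(self, name: str) -> str:
        entry = self._lookup(name, "opaque")
        if entry is None:
            raise KeyError(f"no opaque secret named {name}")
        return entry["value"]


if __name__ == "__main__":
    store = SecretStore()
    first = store.password("mysql-root-password", length=32)
    print(first == store.password("mysql-root-password", length=32))  # True
    print(first == store.password("mysql-root-password", length=16))  # False: rotated
```

Rule 3 is the one to keep in mind operationally: asking for the same name with a different option set is a rotation, so whatever consumed the old value must be reconfigured as well.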
Currently, secretgarden can only be installed from source. Install Rust via rustup or OS packages, then run `cargo install --path .` from inside this directory. (Make sure that `~/.cargo/bin` is in your `$PATH`.)
Before getting started, make sure that you have ssh-agent running, and that you've added keys to it:

```shell
$ ssh-add -l
256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA me@home (ED25519)
...
```

If `ssh-add -l` returns nothing, then add your SSH key with `ssh-add`.

Note: only RSA and ED25519 keys are accepted. DSA and ECDSA signatures are randomised (signing the same input twice yields different output), making them unusable for key derivation.

If it returns an error, you likely aren't running ssh-agent. You can start it for your current shell with `eval $(ssh-agent)`, but you should probably add that command to your login script.
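The note above is checkable before you rely on a key: sign one fixed challenge twice through the agent and compare. This added example (not part of secretgarden) speaks the ssh-agent protocol directly over `$SSH_AUTH_SOCK`; the challenge bytes, the `DETERMINISTIC_TYPES` policy list and the script name are this example's own assumptions. It goes slightly beyond the README by also reporting the live result, so a key type outside the policy list (or a hardware-backed `-sk` key) shows up as non-deterministic rather than being silently accepted.

```python
"""Check whether an ssh-agent key signs deterministically.

Added example, not part of secretgarden. Talks the ssh-agent protocol
(draft-miller-ssh-agent) over $SSH_AUTH_SOCK: lists identities, signs one
fixed challenge twice per key, and compares the two signatures. RSA and
Ed25519 return identical bytes; DSA/ECDSA use a random nonce and do not,
which is why they cannot seed a key-derivation step.
"""
import os
import socket
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_RSA_SHA2_256 = 2  # flag: request rsa-sha2-256 instead of SHA-1 ssh-rsa

DETERMINISTIC_TYPES = ("ssh-rsa", "ssh-ed25519")  # static policy from the README
CHALLENGE = b"secretgarden-example-kdf-challenge"  # constructed fixed input


def put_uint32(n: int) -> bytes:
    return struct.pack(">I", n)


def put_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix followed by the bytes."""
    return put_uint32(len(b)) + b


def get_string(buf: bytes, off: int):
    """Read an SSH 'string' at offset; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def key_type(blob: bytes) -> str:
    """The algorithm name is the first string of a public-key blob."""
    name, _ = get_string(blob, 0)
    return name.decode()


def usable_for_derivation(blob: bytes) -> bool:
    return key_type(blob) in DETERMINISTIC_TYPES


def build_sign_request(blob: bytes, data: bytes) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST body: key blob, data to sign, flags."""
    flags = SSH_AGENT_RSA_SHA2_256 if key_type(blob) == "ssh-rsa" else 0
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(blob)
            + put_string(data) + put_uint32(flags))


def parse_identities(reply: bytes):
    """SSH_AGENT_IDENTITIES_ANSWER -> list of (key blob, comment)."""
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % reply[0])
    (count,) = struct.unpack_from(">I", reply, 1)
    off, ids = 5, []
    for _ in range(count):
        blob, off = get_string(reply, off)
        comment, off = get_string(reply, off)
        ids.append((blob, comment.decode("utf-8", "replace")))
    return ids


def parse_sign_response(reply: bytes) -> bytes:
    """SSH_AGENT_SIGN_RESPONSE -> signature blob; anything else is a refusal."""
    if reply[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("agent refused to sign (reply type %d)" % reply[0])
    sig, _ = get_string(reply, 1)
    return sig


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_call(sock, body: bytes) -> bytes:
    """Send one length-framed message and read one length-framed reply."""
    sock.sendall(put_string(body))
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def signs_deterministically(sock, blob: bytes, challenge: bytes = CHALLENGE) -> bool:
    """Sign the same challenge twice; identical signatures mean a usable KDF input."""
    first = parse_sign_response(agent_call(sock, build_sign_request(blob, challenge)))
    second = parse_sign_response(agent_call(sock, build_sign_request(blob, challenge)))
    return first == second


if __name__ == "__main__":
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        listing = agent_call(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        for blob, comment in parse_identities(listing):
            print(f"{key_type(blob):22} {comment:24} policy_ok={usable_for_derivation(blob)} "
                  f"live_deterministic={signs_deterministically(s, blob)}")
```

With an agent running, `python3 agent_check.py` (a hypothetical file name) prints one line per loaded key; only keys that pass both the policy and the live check are safe to use as a derivation input.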
Secrets are retrieved via subcommands of `secretgarden`. For instance, to retrieve a 32-character random password named `mysql-root-password`, run:

```shell
$ secretgarden password mysql-root-password --length 32
nEIn5JwTCpaIrGGpCehuP6rVbCgKLWow
```

If this password doesn't exist, it will be generated and stored.
SSH keys can be generated similarly:

```shell
$ secretgarden ssh-key jumpbox-ssh-key
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```

The public key can be retrieved with `--public`:

```shell
$ secretgarden ssh-key jumpbox-ssh-key --public
ssh-ed25519 ...
```
Some secrets might be dictated to you (API tokens, etc.), but it can still be useful to store them alongside generated secrets.

Opaque (non-generated) values can be set with `secretgarden set-opaque` and retrieved with `secretgarden opaque`:

```shell
$ secretgarden set-opaque api-token
<enter secret value>
$ secretgarden opaque api-token
<your secret value>
```