{"id":48726200,"url":"https://github.com/byteness/keyring","last_synced_at":"2026-06-12T00:01:24.530Z","repository":{"id":295687657,"uuid":"990916392","full_name":"ByteNess/keyring","owner":"ByteNess","description":"Go library providing a uniform interface across a range of secure credential stores","archived":false,"fork":false,"pushed_at":"2026-06-11T22:14:17.000Z","size":775,"stargazers_count":18,"open_issues_count":1,"forks_count":10,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-11T22:14:19.011Z","etag":null,"topics":["credentials","keyring","keystore"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"99designs/keyring","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ByteNess.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-26T21:01:02.000Z","updated_at":"2026-06-11T20:59:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ByteNess/keyring","commit_stats":null,"previous_names":["byteness/keyring"],"tags_count":52,"template":false,"template_full_name":null,"purl":"pkg:github/ByteNess/keyring","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Fkeyring","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Fkeyring/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Fkeyring/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Fkeyring/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ByteNess","download_url":"https://codeload.github.com/ByteNess/keyring/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Fkeyring/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34222709,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credentials","keyring","keystore"],"created_at":"2026-04-11T22:54:01.770Z","updated_at":"2026-06-12T00:01:24.521Z","avatar_url":"https://github.com/ByteNess.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Keyring\n=======\n[![Build Status](https://github.com/byteness/keyring/workflows/Continuous%20Integration/badge.svg)](https://github.com/byteness/keyring/actions)\n[![Documentation](https://godoc.org/github.com/byteness/keyring?status.svg)](https://godoc.org/github.com/byteness/keyring)\n\n\u003e [!NOTE]\n\u003e This is a maintained fork of https://github.com/99designs/keyring which seems to be an abandoned project.\n\u003e Contributions are welcome, but keep in mind this is a side project and maintained on best effort basis!\n\nKeyring provides a common interface to a range of secure credential storage services. Originally developed as part of [AWS Vault](https://github.com/byteness/aws-vault), a command line tool for securely managing AWS access from developer workstations.\n\nCurrently Keyring supports the following backends\n * [macOS Keychain](https://support.apple.com/en-au/guide/keychain-access/welcome/mac) (with TouchID support 🎉)\n * [Windows Credential Manager](https://support.microsoft.com/en-au/help/4026814/windows-accessing-credential-manager)\n * [Windows Hello](https://support.microsoft.com/en-us/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0)-gated encrypted Credential Manager backend\n * Secret Service ([Gnome Keyring](https://wiki.gnome.org/Projects/GnomeKeyring), [KWallet](https://kde.org/applications/system/org.kde.kwalletmanager5))\n * [KWallet](https://kde.org/applications/system/org.kde.kwalletmanager5)\n * [Pass](https://www.passwordstore.org/)\n * [Passage](https://github.com/FiloSottile/passage)\n * [Encrypted file (JWT)](https://datatracker.ietf.org/doc/html/rfc7519)\n * [KeyCtl](https://linux.die.net/man/1/keyctl)\n * [1Password Connect](https://developer.1password.com/docs/connect/)\n * [1Password Service Accounts](https://developer.1password.com/docs/service-accounts)\n * [1Password Desktop Application Integration](https://developer.1password.com/docs/sdks/desktop-app-integrations/)\n\n## Usage\n\nThe short version of how to use keyring is shown below.\n\n```go\nring, _ := keyring.Open(keyring.Config{\n  ServiceName: \"example\",\n})\n\n_ = ring.Set(keyring.Item{\n\tKey: \"foo\",\n\tData: []byte(\"secret-bar\"),\n})\n\ni, _ := ring.Get(\"foo\")\n\nfmt.Printf(\"%s\", i.Data)\n```\n\nTo configure TouchId biometrics:\n\n```go\nkeyring.Config.UseBiometrics = true\nkeyring.Config.TouchIDAccount = \"cc.byteness.aws-vault.biometrics\"\nkeyring.Config.TouchIDService = \"aws-vault\"\n```\n\n### Windows Hello backend\n\nThe `winhello` backend stores encrypted envelopes in Windows Credential Manager.\nThis may sound similar to the `wincred` backend, but the difference is encryption.\nHere, we don't store plaintext item data in Credential Manager. It is encrypted\nwith AES-256-GCM, and the content encryption key is wrapped by a Windows Hello /\nPassport KSP key and unwrapped through an interactive private-key operation.\n\nUpon the first use, a new Passport KSP key is created and stored in the user's\nprotected key store. This operation requires user interaction and Windows Hello\nauthentication. Later, whenever an item is accessed, the content encryption key\nis unwrapped by the Passport KSP key, which requires Windows Hello authentication\nagain. This means that every access to the stored secrets requires user presence\nand authentication through Windows Hello (using PIN, fingerprint, face ID, etc.).\n\nThis protects against silent reads of the stored Credential Manager blob. It\ndoes not protect against malware that can read process memory after a successful\nunlock, inject into an approved process, or steal credentials after they are\nhanded to a caller.\n\nTo use the Windows Hello backend on Windows:\n\n```go\nring, err := keyring.Open(keyring.Config{\n  ServiceName: \"example\",\n  AllowedBackends: []keyring.BackendType{\n    keyring.WinHelloBackend,\n  },\n})\nif err != nil {\n  return err\n}\n```\n\nFor more detail on the API please check [the keyring godocs](https://godoc.org/github.com/byteness/keyring)\n\n### Reducing the dependency surface (opt-out build tags)\n\nThe cross-platform backends compile into every build, whether or not you use\nthem, along with their dependency trees. If you know at build time that you\ndon't need a backend, an opt-out build tag excludes it (and its dependencies)\nfrom compilation:\n\n| Build tag | Backends removed | Headline dependencies dropped |\n|---|---|---|\n| `keyring_no1password` | `op`, `op-connect`, `op-desktop` | `onepassword-sdk-go` (incl. the `wazero` WebAssembly runtime), `connect-sdk-go` (incl. `jaeger-client-go`) |\n| `keyring_nofile` | `file` | `dvsekhvalnov/jose2go` |\n| `keyring_nopass` | `pass` | none (shells out to `pass`) |\n| `keyring_nopassage` | `passage` | none (shells out to `passage`) |\n\n```bash\ngo build -tags keyring_no1password ./...\n```\n\nThe platform-specific backends (`keychain`, `wincred`, `winhello`,\n`secret-service`, `kwallet`, `keyctl`) are already gated by GOOS constraints\nand need no tags. Default builds (no tags) are unaffected. An excluded backend\nis simply absent from `AvailableBackends()`, and requesting it explicitly\nreturns `ErrNoAvailImpl` — the same behavior as a backend that's unavailable\non the current platform. The `BackendType` constants and `Config` fields are\nalways present, so there is no API change under any tag.\n\n\n## Testing\n\n[Vagrant](https://www.vagrantup.com/) is used to create linux and windows test environments.\n\n```bash\n# Start vagrant\nvagrant up\n\n# Run go tests on all platforms\n./bin/go-test\n```\n\n## 🧰 Contributing\n\nReport issues/questions/feature requests on in the [issues](https://github.com/byteness/keyring/issues/new) section.\n\nFull contributing [guidelines are covered here](.github/CONTRIBUTING.md).\n\n## Maintainers\n\n* [Marko Bevc](https://github.com/mbevc1)\n* Full [contributors list](https://github.com/byteness/keyring/graphs/contributors)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbyteness%2Fkeyring","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbyteness%2Fkeyring","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbyteness%2Fkeyring/lists"}