{"id":36496035,"url":"https://github.com/drmdrew/syncrets","last_synced_at":"2026-01-12T02:03:59.616Z","repository":{"id":57525281,"uuid":"92664604","full_name":"drmdrew/syncrets","owner":"drmdrew","description":"Rsync-like utility to sync/transfer secrets between vault servers and formats like ejson","archived":false,"fork":false,"pushed_at":"2018-09-10T00:12:14.000Z","size":17,"stargazers_count":5,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-06-20T16:41:48.882Z","etag":null,"topics":["devops","golang","secret-management","secrets","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/drmdrew.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2017-05-28T14:00:13.000Z","updated_at":"2024-01-13T23:56:48.000Z","dependencies_parsed_at":"2022-09-19T11:00:35.509Z","dependency_job_id":null,"html_url":"https://github.com/drmdrew/syncrets","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/drmdrew/syncrets","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drmdrew%2Fsyncrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drmdrew%2Fsyncrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drmdrew%2Fsyncrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drmdrew%2Fsyncrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/drmdrew","download_url":"https://codeload.github.com/drmdrew/syncrets/tar.g
z/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/drmdrew%2Fsyncrets/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28331510,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T00:36:25.062Z","status":"online","status_checked_at":"2026-01-12T02:00:08.677Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","golang","secret-management","secrets","vault"],"created_at":"2026-01-12T02:01:16.698Z","updated_at":"2026-01-12T02:03:59.611Z","avatar_url":"https://github.com/drmdrew.png","language":"Go","readme":"# syncrets\n*WIP*: This project is a *WORK IN PROGRESS*, so consider it useful for\nexperimentation but not ready for production use. Use at your own risk\nbut if you *do* use it I would love to hear what you think so please\nlog issues for anything you would like to see fixed/improved.\n\nsyncrets is a little utility for synchronizing secrets between systems like\n[Hashicorp vault][VAULT] and formats like [ejson][EJSON]. Think of it like an\n_rsync for secrets_. Secrets need to be handled carefully and syncrets can\nhelp transfer, list, export, and otherwise manage secrets between systems\nand formats. 
The name `syncrets` is a portmanteau of `secrets` and `sync` ...\nobligatory [xkcd][XKCD-739].\n\nHere is a simple example of using syncrets to copy secrets between two\nvault servers running locally:\n```\nsyncrets sync vault://vault-a/secrets/ vault://vault-b/secrets/\n```\n\n## syncrets config file\n\nTo facilitate working with multiple vaults, syncrets looks for a `syncrets.yml`\nconfiguration file in the working directory as well as `~/.syncrets/syncrets.yml`.\nHere is an example:\n\n```\nvault:\n    vault-a:\n        url: \"http://localhost:8200\"\n        auth:\n            method: token\n        token:\n            file: ~/.syncrets/.vault-a-token\n    vault-b:\n        url: \"http://localhost:8201\"\n        auth:\n            method: token\n        token:\n            file: ~/.syncrets/.vault-b-token\n```\nUsing a configuration file allows you to refer to servers using the name\n(alias) present in their section of the configuration file, so you can\nrefer to `vault://vault-a/secrets` rather than `http://localhost:8200/secrets`.\n\nThis example configuration file configures syncrets to reach `vault-a` using\n`http://localhost:8200` and to reach `vault-b` using `http://localhost:8201`\nwhich saves you from having to type out the full scheme, hostname, and port\nwhen building URLs to pass to syncrets. 
The configuration also tells syncrets to\nload vault auth tokens from file (assuming that these tokens have been obtained\npreviously).\n\n## syncrets ejson\n\nsyncrets can directly `sync` secrets between two vault servers but can also\nbe used to `sync` secrets to a local file (preferably in ejson format ...\nthese are _secrets_ after all).\n\nIf the source or target of a syncrets `sync` ends with `.ejson` then\nsyncrets will use the `ejson` configuration section of `syncrets.yml` to\nconfigure the default encryption public key to use:\n```\nejson:\n    public_key:   a9d52487a1232e5c292a9680f4a44a84ea302ba05ff12d2e9d11662d20fc0139\n```\n\nFor both encryption and decryption syncrets assumes that the ejson `EJSON_KEYDIR`\nenvironment variable has been set if the ejson keys are not present in their default location.\n\n*Example*:\n```\nsyncrets sync vault://vault-a/secret/ ./secrets.ejson\n```\n\nNote: syncrets will write _unencrypted_ secrets to files ending with `.json` but\nthis regular JSON format is included primarily for testing/debugging purposes and\nshouldn't be used for anything that is sensitive if the underlying filesystem isn't\ntrustworthy.\n\n## syncrets commands\n### auth\nThe `auth` command allows you to confirm that the authentication method being\nused for a vault server is valid. 
If the authentication is invalid, the\nsyncrets `auth` command may prompt the user to reauthenticate using the\nauthentication method configured for the server.\n\n### list\nTo recursively list the secrets (just the keys, no values) of a vault server\nrunning on localhost you can use the `list` command:\n```\nsyncrets list vault://localhost:8200/secrets/\n```\n\n### sync\nTo recursively copy the secrets between two vault servers running on localhost\nyou can use the `sync` command:\n```\nsyncrets sync vault://localhost:8200/secrets/foo/ vault://localhost:8201/secrets/bar/\n```\n\n### rm\nTo recursively remove secrets of a vault server running on localhost you can\nuse the `rm` command:\n```\nsyncrets rm vault://localhost:8200/secrets/\n```\n*CAUTION*: Use the `rm` command _carefully_, it can be a potent footgun.\n\n[VAULT]: https://www.vaultproject.io/\n[EJSON]: https://github.com/Shopify/ejson\n[XKCD-739]: https://xkcd.com/739/\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrmdrew%2Fsyncrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdrmdrew%2Fsyncrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdrmdrew%2Fsyncrets/lists"}