{"id":27135431,"url":"https://github.com/dsa0x/sicher","last_synced_at":"2025-04-08T01:41:03.686Z","repository":{"id":45068004,"uuid":"424354692","full_name":"dsa0x/sicher","owner":"dsa0x","description":"Sicher is a go module that allows secure storage of encrypted credentials in a version control system.","archived":false,"fork":false,"pushed_at":"2023-08-03T20:11:09.000Z","size":7844,"stargazers_count":31,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-06-19T10:14:45.065Z","etag":null,"topics":["aes-encryption","env","environment-variables","go","secret-keys","secrets-management"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dsa0x.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-03T19:29:19.000Z","updated_at":"2023-03-26T11:49:31.000Z","dependencies_parsed_at":"2024-06-19T09:59:54.562Z","dependency_job_id":"350f060c-efb3-4a00-b433-6f4c5fbe9f9d","html_url":"https://github.com/dsa0x/sicher","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsa0x%2Fsicher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsa0x%2Fsicher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsa0x%2Fsicher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsa0x%2Fsicher/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/dsa0x","download_url":"https://codeload.github.com/dsa0x/sicher/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247761051,"owners_count":20991533,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes-encryption","env","environment-variables","go","secret-keys","secrets-management"],"created_at":"2025-04-08T01:41:03.172Z","updated_at":"2025-04-08T01:41:03.684Z","avatar_url":"https://github.com/dsa0x.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sicher\n\nSicher is a Go implementation of the secret management system that was introduced in Ruby on Rails 6.\n\nSicher is a Go package that allows the secure storage of encrypted credentials in a version control system. The credentials can only be decrypted with a key file, and this key file is not added to source control. The file is edited in a temp file on a local system and destroyed after each edit.\n\nUsing sicher in a project creates a set of files:\n\n- `environment.enc`\n  - This is an encrypted file that stores the credentials. Since it is encrypted, it is safe to store these credentials in source control.\n  - It is encrypted using the [AES encryption](https://pkg.go.dev/crypto/aes) system.\n- `environment.key`\n  - This is the master key used to decrypt the credentials. 
This must not be committed to source control.\n\n## Installation\n\nTo use sicher in your project, you need to install the go module as a library and also as a CLI tool.\n\nInstalling the library:\n\n```shell\ngo get github.com/dsa0x/sicher\n```\n\nInstalling the command line interface:\n\n```shell\ngo install github.com/dsa0x/sicher/cmd/sicher\n```\n\n## Usage\n\n**_To initialize a new sicher project_**\n\n```shell\nsicher init\n```\n\n**_Optional flags:_**\n\n| flag       | description                                                           | default | options        |\n| ---------- | --------------------------------------------------------------------- | ------- | -------------- |\n| -env       | set the environment name                                              | dev     |                |\n| -path      | set the path to the credentials file                                  | .       |                |\n| -style     | set the style of the decrypted credentials file                       | dotenv  | dotenv or yaml |\n| -gitignore | path to the gitignore file. the key file will be added here, if given |         |                |\n\nThis will create a key file `{environment}.key` and an encrypted credentials file `{environment}.enc` in the current directory. The environment name is optional and defaults to `dev`, but can be set to anything else with the `-env` flag.\n\n**_To edit the credentials:_**\n\n```shell\nsicher edit\n```\n\nOR\n\nto use the key from an environment variable:\n\n```shell\nenv SICHER_MASTER_KEY='{YOUR_KEY_HERE}' sicher edit\n```\n\n**_Optional flags:_**\n\n| flag    | description                                     | default | options        |\n| ------- | ----------------------------------------------- | ------- | -------------- |\n| -env    | set the environment name                        | dev     |                |\n| -path   | set the path to the credentials file            | .       
|                |\n| -editor | set the editor to use                           | vim     |                |\n| -style  | set the style of the decrypted credentials file | dotenv  | dotenv or yaml |\n\nThis will create a temporary file, decrypt the credentials into it, and open it in your editor. The editor defaults to `vim`, but can also be set to other editors with the `-editor` flag. The temporary file is destroyed after each save, and the encrypted credentials file is updated with the new content.\n\nKnown good editors are:\n\n- code\n- emacs\n- gvim\n- mvim\n- nano\n- nvim\n- subl\n- vi\n- vim\n- vimr\n\nGraphical editors require a flag to instruct the CLI to wait for the editor to exit. Additional graphical editors can be supported by adding the binary name and flag to the `waitFlagMap` in `sicher.go`. Most CLI editors should work out of the box, but your mileage may vary.\n\nThen in your app, you can use the `sicher` library to load the credentials:\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/dsa0x/sicher/sicher\"\n)\n\ntype Config struct {\n\tPort        string `required:\"true\" env:\"PORT\"`\n\tMongoDbURI  string `required:\"true\" env:\"MONGO_DB_URI\"`\n\tMongoDbName string `required:\"true\" env:\"MONGO_DB_NAME\"`\n\tAppUrl      string `required:\"false\" env:\"APP_URL\"`\n}\n\nfunc main() {\n\tvar config Config\n\n\ts := sicher.New(\"dev\", \".\")\n\ts.SetEnvStyle(\"yaml\") // default is dotenv\n\terr := s.LoadEnv(\"\", \u0026config)\n\tif err != nil {\n\t\tfmt.Println(err)\n\t\treturn\n\t}\n}\n```\n\nThe `LoadEnv` function will load the credentials from the encrypted file `{environment}.enc`, decrypt it with the key file `{environment}.key` or the environment variable `SICHER_MASTER_KEY`, and then unmarshal the result into the given config object. 
The example above uses a `struct`, but the object can be of type `struct` or `map[string]string`.\n\n**_LoadEnv Parameters:_**\n\n| name   | description                             | type          |\n| ------ | --------------------------------------- | ------------- |\n| prefix | the prefix of the environment variables | string        |\n| config | the config object                       | struct or map |\n\nThe key can also be loaded from the environment variable `SICHER_MASTER_KEY`. In production, storing the key in the environment variable is recommended.\n\nAll env files should follow the format of the examples below:\n\nFor `dotenv`:\n\n```\nPORT=8080\nMONGO_DB_URI=mongodb://localhost:27017\nMONGO_DB_NAME=sicher\nAPP_URL=http://localhost:8080\n```\n\nFor `yaml`:\n\n```\nPORT:8080\nMONGO_DB_URI:mongodb://localhost:27017\nMONGO_DB_NAME:sicher\nAPP_URL:http://localhost:8080\n```\n\nIf the object is a struct, the `env` tag must be attached to each variable. The `required` tag is optional, but if set to `true`, it will be used to check if the field is set. 
If the field is not set, an error will be returned.\nAn example of what the struct looks like:\n\n```go\ntype Config struct {\n\tPort        string `required:\"true\" env:\"PORT\"`\n\tMongoDbURI  string `required:\"true\" env:\"MONGO_DB_URI\"`\n\tMongoDbName string `required:\"true\" env:\"MONGO_DB_NAME\"`\n\tAppUrl      string `required:\"false\" env:\"APP_URL\"`\n}\n```\n\nIf the object is a map, the keys are the environment variable names and the values are their values.\n\n### Note\n\n- Not tested with Windows.\n\n### Todo or not todo\n\n- Add a `-force` flag to `sicher init` to overwrite the encrypted file if it already exists\n- Enable support for nested yaml env files\n- Add support for other types of encryption\n- Test on Windows\n\n### License\n\nMIT License\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsa0x%2Fsicher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdsa0x%2Fsicher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsa0x%2Fsicher/lists"}