{"id":42775078,"url":"https://github.com/easybill/vault","last_synced_at":"2026-01-29T22:05:31.390Z","repository":{"id":49760085,"uuid":"167941935","full_name":"easybill/vault","owner":"easybill","description":"share secrets with your team using git","archived":false,"fork":false,"pushed_at":"2025-08-05T11:46:28.000Z","size":235,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-08-05T13:30:57.420Z","etag":null,"topics":["git","openssl","secrets"],"latest_commit_sha":null,"homepage":"https://www.easybill.de","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/easybill.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-01-28T10:18:21.000Z","updated_at":"2025-08-05T11:46:31.000Z","dependencies_parsed_at":"2023-01-29T14:45:47.799Z","dependency_job_id":"38a3ef86-b2ee-45c9-b9da-fa645d9d8c16","html_url":"https://github.com/easybill/vault","commit_stats":null,"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/easybill/vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/easybill%2Fvault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/easybill%2Fvault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/easybill%2Fvault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/easybill%2Fvault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/easybill
","download_url":"https://codeload.github.com/easybill/vault/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/easybill%2Fvault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28886886,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T21:06:44.224Z","status":"ssl_error","status_checked_at":"2026-01-29T21:06:42.160Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","openssl","secrets"],"created_at":"2026-01-29T22:05:30.786Z","updated_at":"2026-01-29T22:05:31.383Z","avatar_url":"https://github.com/easybill.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault\n\nSmart and easy way to share secrets in repositories.\n\n## Install with [cargo](https://doc.rust-lang.org/stable/cargo/getting-started/installation.html)\n\n```sh\ncargo install --git https://github.com/easybill/vault.git\n```\n\n## Download\n\nYou can download the latest binaries from the [releases page](https://github.com/easybill/vault/releases) or use these\npermalinks for the latest version:\n\n- [vault_linux_latest_x86_64](https://github.com/easybill/vault/releases/latest/download/vault_ubuntu-latest_x86_64)\n- [vault_linux_latest_aarch64](https://github.com/easybill/vault/releases/latest/download/vault_ubuntu-latest_aarch64)\n- 
[vault_mac_latest_aarch64](https://github.com/easybill/vault/releases/latest/download/vault_mac_aarch64)\n- [vault_mac_x86_64](https://github.com/easybill/vault/releases/latest/download/vault_mac_x86_64)\n\n## Quickstart\n\n### Create a new user (each user has his own key)\n\n```sh\nvault create-openssl-key [USERNAME]\n```\n\n### Create a new Secret\n\n```sh\n# To create a new secret just put the file into the Secrets folder. The file name will later become the name of the secret.\necho \"this is secret\" \u003e ./.vault/secrets/MY_NEW_SECRET\n\n# now just call vault and it will find the unencrypted secret and ask if you want to encrypt it.\nvault\n\n# do you want to add the new secret ./.vault/secrets/MY_NEW_SECRET (y/n)\n# press y and your secret is encrypted.\n\n# get the secret\nvault get MY_NEW_SECRET # prints \"this is secret\"\n```\n\n### Sharing the Secret\n\nJust add the secret in the file `./vault/keys/[USER]/config.toml` as a subscription:\n\n```toml\nsubscriptions = [\n    \"MY_NEW_SECRET\", # Glob patterns are supported, e.g. DEV*\n]\n```\n\nand now run vault:\n\n```sh\nvault\n```\n\nVault now detects that there is an open subscription to a secret that you can fulfill.\n\nTip: if you do not have access to a secret, but would like to have it, you can also create a subscription.\nSomeone who runs `vault` and has the appropriate access will be asked by vault whether they would like to share this\nsecret with you.\n\n### Parse template with encrypted placeholders\n\nVault can replace placeholders in templates (UTF-8).\n\nThe placeholders have the structure: `{vault{ KEY }vault}`.\n\n```sh\nvault template ./example_template\n# or\nvault template ./example_template 1\u003e example_template_decoded\n```\n\nVault throws an error if keys cannot be replaced.\n\n**Attention:** Vault may generate an error output if it stumbles e.g. 
over files which it cannot process.\nTherefore, always redirect only stdout (`1\u003e`) when rendering a template.\n\n### Fetching multiple secrets\n\nSometimes you need to fetch multiple secrets / templates. Vault speaks JSON.\nYou can fetch multiple secrets and templates in a single vault call.\nThe secret must be valid UTF-8 (for now); please open an issue if you need binary support.\n\n```sh\nvault get_multi '{\"secrets\": [{\"secret\": \"foo\"}], \"templates\": [{\"template\": \"{vault{ foo }vault}TEST\"}]}'\n```\n\n### Enforce vault versions using --expect_version=[VERSION_REQUIREMENT]\n\nVault is usually installed on the computers of all employees. If you have a script that calls vault underneath,\nyou may want to be able to force certain vault versions. Maybe there was a bug in vault or a feature is being used\nthat is only available in this version. You can use the semver requirement syntax.\n\nExample:\n\n```sh\nvault --expect_version='\u003e=1.2.3, \u003c1.8.0' get foo\n```\n\nIf the version requirement does not match your vault version, you'll get an error prompt and help on how to update\nvault.\n\n### Rotate your own key\n\nYou can rotate your own private key.\n\n```sh\nvault rotate\n```\n\n### Overriding the Private Key Directory\n\nBy default, vault will look up `~/.vault/private_keys` and `~/.vault/private_keys`.\nYou can override the directory using the environment variable `VAULT_PRIVATE_KEY_PATH`:\n\n```sh\nVAULT_PRIVATE_KEY_PATH=[PATH] vault get foo\n```\n\n### How it works?\n\nVault makes it possible to share encrypted information, for example in a git repository in a team.\nVault behaves like a key-value store: the values are encrypted, the keys are not.\nAccess rights can be defined in a fine-grained way. Anyone who has access to a value can share this access.\n\nVault is based on OpenSSL keys - please do not confuse them with OpenSSH keys. 
There are differences here :).\nThe Vault public key of each user (or for example of a user representing a web server) is stored in the `.vault`\ndirectory.\nBecause the public key of each user is known, each user has the possibility to store secrets.\nFor each user who should have access to a key, it is encrypted once using his vault public key.\n\nTo encrypt a file/string put it in `./.vault/secrets/[KEY]` and run `vault`.\nVault notices this and offers to encrypt the corresponding file. If you confirm this, the file will be replaced by a\nfolder with the same name.\n`./.vault/secrets/[KEY]` becomes `./.vault/secrets/[KEY]/[USER].crypt`. For each user who has access to a key, such a\nfile is created.\n\nWith `vault get [KEY]` the content can be decrypted and output.\n\nNow the key is encrypted, but you only have access to it yourself. To give another user access to the key, you create a\nsubscription. This sounds complicated, but it is quite simple. Simply add a subscription entry for the key in\n`./vault/keys/[USER]/config.toml` for the user.\nThen run `./vault`; you will be informed that there is an open subscription, which you can fulfill yourself.\nIf you confirm this with \"y\" the key will be encrypted for the user using his public key and stored as usual under\n`./.vault/secrets/[KEY]/[USER].crypt`.\nThe user now has the possibility to query the key and to fulfill subscriptions to this key himself if required.\n\nIt is important to understand that everyone has the possibility to modify subscriptions and thus can see who has access\nto which data.\nAnyone who has access to an encrypted entry can share it. 
This allows, for example, flows like the following:\n\"Person A\" wants \"Webserver\" to have access to the key \"production_mysql_pass\", but has no access himself.\n\"Person A\" now has the ability to add a subscription (`./vault/keys/webserver/config.toml`) and push it using git.\n\"Person A\" can now ask \"Person B\", who has access to the corresponding key, to run `vault` and answer with a simple \"y\"\nthe question of whether \"webserver\" is allowed to get access to the corresponding key.\nNote that \"Person A\" never had access to the key, but can follow the process by which the web server gets it.\n\n### Cryptography\n\nStructure of a Vault (.crypt) file (version 1):\n\n```\n +------------------------+\n |    HEADER              |\n |                        |\n +------------------------+\n |    KEY                 |\n |    8096 bit RSA        |\n +------------------------+\n |                        |\n |    CONTENT             |\n |    AES 256 CBC         |\n |                        |\n |                        |\n +------------------------+\n\n```\n\nVault encrypts the actual content (CONTENT) symmetrically via aes_256_cbc (+iv).\nThe key (KEY) to decrypt the content is chosen randomly and is encrypted asymmetrically via RSA (private/public key).\nTLS uses a similar concept -\u003e TLS Key Exchange.\n\nIn theory, this allows files of any size to be encrypted.\nCurrently the size is limited; this can be relaxed later if necessary.\n\n# PGP / GPG + Smart Cards\n\nVault supports PGP-encrypted private keys.\nIf vault comes across such a private key, which has .pgp as its file extension, vault tries to decrypt it using:\n\n```sh\ngpg --decrypt ./.vault/private_keys/[username].pem.pgp\n```\n\nAuthentication with a yubikey could then take place here, for example. The secrets themselves are not encrypted via gpg,\nbut the private key for decrypting the secrets can be protected in this way. Ideally with a smartcard / yubikey / ... 
.\n\nExample:\n\n```sh\n# without pgp:\n./.vault/private_keys/[username].pem\n\n# with pgp:\n./.vault/private_keys/[username].pem.pgp\n\n# list your keys:\ngpg --list-keys\n\ngpg --trust-model always --encrypt --recipient \"[YOUR_KEY]\" -o ./.vault/private_keys/[USERNAME].pem.pgp ./.vault/private_keys/[USERNAME].pem\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feasybill%2Fvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feasybill%2Fvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feasybill%2Fvault/lists"}