{"id":36420723,"url":"https://github.com/eonian-technologies/secrets-locker","last_synced_at":"2026-01-11T17:33:58.070Z","repository":{"id":57719080,"uuid":"106867068","full_name":"eonian-technologies/secrets-locker","owner":"eonian-technologies","description":"The Eonian Secrets Locker provides in-app decryption of encrypted secrets at runtime. Encrypted secrets can be on the class path, the file system, or in AWS S3. Secrets are decrypted into Java Strings or Properties. Their plaintext is not written to disk. The library provides interfaces which can be implemented by different encryption providers.","archived":false,"fork":false,"pushed_at":"2018-04-22T23:14:00.000Z","size":54,"stargazers_count":4,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-13T08:25:05.184Z","etag":null,"topics":["aws","aws-encryption-sdk","aws-kms","decrypt-secrets","decryption","encrypt-secrets","encryption","envelope-encryption","secret-management","secrets","secrets-locker"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eonian-technologies.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-13T19:48:04.000Z","updated_at":"2024-01-13T23:57:21.000Z","dependencies_parsed_at":"2022-08-27T16:26:39.042Z","dependency_job_id":null,"html_url":"https://github.com/eonian-technologies/secrets-locker","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/eonian-technologies/secrets-locker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eonian-technologies%2Fsecrets-locker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eonian-technologies%2Fsecrets-locker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eonian-technologies%2Fsecrets-locker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eonian-technologies%2Fsecrets-locker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eonian-technologies","download_url":"https://codeload.github.com/eonian-technologies/secrets-locker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eonian-technologies%2Fsecrets-locker/sbom","scorecard":{"id":378682,"data":{"date":"2025-08-11","repo":{"name":"github.com/eonian-technologies/secrets-locker","commit":"0747b82de31bbf34ff0642649c76d97e638f9282"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.7,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Code-Review","score":0,"reason":"Found 0/20 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"63 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-6v67-2wr5-gvf4","Warn: Project is vulnerable to: GHSA-pr98-23f8-jwxv","Warn: Project is vulnerable to: GHSA-55xh-53m6-936r","Warn: Project is vulnerable to: GHSA-gvc7-gjrw-hj65","Warn: Project is vulnerable to: GHSA-wqgp-vphw-hphf","Warn: Project is vulnerable to: GHSA-c28r-hw5m-5gv3","Warn: Project is vulnerable to: GHSA-h46c-h94j-95f3","Warn: Project is vulnerable to: GHSA-wf8f-6423-gfxg","Warn: Project is vulnerable to: GHSA-288c-cq4h-88gq","Warn: Project is vulnerable to: GHSA-4gq5-ch57-c2mg","Warn: Project is vulnerable to: GHSA-4w82-r329-3q67","Warn: Project is vulnerable to: GHSA-57j2-w4cx-62h2","Warn: Project is vulnerable to: GHSA-5949-rw7g-wx7w","Warn: Project is vulnerable to: GHSA-5r5r-6hpj-8gg9","Warn: Project is vulnerable to: GHSA-5ww9-j83m-q7qx","Warn: Project is vulnerable to: GHSA-645p-88qh-w398","Warn: Project is vulnerable to: GHSA-6fpp-rgj9-8rwc","Warn: Project is vulnerable to: GHSA-85cw-hj65-qqv9","Warn: Project is vulnerable to: GHSA-89qr-369f-5m5x","Warn: Project is vulnerable to: GHSA-8c4j-34r4-xr8g","Warn: Project is vulnerable to: GHSA-8w26-6f25-cm9x","Warn: Project is vulnerable to: GHSA-9gph-22xh-8x98","Warn: Project is vulnerable to: GHSA-9m6f-7xcq-8vf8","Warn: Project is vulnerable to: GHSA-c8hm-7hpq-7jhg","Warn: Project is vulnerable to: GHSA-cf6r-3wgc-h863","Warn: Project is vulnerable to: GHSA-cggj-fvv3-cqwv","Warn: Project is vulnerable to: GHSA-cjjf-94ff-43w7","Warn: Project is vulnerable to: GHSA-cmfg-87vq-g5g4","Warn: Project is vulnerable to: GHSA-cvm9-fjm9-3572","Warn: Project is vulnerable to: GHSA-f3j5-rmmp-3fc5","Warn: Project is vulnerable to: GHSA-f9xh-2qgp-cq57","Warn: Project is vulnerable to: GHSA-fmmc-742q-jg75","Warn: Project is vulnerable to: GHSA-fqwf-pjwf-7vqv","Warn: Project is vulnerable to: GHSA-gjmw-vf9h-g25v","Warn: Project is vulnerable to: GHSA-gwp4-hfv6-p7hw","Warn: Project is vulnerable to: GHSA-gww7-p5w4-wrfv","Warn: Project is vulnerable to: GHSA-h3cw-g4mq-c5x2","Warn: Project is vulnerable to: GHSA-h592-38cm-4ggp","Warn: Project is vulnerable to: GHSA-h822-r4r5-v8jg","Warn: Project is vulnerable to: GHSA-jjjh-jjxp-wpff","Warn: Project is vulnerable to: GHSA-m6x4-97wx-4q27","Warn: Project is vulnerable to: GHSA-mph4-vhrx-mv67","Warn: Project is vulnerable to: GHSA-mx7p-6679-8g3q","Warn: Project is vulnerable to: GHSA-p43x-xfjf-5jhr","Warn: Project is vulnerable to: GHSA-q93h-jc49-78gg","Warn: Project is vulnerable to: GHSA-qjw2-hr98-qgfh","Warn: Project is vulnerable to: GHSA-qr7j-h6gg-jmgc","Warn: Project is vulnerable to: GHSA-r3gr-cxrf-hg25","Warn: Project is vulnerable to: GHSA-r695-7vr9-jgc2","Warn: Project is vulnerable to: GHSA-rfx6-vp9g-rh7v","Warn: Project is vulnerable to: GHSA-rgv9-q543-rqg4","Warn: Project is vulnerable to: GHSA-rpr3-cw39-3pxh","Warn: Project is vulnerable to: GHSA-v585-23hc-c647","Warn: Project is vulnerable to: GHSA-vfqx-33qm-g869","Warn: Project is vulnerable to: GHSA-w3f4-3q6j-rh82","Warn: Project is vulnerable to: GHSA-wh8g-3j2c-rqj5","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-7r82-7xv7-xcpj","Warn: Project is vulnerable to: GHSA-6xx3-rg99-gc3p","Warn: Project is vulnerable to: GHSA-72m5-fvvv-55m6","Warn: Project is vulnerable to: GHSA-hr8g-6v94-x4m9","Warn: Project is vulnerable to: GHSA-wjxj-5m7g-mg7q","Warn: Project is vulnerable to: GHSA-264p-99wq-f4j6"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T14:52:19.907Z","repository_id":57719080,"created_at":"2025-08-18T14:52:19.907Z","updated_at":"2025-08-18T14:52:19.907Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28315879,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T14:58:17.114Z","status":"ssl_error","status_checked_at":"2026-01-11T14:55:53.580Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-encryption-sdk","aws-kms","decrypt-secrets","decryption","encrypt-secrets","encryption","envelope-encryption","secret-management","secrets","secrets-locker"],"created_at":"2026-01-11T17:33:57.429Z","updated_at":"2026-01-11T17:33:58.055Z","avatar_url":"https://github.com/eonian-technologies.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Eonian Secrets Locker\nThe Eonian Secrets Locker provides in-app decryption of encrypted secrets at runtime. Encrypted secrets can be on the class path, the file system, or in AWS S3. Secrets are decrypted into Java Strings or Properties. Their plaintext is not written to disk. The library provides interfaces which can be implemented by different encryption providers. \n\n**Currently the only implemented provider is AWS KMS via the AWS Encryption SDK.**\n\n\n### Maven Dependency\n```\n\u003cdependency\u003e\n    \u003cgroupId\u003ecom.eoniantech\u003c/groupId\u003e\n    \u003cartifactId\u003esecrets-locker\u003c/artifactId\u003e\n    \u003cversion\u003e1.2\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n### Using The AWS KMS Provider\n[The AWS Encryption SDK](https://github.com/awslabs/aws-encryption-sdk-java) provides a framework and [message format]( http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html) for envelope encryption. Envelope encryption is used to encrypt a file using a KMS data key. That data key is then encrypted with regional KMS Customer Master Keys. Each regionally encrypted data key is then stored in the encrypted message. When decrypting, the appropriate regional CMK is used to decrypt the data key, and the data key is then used to decrypt the file. In other words, encrypt once - decrypt from anywhere.\n\n#### Encrypting Secrets\nThe [mrcrypt](https://github.com/aol/mrcrypt) command-line tool encrypts secrets which conform to the AWS Encryption SDK's message format. In the following example, KMS CMKs with the alias `mykey` exist in `us-east-1`, `us-west-2` and `eu-west-1` - and the file called `secret.txt` contains the plaintext that needs to be encrypted. When executing this command, AWS credentials with permission to encrypt using each of the KMS CMKs must be found in the AWS credentials chain (environment variables, user home directory, instance profile, etc).\n```\n$ mrcrypt encrypt -r us-east-1 us-west-2 eu-west-1 -- alias/mykey secret.txt\n```\nBecause `mrcrypt` follows the AWS Encryption SDK's message format, the resulting file called `secret.txt.encrypted` can be decrypted by the Eonian Secrets Locker from each of the regions specified. When decrypting, AWS credentials with permission to decrypt using the regional CMK must be found in the credentials chain.\n\n#### Decrypting Secrets\nThere are several types of in-app lockers. Choose the Secrets Locker that best fits your use case.\n\n**Class Path Secrets Locker**\u003c/br\u003e\nEncrypted secrets must exist on the class path. Existence checks are made when secrets are added.\n```\n// Create the locker.\nSecretsLocker secretsLocker = new ClassPathSecretsLocker();\n  \n// Add encrypted secrets.\nsecretsLocker.add(\"SecretText\", \"secret.txt.encrypted\");\nsecretsLocker.add(\"SecretProperties\", \"secret.properties.encrypted\");\n\n// Decrypt secrets into Java objects.\nString secretText = secretsLocker.get(\"SecretText\");\nProperties secretProperties = secretsLocker.getAsProperties(\"SecretProperties\");\n\n```\n\n**File System Secrets Locker**\u003c/br\u003e\nEncrypted secrets must exist in the specified directory. Existence checks are made when secrets are added.\n```\n// Create the locker.\nSecretsLocker secretsLocker = new FileSystemSecretsLocker(“/var/secrets/myapp\");\n  \n// Add encrypted secrets.\nsecretsLocker.add(\"SecretText\", \"secret.txt.encrypted\");\nsecretsLocker.add(\"SecretProperties\", \"secret.properties.encrypted\");\n\n// Decrypt secrets into Java objects.\nString secretText = secretsLocker.get(\"SecretText\");\nProperties secretProperties = secretsLocker.getAsProperties(\"SecretProperties\");\n```\n\n**S3 Secrets Locker**\u003c/br\u003e\nEncrypted secrets must exist in the specified S3 bucket at the specified path. When the locker is created, an AWS call is made to check the existence of the bucket. Existence checks are NOT made when secrets are added to the locker.\n```\n// Create the locker.\nSecretsLocker secretsLocker = new S3SecretsLocker(\"MyBucket\",\"path/to/secrets\");\n  \n// Add encrypted secrets.\nsecretsLocker.add(\"SecretText\", \"secret.txt.encrypted\");\nsecretsLocker.add(\"SecretProperties\", \"secret.properties.encrypted\");\n\n// Decrypt secrets into Java objects.\nString secretText = secretsLocker.get(\"SecretText\");\nProperties secretProperties = secretsLocker.getAsProperties(\"SecretProperties\");\n```\nWhen the `get` method is called, the encrypted secret is downloaded from S3 and written to the local locker.\n\n### Spring Integration\nYou can use the Secrets Locker in your Spring Java Configuration to load secret properties into your `PropertySourcesPlaceholderConfigurer`. The following example loads secret properties from AWS S3, based on the environment the application is launched in. E.g., dev, stage, prod, etc.\n\n```\n@Configuration\npublic class MySpringConfigurationClass {\n\n    @Bean\n    public static SecretsLocker secretsLocker(\n            Environment environment) {\n            \n        // Create the locker.\n        SecretsLocker secretsLocker \n                = new S3SecretsLocker(\n                        \"MyBucket\",\n                        \"path/to/secrets\");\n                \n        // Get the current environment.\n        String env\n                = environment\n                        .getRequiredProperty(\n                                \"com.myco.env\");\n                                \n        // Build the secret's filename.\n        String secretPropertiesFilename\n                = new StringBuilder()\n                        .append(\"secret-\")\n                        .append(env)\n                        .append(\".properties.encrypted\")\n                        .toString();\n                        \n        // Add the file to the locker.\n        secretsLocker.add(\n                \"SecretProperties\", \n                secretPropertiesFilename);\n                \n        return secretsLocker;\n    }\n\n    @Bean\n    public static PropertySourcesPlaceholderConfigurer pspc(\n            SecretsLocker secretsLocker) {\n\n        PropertySourcesPlaceholderConfigurer pspc\n                = new PropertySourcesPlaceholderConfigurer();\n        \n        pspc.setProperties(\n                secretsLocker\n                        .getAsProperties(\n                                \"secretProperties\"));\n\n        pspc.setLocalOverride(true);\n\n        return pspc;\n    }\n}\n```\n\n### Best Practices\n* Do not call `get` on the same secret multiple times. Each call will result in decryption. Instead, call `get` once and keep a reference to the object.\n\n### Snapshots Repository\n```\n\u003crepository\u003e\n    \u003cid\u003eoss-snapshots-repo\u003c/id\u003e\n    \u003curl\u003ehttps://oss.sonatype.org/content/repositories/snapshots\u003c/url\u003e\n    \u003creleases\u003e\u003cenabled\u003efalse\u003c/enabled\u003e\u003c/releases\u003e\n    \u003csnapshots\u003e\u003cenabled\u003etrue\u003c/enabled\u003e\u003c/snapshots\u003e\n\u003c/repository\u003e\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feonian-technologies%2Fsecrets-locker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feonian-technologies%2Fsecrets-locker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feonian-technologies%2Fsecrets-locker/lists"}