{"id":18338610,"url":"https://github.com/mqnfred/hips","last_synced_at":"2025-10-28T16:44:20.991Z","repository":{"id":47200116,"uuid":"236611920","full_name":"mqnfred/hips","owner":"mqnfred","description":"Manage secrets alongside your code","archived":false,"fork":false,"pushed_at":"2022-12-10T08:43:49.000Z","size":90,"stargazers_count":18,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-28T22:13:45.626Z","etag":null,"topics":["encryption","rust","secret-managers","secrets"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mqnfred.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-27T22:43:28.000Z","updated_at":"2022-12-09T16:06:52.000Z","dependencies_parsed_at":"2023-01-26T00:00:30.785Z","dependency_job_id":null,"html_url":"https://github.com/mqnfred/hips","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mqnfred%2Fhips","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mqnfred%2Fhips/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mqnfred%2Fhips/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mqnfred%2Fhips/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mqnfred","download_url":"https://codeload.github.com/mqnfred/hips/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247440346,"owners_count":20939221,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","rust","secret-managers","secrets"],"created_at":"2024-11-05T20:14:43.238Z","updated_at":"2025-10-28T16:44:20.878Z","avatar_url":"https://github.com/mqnfred.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hide in plain sight\n\n[![crates.io](https://img.shields.io/crates/v/hips)](https://crates.io/crates/hips)\n\n`hips` is a small, self-contained utility that enables users to store their\nsecrets encrypted alongside their code. It can be used as a binary or a\n[library][7] depending on your needs. What are you interested in knowing?\n\n 1. [Why do this?](#philosophy)\n 2. [Let's try it out](#install)\n 3. [Tutorial](#tutorial)\n 4. [Is this even safe](#safety)\n\n## Philosophy\n\n`me+code=secrets`\n\nFor all the small shops out there, the low profile targets with a limited\namount of individual developers involved, we suggest tracking your secrets\nalongside your code, in a file or folder database.\n\nThis will reduce sources of truth in your distributed system by 1 and help with\n\"infrastructure as code\" by making access to the secrets a local affair. You\nwill not have to depend on any kind of remote infrastructure for your secrets.\n\nThis solution will not work well for you if you:\n\n - Have many developers (master-password strategy does not scale well)\n - High scale/complexity infra (a need for secrets as a service)\n - High profile shops (compliance reasons, need insurances)\n \nIn this database, you could store your AWS credentials or the ssh key you use\nto connect to your production. You could store secrets needed by your serving\nlayer to authenticate with your database and push those using a tool like\nansible or ssh.\n\n## Install\n\nYou will need [cargo][1] to install `hips`. Once you have it, do the following:\n\n```sh\nexport PATH=$PATH:$HOME/.cargo/bin\ncargo install hips\nhips --help\n```\n\n## Tutorial\n\nIn this tutorial you will learn about all the different commands and database\nformats that `hips` supports.\n\n### Database and password configuration\n\nWe use environment variables to pass the database and password to `hips`:\n\n```\n$ export HIPS_DATABASE=secrets.yaml\n$ export HIPS_PASSWORD=pw\n```\n\n### Store, Load, List, Remove, Rename\n\n`store` takes a name and a secret and stores them in the database.\n\n```\n$ hips store aws_access_key_id BUIO1IXUAK3OQ9ACAHSX\n$ hips store aws_secret_access_key UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh\n$ cat secrets.yaml\n---\n- name: aws_access_key_id\n  secret: c58C04qkTDQhg86piVlmg7EXcz66i3C3GSdHjmZW5v2Pa6Froo69gbuDNSICXh4w\n  salt: OH3/mX3e/3ODwSLBYzFiK92PztSgLLmIf5S8mqenwXo=\n- name: aws_secret_access_key\n  secret: asrhBl8bMTPGj8Cua6LzyseRBLmhmNrivaCjW53NcNRUyKSYOkoLdq9PHSPHKdgosO6/acOn3hv+vnkciwLj0tio0ac=\n  salt: 4GP2GtoRhaf6NKtanBm9aLjUefuNH+otFDFfHF1Utns=%\n```\n\n`load` takes a name and prints out the matching secret.\n\n```\n$ hips load aws_access_key_id\nBUIO1IXUAK3OQ9ACAHSX\n$ hips load aws_secret_access_key\nUwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh\n```\n\n`list` prints the names of the secrets stored in the db sorted alphabetically.\n\n```\n$ hips ls\naws_access_key_id\naws_secret_access_key\n```\n\n`remove` (`rm`) takes a name and removes that secret from the database.\n\n```\n$ hips store remove_me_soon unimportant-secret\n$ hips ls\naws_access_key_id\naws_secret_access_key\nremove_me_soon\n$ hips remove remove_me_soon\n$ hips ls\naws_access_key_id\naws_secret_access_key\n```\n\n`rename` renames a secret based on a (orig, dest) name pair\n\n```\n$ hips store move_me_please unimportant-secret\n$ hips ls\naws_access_key_id\naws_secret_access_key\nmove_me_please\n$ hips rename move_me_please thats_better\n$ hips ls\naws_access_key_id\naws_secret_access_key\nthats_better\n```\n\n### Rotate\n\nYou can `rotate` (`rot`) the secrets database in one command, re-encrypting\neverything using a different password.\n\n```\n$ cat secrets.yaml | grep secret:\n  secret: c58C04qkTDQhg86piVlmg7EXcz66i3C3GSdHjmZW5v2Pa6Froo69gbuDNSICXh4w\n  secret: asrhBl8bMTPGj8Cua6LzyseRBLmhmNrivaCjW53NcNRUyKSYOkoLdq9PHSPHKdgosO6/acOn3hv+vnkciwLj0tio0ac=\n$ hips rotate new-pw\n$ cat secrets.yaml | grep secret:\n  secret: Sb8BznQqjYr+q+lis2uVKPZ/j+qmNIMuXbjr/MElIAYkupyUCGHPbY+N/NTpTxKr\n  secret: FlWQvkzidFa8mStgoEbQXt4MobHPQFT7NFnImKIjgfNZ7xFhPGjj3kD0z3x4YNzLTjBMJykk57JooYCojhOH/GlqeEk=\n$ export HIPS_PASSWORD=new-pw\n$ hips load aws_access_key_id\nBUIO1IXUAK3OQ9ACAHSX\n```\n\nYou can see here that the encrypted secrets and salt are different from the\nprevious `secrets.yaml` database. We can now read all the secrets using the new\npassword.\n\n### Template\n\nMany times when exporting secrets to production, they need to be displayed in a\nspecific manner, as part of a configuration file and such. We use the [tiny\ntemplate][2] library for this purpose. See their neat [syntax page][3] for more\ninformation. We will cover our templating capabilities in the following two\nexamples.\n\n#### AWS credentials file\n\nLet's generate the `.aws/credentials`, where amazon secrets are conventionally\nstored. We'll use the \"map\" feature of the templating framework, which allows\nus to print out specific secrets by name.\n\n```\n$ hips template '[default]\\naws_access_key_id={map.aws_access_key_id}\\naws_secret_access_key={map.aws_secret_access_key}'\n[default]\naws_access_key_id=BUIO1IXUAK3OQ9ACAHSX\naws_secret_access_key=UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh\n```\n\n#### Shell script loading all secrets\n\nThis time, since our template is a bit more complex, we'll store it in a file:\n\n```\n$ cat shell-template\n#!/bin/sh\n{{ for secret in list -}}\n{{- if not @first }}\\n{{ endif -}}\nexport {secret.name|capitalize}={secret.secret};\n{{- endfor -}}\n```\n\nYou can find more information about this syntax [here][3]. This will yield the\nfollowing shell script:\n\n```\n$ hips template shell-template\n#!/bin/sh\nexport AWS_ACCESS_KEY_ID=BUIO1IXUAK3OQ9ACAHSX;\nexport AWS_SECRET_ACCESS_KEY=UwioixhaklufhhWbaXoSLwbxb2dj7/AJs92bdsXh;\n```\n\n### Database formats\n\nUp until now, we have been using a yaml file as database. We support multiple\nformats however:\n\n - As a directory hierarchy (no extension)\n - As a single yaml file (`.yaml` extension)\n\nIf we were to repeat the experiment above with a directory hierarchy under\n`secrets/`, our database would look like this:\n\n```\n$ tree secrets/\nsecrets\n├── aws_access_key_id/\n│   ├── salt\n│   └── secret\n└── aws_secret_access_key/\n    ├── salt\n    └── secret\n$ cat secrets/aws_access_key_id/secret\nSb8BznQqjYr+q+lis2uVKPZ/j+qmNIMuXbjr/MElIAYkupyUCGHPbY+N/NTpTxKr\n```\n\n## Safety\n\nThis project is using [ring][4]'s `pbkdf2` function to derive a proper key from\na password and its `aes256` implementation to encrypt/decrypt the secrets. In\ntheory at least, those ciphers should not be brute-forceable. You can find an\naudit of the ring library by Cure53 [here][6].\n\nWith this being said, it is still important to protect the encrypted version of\nour secrets from being public. If you store your secrets alongside your code,\nthat responsibility then befalls your code provider (github for example.)\n\nUltimately, consider the following three characteristics:\n\n - Your profile (low-profile target, high-profile?)\n - Your threat-model (who do you accept to trust?)\n - Your compliance requirements (do you have [PII][5] data?)\n\nYou need to consider all those questions (and more) before deciding on a\nsolution for your secrets management. It is advised that you consult with a\nsecurity engineer as well.\n\n[1]: https://crates.io\n[2]: https://crates.io/crates/tinytemplate\n[3]: https://docs.rs/tinytemplate/1.0.4/tinytemplate/syntax/index.html\n[4]: https://github.com/briansmith/ring\n[5]: https://en.wikipedia.org/wiki/Personal_data\n[6]: https://github.com/ctz/rustls/blob/master/audit/TLS-01-report.pdf\n[7]: https://docs.rs/hips\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmqnfred%2Fhips","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmqnfred%2Fhips","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmqnfred%2Fhips/lists"}