{"id":13472038,"url":"https://github.com/pinterest/knox","last_synced_at":"2025-05-14T12:12:28.444Z","repository":{"id":8388882,"uuid":"53691088","full_name":"pinterest/knox","owner":"pinterest","description":"Knox is a secret management service","archived":false,"fork":false,"pushed_at":"2025-05-06T23:37:26.000Z","size":1259,"stargazers_count":1245,"open_issues_count":7,"forks_count":105,"subscribers_count":43,"default_branch":"master","last_synced_at":"2025-05-07T00:31:12.109Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pinterest.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-03-11T19:19:28.000Z","updated_at":"2025-05-06T23:37:31.000Z","dependencies_parsed_at":"2024-06-18T15:15:26.258Z","dependency_job_id":"d356a874-5433-43f7-b45c-a93934066530","html_url":"https://github.com/pinterest/knox","commit_stats":{"total_commits":134,"total_committers":34,"mean_commits":"3.9411764705882355","dds":0.8656716417910448,"last_synced_commit":"9635b3398e5b53b0641a7929936626bd1caf9e24"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pinterest%2Fknox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pinterest%2Fknox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pinterest%2Fknox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pinterest%2Fk
nox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pinterest","download_url":"https://codeload.github.com/pinterest/knox/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254140768,"owners_count":22021220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T16:00:51.339Z","updated_at":"2025-05-14T12:12:23.429Z","avatar_url":"https://github.com/pinterest.png","language":"Go","readme":"# Knox -- the high level overview\nKnox is a service for storing and rotating secrets, keys, and passwords used by other services.\n\n## The Problem Knox is Meant to Solve\nPinterest has a plethora of keys or secrets doing things like signing cookies, encrypting data, protecting our network via TLS, accessing our AWS machines, communicating with our third parties, and many more. If these keys become compromised, rotating (or changing) our keys used to be a difficult process generally involving a deploy and likely a code change. Keys/secrets within Pinterest were stored in git repositories. This means they were copied all over our company's infrastructure and present on many of our employees' laptops. There was no way to audit who accessed or who has access to the keys. 
Knox was built to solve these problems.\n\nThe goals of Knox are:\n- Ease of use for developers to access/use confidential secrets, keys, and credentials\n- Confidentiality for secrets, keys, and credentials\n- Provide mechanisms for key rotation in case of compromise\n- Create an audit log to keep track of what systems and users access confidential data\n\nRead more at https://github.com/pinterest/knox/wiki\n\n## Getting knox set up\nThe first step is to install Go (or use Docker, see below). We require Go \u003e= 1.6 or Go 1.5 with the vendor flag enabled (`GO15VENDOREXPERIMENT=1`). For instructions on setting up Go, please visit https://golang.org/doc/install\n\nAfter Go is set up (including a `$GOPATH` directory that will store your workspace), please run `go get -d github.com/pinterest/knox` to get the latest version of the knox code.\n\nTo compile the devserver and devclient binaries, run `go install github.com/pinterest/knox/cmd/dev_server` and `go install github.com/pinterest/knox/cmd/dev_client`. These can be executed directly; the dev_client expects the server to be running on localhost. By default, the client uses mTLS with a hardcoded signed cert given for example.com for machine authentication and has GitHub authentication enabled for users.\n\nTo start your server run:\n```sh\n$GOPATH/bin/dev_server\n```\n\nTo use this client as a user, generate a token by following the instructions at https://help.github.com/articles/creating-an-access-token-for-command-line-use/ with read:org permissions. This token will be able to get your username and the organization you belong to. 
With the dev_server running you can now create your first knox key.\n\n```sh\nexport KNOX_USER_AUTH=\u003cinsert generated github token here\u003e\necho -n \"My first knox secret\" | $GOPATH/bin/dev_client create test_service:first_secret\n```\n\nYou can retrieve the secret using:\n```sh\n$GOPATH/bin/dev_client get test_service:first_secret\n```\n\nYou can see all key IDs using:\n```sh\n$GOPATH/bin/dev_client keys\n```\n\nTo see all available commands run:\n```sh\n$GOPATH/bin/dev_client help\n```\n\nFor production usage, I recommend making your own client, renaming it `knox`, and moving it into your $PATH for ease of use.\n\nFor more information on interacting with knox, use `knox help` or go to https://github.com/pinterest/knox/wiki/Knox-Client\n\n## Knox with Docker\n\nYou can run a Docker container to get knox set up, instead of installing Go on your host.\n\n```sh\ngit clone https://github.com/pinterest/knox.git\ncd knox\ndocker run --name knox --rm -v \"$PWD\":/go/src/github.com/pinterest/knox -it golang /bin/bash\n```\n\nThis will run a bash shell in the container, mounting a local copy of knox in the go source path.\n\nYou can refer back to the section \"Getting knox set up\" to set up knox.\n","funding_links":[],"categories":["Go","Tools","Secrets management","Projects","Go (134)","Uncategorized"],"sub_categories":["Secrets Management","Identity and Access Management","Uncategorized"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpinterest%2Fknox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpinterest%2Fknox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpinterest%2Fknox/lists"}