{"id":13509903,"url":"https://github.com/prbinu/zcretshare","last_synced_at":"2026-01-29T16:02:03.668Z","repository":{"id":85077097,"uuid":"189788123","full_name":"prbinu/zcretshare","owner":"prbinu","description":"A command-line tool for sharing secret/key materials between two (or more) users using SSH keys","archived":false,"fork":false,"pushed_at":"2019-06-02T23:09:35.000Z","size":218,"stargazers_count":9,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-19T03:41:40.419Z","etag":null,"topics":["encryption","golang","gpg","key-management","pgp","port-forwarding","secret-sharing","security","security-tool","ssh","usable-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/prbinu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-06-02T00:01:31.000Z","updated_at":"2024-08-11T16:57:47.000Z","dependencies_parsed_at":null,"dependency_job_id":"7a2ba888-2c25-42e2-b35f-fe8229a6c141","html_url":"https://github.com/prbinu/zcretshare","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/prbinu/zcretshare","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prbinu%2Fzcretshare","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prbinu%2Fzcretshare/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prbinu%2Fzcretshare/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prbinu%2Fzcrets
hare/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/prbinu","download_url":"https://codeload.github.com/prbinu/zcretshare/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prbinu%2Fzcretshare/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28880845,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T10:31:27.438Z","status":"ssl_error","status_checked_at":"2026-01-29T10:31:01.017Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption","golang","gpg","key-management","pgp","port-forwarding","secret-sharing","security","security-tool","ssh","usable-security"],"created_at":"2024-08-01T02:01:16.594Z","updated_at":"2026-01-29T16:02:03.642Z","avatar_url":"https://github.com/prbinu.png","language":"Go","funding_links":[],"categories":["Go","security"],"sub_categories":[],"readme":"# zcretshare\n\nA command-line tool to share secret/key materials between two (or more) users using SSH keys\n\n`zcretshare` provides a reasonably secure mechanism to share secrets with your co-workers. As an engineer you will often have\nencountered situations where you need to share key materials (secrets, key files, license keys etc.) 
with your co-workers.\nThe common, but **insecure**, practice is to share it over an IM/chat channel or email. Sharing secrets through these \ncommunication channels exposes those secrets to the channel's servers in unencrypted form. This poses a significant security risk\nto the company. Though PGP (GPG) encryption is the recommended practice, it is not widely used because: (a) not many engineers\nhave their GPG keys handy or published, (b) poor usability - it is difficult for users to learn and use.\n\n### `zcretshare` features:\n* Establishes a secure tunnel between workstations and shares secrets over it.\n* Uses your existing SSH setup and keys; no need to create or manage other kinds of keys.\n* Usable security: intuitive to use, with simple send and receive commands.\n* Streams the secret over a secure tunnel. Unlike sharing over IM/email, secrets are not stored on third-party servers or exposed to unauthorized access.\n* Perfect Forward Secrecy (PFS). Tools such as PGP use long-lived encryption keys. Long-lived keys are subject to compromise, and a compromised key can be used to decrypt previous traffic or the encrypted files stored on email servers. As a result PGP doesn't have the `forward secrecy` property.\n\nLimitations:\n* Both sender and receiver have to be online to make this work.\n* Though `zcretshare` authenticates the server hosting the peer's public key, it cannot provide a strong guarantee about the authenticity of the peer's public key. Hence it is more suitable for trusted environments, where for instance your organization/employer can act as a trusted third party between sender and receiver (e.g. using a source repository with corporate authentication enabled to distribute public keys).\n* Not suitable for sharing files larger than 200KB (the limit may be increased later).\n\n### Scenarios\n\n1. 
If both users are on the same (reachable) network, they may exchange secrets directly as follows:\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/zcretshare.png\" width=\"50%\" height=\"80%\"\u003e\n\u003c/p\u003e\n\n2. If the receiver can reach the sender but not the other way around. For example, the receiver may be inside a firewalled network or using a non-routable/private IP, and hence not directly reachable by the sender.\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/zcretshare-rev.png\" width=\"50%\" height=\"80%\"\u003e\n\u003c/p\u003e\n\n3. If the sender cannot reach the receiver's workstation directly, he/she may use a proxy host (e.g. an AWS EC2 instance or a DC host) as follows:\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/zcretshare-proxy.png\" width=\"70%\" height=\"80%\"\u003e\n\u003c/p\u003e\n\nIn the above case, both users should have SSH access to the proxy host.\n\n4. `zcretshare` can also be used to share (push or pull) secrets between Virtual Machines (VM) and Bare-Metal (BM) hosts.\n\n### Why SSH keys?\n* Most engineers are familiar with SSH and its usage.\n* As an engineer, you will have used SSH keys to log in to remote machines or to commit code to source repositories (GitHub, GitLab etc.), which means you can reuse the same keys; there is no need to create and manage additional keys for sharing secrets.\n* No additional software is required on the proxy server. It just works with a stock OpenSSH daemon.\n\n### Why not TLS \u0026 X.509 certificates?\n* Unlike SSH keys, X.509 'user' certificates are not widely used. 
They also require integration with a PKI (or the use of self-signed certificates).\n* The burden of managing yet another rarely used set of keys.\n* For the proxy use case, you need to run a TLS proxy server, and even that requires TLS certificates.\n\n### Sharing public keys\nThe easiest way to exchange public keys between users is to use an out-of-band channel - for example, a Slack channel, email, a GitHub personal repo, etc.\n\n## Installation\n\nSupported OS:\n* MacOS\n* Linux\n* Windows\n\n### Build from source\n\n*Build prerequisites:*\n\n[GoLang](https://golang.org/dl/)\n\nSet the `GOPATH` and then try the following command:\n\n```bash\ngo get github.com/prbinu/zcretshare\n```\n\nA `Makefile` is also included. It supports build, test, release, install and uninstall options.\n\n## Usage\n\n**zcretshare receive**\n```bash\n% zcretshare receive -h\nUsage: zcretshare receive [-h] [options]\n\n  -cacert string\n    \tX.509 CA certificate bundle file; used for -receiver-pubkey HTTPS URL certificate validation. 
(default: use system CA bunde)\n  -connect string\n    \tTarget host to connect; format: host:port (not required if you use -proxy)\n  -dangerous-forever\n    \tDo not exit after processing first request, instead run for ever (not recommended)\n  -dangerous-stdout\n    \tOutput secrets to stdout (warning: your secret may get exposed; not recommended)\n  -dir string\n    \tOutput file save directory (default \"~/.zcretshare\")\n  -key string\n    \tSSH private key file to authenticate the receiver (mandatory field) (default \"~/.ssh/id_rsa\")\n  -listen string\n    \tListen on host:port; format: [host]:port (not required if you use -proxy)\n  -overwrite\n    \tOverwrites the output file if the file already exists\n  -proxy string\n    \tIntermediate SSH server to connect; format: ssh://user@host[:port]] (not required if you use -listen)\n  -proxy-host-pubkey string\n    \tProxy host public key file (default \"~/.ssh/known_hosts\")\n  -proxy-key string\n    \tSSH private key file for proxy authentication (default: use ssh-agent if configured)\n  -quiet\n    \tsupress all info messages on stdout\n  -rf-port string\n    \tProxy SSH RemoteForward port, used with -proxy option (default \"15432\")\n  -sender-pubkey string\n    \tSender\\'s SSH public key file  - local filename or an HTTPS URL\n\n  Valid options for -proxy:\n\t-key -sender-pubkey -proxy-key -proxy-host-pubkey -rf-port -overwrite -dir -dangerous-stdout -dangerous-forever -cacert -quiet\n  Valid options for -listen:\n\t-key -receiver-pubkey -overwrite -dir -dangerous-stdout -dangerous-forever -cacert -quiet\n  Valid options for -connect:\n\t-key -receiver-pubkey -overwrite -dir -dangerous-stdout -cacert -quiet\n\nExamples:\n\tzcretshare receive -listen \u003cyour-host-ip\u003e:\u003c15432\u003e -key ~/.ssh/recv_id_rsa  -sender-pubkey ~/.ssh/sender_id_rsa.pub\n\n\tzcretshare receive -proxy ssh://\u003cuser\u003e@\u003cproxy-ssh-server\u003e:\u003c22\u003e -key ~/.ssh/recv_id_rsa -sender-pubkey 
https://example.com/sender/id_rsa.pub -dir /tmp\n\n\tzcretshare receive -proxy ssh://\u003cuser\u003e@\u003cproxy-ssh-server\u003e:\u003c22\u003e -key ~/.ssh/recv_id_rsa -proxy-key ~/.ssh/id_rsa_proxy -sender-pubkey ~/.ssh/sender_id_rsa.pub -dir /tmp\n\n\tzcretshare receive -connect ssh://\u003creceiver-host\u003e:\u003c15432\u003e -key recv_id_rsa -sender-pubkey sender_id_rsa.pub -overwrite -dir /tmp\n\n```\n\n**zcretshare send**\n```bash\n% zcretshare send -h\nUsage: zcretshare send [-h] [options]\n\n  -cacert string\n    \tX.509 CA certificate bundle file; used for -receiver-pubkey HTTPS URL certificate validation. (default: use system CA bunde)\n  -connect string\n    \tTarget host to connect; format: host:port (not required if you use -proxy)\n  -dangerous-forever\n    \tSkip exiting after first request, instead run for ever (not recommended)\n  -in-file string\n    \tSecret file to share with the remote party\n  -key string\n    \tSSH private key file for authentication (default: use ssh-agent if configured)\n  -listen string\n    \tListen on host:port; format: [host]:port (not required if you use -proxy)\n  -proxy string\n    \tIntermediate SSH server to connect; format: ssh://user@host[:port] (not required if you use -connect)\n  -proxy-host-pubkey string\n    \tProxy host public key file (default \"~/.ssh/known_hosts\")\n  -proxy-key string\n    \tSSH private key file for proxy authentication (default: use ssh-agent if configured)\n  -quiet\n    \tSupress all info messages on stdout\n  -receiver-pubkey string\n    \tReceiver\\'s SSH public key/cert - local filename or an HTTPS URL\n  -rf-port string\n    \tProxy SSH RemoteForward port, used with -proxy option (default \"15432\")\n\n  Valid options for -proxy:\n\t-key -receiver-pubkey -proxy-key -proxy-host-pubkey -rf-proxy -in-file -cacert -quiet\n  Valid options for -connect:\n\t-key -receiver-pubkey -in-file -cacert -quiet\n  Valid options for -listen:\n\t-key -receiver-pubkey -in-file -dangerous-forever 
-cacert -quiet\n\nExamples:\n\tzcretshare send -connect ssh://\u003creceiver-host\u003e:\u003c15432\u003e -key ~/.ssh/id_rsa -in-file ~/secret-file.txt -receiver-pubkey ~/.ssh/recv_id_rsa.pub\n\n\tzcretshare send -proxy ssh://\u003cuser\u003e@\u003cproxy-ssh-server\u003e:\u003c22\u003e -key ~/.ssh/id_rsa -in-file ~/secret-file.txt -receiver-pubkey https://example.com/receiver/id_rsa.pub\n\n\tzcretshare send -proxy ssh://\u003cuser\u003e@\u003cproxy-ssh-server\u003e:\u003c22\u003e -proxy-key ~/.ssh/id_rsa_proxy -in-file ~/secret-file.txt -receiver-pubkey ~/.ssh/recv_id_rsa.pub\n\n\tzcretshare send -listen 0:\u003c15432\u003e -key sender_id_rsa -receiver-pubkey recv_id_rsa.pub -in-file super-secret.txt\n```\n\n### Demo\n\n**Receiver**\n\n```bash\n% zcretshare receive -listen 127.0.0.1:15432 -key test/id_rsa_test  -sender-pubkey test/id_rsa_test.pub -overwrite  -dir /tmp\n  /\\_/\\\n ( o.o )  SECRET SHARE PROGRAM\n  \u003e ^ \u003c   --------------------\nAuthorized sender(s) key fingerprint (from test/id_rsa_test.pub):\n  SHA256:JuUpVhauR02fYEKLbhITm2T+afZolfQvwxSsX4VdurE\n\n\nListening on 127.0.0.1:15432\n\nNew connection: sender: secret-shell-user\t sender-addr: 127.0.0.1:56381\t key fingerprint:\n  SHA256:JuUpVhauR02fYEKLbhITm2T+afZolfQvwxSsX4VdurE\nTime: 2019-02-26 11:09:52.486911 -0800 PST\nSecret content saved to: /tmp/super-secret-test\nContent fingerprint: SHA256:6pqtydvHHizpAWD+Bs83V7NZ/txqkMmwRj6c8xalIPw=\n```\n\n**Sender**\n```bash\n% zcretshare send -connect ssh://127.0.0.1:15432 -key test/id_rsa_test  -receiver-pubkey test/id_rsa_test.pub  -in-file test/super-secret-test\n  /\\_/\\\n ( o.o )  SECRET SHARE PROGRAM\n  \u003e ^ \u003c   --------------------\nReceiver key fingerprint: SHA256:JuUpVhauR02fYEKLbhITm2T+afZolfQvwxSsX4VdurE\nConnected to: 127.0.0.1:15432\nContent fingerprint: SHA256:6pqtydvHHizpAWD+Bs83V7NZ/txqkMmwRj6c8xalIPw=\nSecret file: test/super-secret-test\nTransfer complete!\n```\n\n**NOTE** \nOnly public-key based authentication is 
supported. Proxies configured to accept `passwords` or `keyboard-interactive` may not work.\n \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprbinu%2Fzcretshare","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprbinu%2Fzcretshare","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprbinu%2Fzcretshare/lists"}