{"id":37179283,"url":"https://github.com/situ-vault/situ-vault","last_synced_at":"2026-01-14T20:52:18.099Z","repository":{"id":53513881,"uuid":"323123048","full_name":"situ-vault/situ-vault","owner":"situ-vault","description":"Simple toolbox for working with encrypted secrets","archived":false,"fork":false,"pushed_at":"2025-04-16T19:58:57.000Z","size":1415,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-17T06:13:04.897Z","etag":null,"topics":["fyne","golang","kustomize-plugin","secret-distribution","secret-management","security","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/situ-vault.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-20T17:07:36.000Z","updated_at":"2025-04-09T20:35:55.000Z","dependencies_parsed_at":"2023-12-21T20:04:02.891Z","dependency_job_id":"2a9de464-23db-4d74-bcb3-343caad965e1","html_url":"https://github.com/situ-vault/situ-vault","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/situ-vault/situ-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/situ-vault%2Fsitu-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/situ-vault%2Fsitu-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/situ-vault%2Fsitu-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/situ-vau
lt%2Fsitu-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/situ-vault","download_url":"https://codeload.github.com/situ-vault/situ-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/situ-vault%2Fsitu-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28434500,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fyne","golang","kustomize-plugin","secret-distribution","secret-management","security","vault"],"created_at":"2026-01-14T20:52:17.263Z","updated_at":"2026-01-14T20:52:18.086Z","avatar_url":"https://github.com/situ-vault.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ca id=\"situ-vault-logo\" href=\"#situ-vault-logo\"\u003e\n\u003cimg align=\"right\" width=\"206\" height=\"206\" src=\"https://raw.githubusercontent.com/situ-vault/situ-vault/main/gui/situ-vault/icon/icon.png\" alt=\"situ-vault app lock icon\"\u003e\n\u003c/a\u003e\n\n# situ-vault\n\n\u003e Handling secrets like a piece of cake!\n\nSimple toolbox for working with encrypted secrets.\n\nThis repository contains tools to locally 
encrypt and decrypt secrets stored in a text based format.\n\n* Symmetric encryption using current algorithms:\n    * 🔐 **Salted key derivation** from a user supplied password (PBKDF2, Argon2id or Scrypt)\n    * ✅ **Authenticated encryption** with state-of-the-art ciphers (AES-256-GCM, NaCl Secretbox or XChaCha20-Poly1305)\n* Slim text based output:\n    * 🔣 Various encodings that enable **easy copy 'n' paste** like Base32 or Base62 (but also Base64)\n    * 📦 Selected cipher suite stored as a prefix to the ciphertext to allow decryption without further configuration\n* Two user interfaces:\n    * ⌨️ CLI: Simplistic **command line interface**, reads from files or flags and writes to stdout\n    * 🖱️ GUI: Cross-platform **graphical user interface** built with ``fyne.io``\n* Application interfaces:\n    * 🐵 Concise Go pkg\n    * 📃 Text based output and **only standard algorithms** allow straightforward implementation with other languages\n* Cloud native tools integration:\n    * ⛅ Usage of encrypted secrets via a **kustomize exec plugin** to safely store encrypted secrets in a repository but directly use them for Kubernetes application deployments\n\nThe name is inspired by the Latin ***In situ***, which can mean ***in place***. As ``situ-vault`` only works with the\nsecrets locally and does not depend on a remote system like HashiCorp Vault, AWS KMS or Azure KV, this quite nicely\ncaptures its unique differentiator.\n\n*Side Note:* If the exact opposite is actually desired, thus not using local symmetric keys,\nthen [sops](https://github.com/getsops/sops) might be worth a look. 
However, the greater flexibility that sops offers\nalso results in more visible complexity, as is apparent from the lengthy YAML or JSON structured files for the results as\nwell as its configuration.\n\n## Usage\n\n### CLI\n\nWith flags: (not recommended)\n\n```\necho test-pw | read -s PW\necho test-data | read -s DATA\nsitu-vault encrypt -password=$PW -cleartext=$DATA\nSITU_VAULT_V1##C:AES256_GCM#KDF:PBKDF2_SHA256_I10K#SALT:R8B#ENC:BASE32#LB:NO##IYKEB5WQVTPEQ===##I5VS45LGEXJXLZYNU7SYDC3ROJSDPGR2VG7KQSF2##END\n\nsitu-vault decrypt -password=$PW -ciphertext=\"SITU_VAULT_V1##C:AES256_GCM#KDF:PBKDF2_SHA256_I10K#SALT:R8B#ENC:BASE32#LB:NO##IYKEB5WQVTPEQ===##I5VS45LGEXJXLZYNU7SYDC3ROJSDPGR2VG7KQSF2##END\"\ntest-data\n```\n\nWith files:\n\n```\nsitu-vault encrypt -password=\"file://./pw.txt\" -cleartext=\"file://./data.txt\" \u003e ./data.enc.txt\n\nsitu-vault decrypt -password=\"file://./pw.txt\" -ciphertext=\"file://./data.enc.txt\" \u003e ./data.dec.txt\n```\n\nSpecify a custom vault mode:\n\n```\nsitu-vault encrypt -password=test-pw -cleartext=test-data -vaultmode=\"C:XCHACHA20_POLY1305#KDF:ARGON2ID_T1_M65536_C4#SALT:R32B#ENC:BASE62#LB:CH80\"\nSITU_VAULT_V1##C:XCHACHA20_POLY1305#KDF:ARGON2ID_T1_M65536_C4#SALT:R32B#ENC:BASE62#LB:CH80##lsDfYPcXuqspleYN0yYMw1EJu6mFfYMyP4X1L0HpZRf##\n4YVoCE4cXfMxQasx7UsqnIOA6DtsOJswSk##END\n```\n\nRedirecting the output to a file currently adds a newline after the end of the decrypted content, which might be a problem for\nsome inputs!\n\nSurrounding whitespace around ciphertexts is cleaned before parsing.\n\n### GUI\n\n#### Encrypt\n\n\u003ca id=\"situ-vault-encrypt\" href=\"#situ-vault-encrypt\"\u003e\n\u003cimg alt=\"Encrypt GUI situ-vault\" max-height=\"500px\" src=\"https://raw.githubusercontent.com/situ-vault/situ-vault/main/doc/screens/encrypt.png\"\u003e\n\u003c/a\u003e\n\n#### Decrypt\n\n\u003ca id=\"situ-vault-decrypt\" href=\"#situ-vault-decrypt\"\u003e\n\u003cimg alt=\"Decrypt GUI situ-vault\" max-height=\"500px\" 
src=\"https://raw.githubusercontent.com/situ-vault/situ-vault/main/doc/screens/decrypt.png\"\u003e\n\u003c/a\u003e\n\n#### Custom Mode\n\nThe GUI also allows selecting the algorithms and other parameters for a custom vault mode:\n\n\u003ca id=\"situ-vault-mode\" href=\"#situ-vault-mode\"\u003e\n\u003cimg alt=\"Encrypt GUI custom mode situ-vault\" max-height=\"500px\" src=\"https://raw.githubusercontent.com/situ-vault/situ-vault/main/doc/screens/mode.png\"\u003e\n\u003c/a\u003e\n\n### Kustomize\n\nFor the moment, this is documented in the specific readme: [readme.md](./cmd/situ-vault-kustomize/testdata/readme.md)\n\n## Format\n\nThe output of ``situ-vault`` is formatted as text, called a ``message`` or ``vaultmessage``:\n\n```\n# whole vaultmessage: (encoding of salt and ciphertext depending on vaultmode)\nSITU_VAULT_V1##C:AES256_GCM#KDF:PBKDF2_SHA256_I10K#SALT:R8B#ENC:BASE32#LB:NO##IYKEB5WQVTPEQ===##I5VS45LGEXJXLZYNU7SYDC3ROJSDPGR2VG7KQSF2##END\n\u003cfix-version\u003e##\u003cvaultmode\u003e##\u003csalt\u003e##\u003cciphertext\u003e##\u003cfix-end\u003e\n\n# with vaultmode:\n##\u003ccode\u003e:\u003cvalue\u003e#\u003ccode\u003e:\u003cvalue\u003e#\u003c...\u003e##\n```\n\nA text based format instead of a binary one was chosen to enable easy diffing for version control and simple copying.\nA self-describing format enables decryption without further configuration by the user and allows the reuse of a mode for\nfurther ciphertexts. The clearly readable ``##END`` allows the user to see if a message was copied completely.\n\nThe authentication tags are directly part of the ciphertext and not separated by ``##``, as this is the format most often\nused by the crypto libraries. However, the nonces are not stored as a prefix of the ciphertext, as these are derived by\nthe key derivation function as well and are thus not needed in the message.\n\n## Security\n\nNone of the actual cryptographic algorithms are re-implemented in this repository. 
Only the implementations from\nthe [crypto package](https://pkg.go.dev/crypto) of the Go standard library and its supplementary extensions\nfrom [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) are used.\n\nOne of the main design assumptions for the CLI and GUI is that the local machine is safe enough to at least\ntemporarily store and work with secrets in plaintext. The goal is rather to have a secret encrypted when it is stored in\nanother, less safe place or when in transit.\n\n### Choice\n\nSometimes choice in cryptography algorithms is seen as undesirable by library or tool authors.\nHowever, choice also enables the user to comply with existing requirements or eases crypto agility when new algorithms\nbecome necessary. Thus, in ``situ-vault`` the user is able to build a cipher suite, called ``mode`` or ``vaultmode``,\nbased on preferences, compliance requirements or tooling interoperability needs.\n\nAt least at this point in time, all the provided options are seen as suitable variants. The HKDF should only be used\nwhen the input password is already a strong secret key, e.g. when it is taken from a random source. 
It is still included here\nas it offers a lightweight alternative in these specific cases.\n\nCurrently, the mode and other metadata are not authenticated, only the actual input cleartext is authenticated.\nThe ``vaultmode`` text might be added as additional data (where an AEAD is used) in subsequent versions of situ-vault.\n\n#### Constructs:\n\nName | Notes | Value (``C``)\n--- | --- | ---\nAES-256-GCM | Key: 32 byte, Nonce: 12 byte, Tag: 16 byte | ``\"AES256_GCM\"``\nNaCl Secretbox / XSalsa20-Poly1305 | Key: 32 byte, Nonce: 24 byte, Tag: 16 byte | ``\"NACL_SECRETBOX\"``\nXChaCha20-Poly1305 | Key: 32 byte, Nonce: 24 byte, Tag: 16 byte | ``\"XCHACHA20_POLY1305\"``\n\n#### Key Derivation Functions:\n\nName | Notes | Value (``KDF``)\n--- | --- | ---\nPBKDF2 | With SHA-256 and 10000 iterations | ``\"PBKDF2_SHA256_I10K\"``\nArgon2id | With time=1, memory=64*1024 and threads=4 | ``\"ARGON2ID_T1_M65536_C4\"``\nscrypt | With N=32768, r=8 and p=1 | ``\"SCRYPT_N32768_R8_P1\"``\nHKDF | With SHA-256 and no info value | ``\"HKDF_SHA256_NOINFO\"``\n\n#### Salts:\n\nName | Notes | Value (``SALT``)\n--- | --- | ---\nRandom 8 bytes | n/a | ``\"R8B\"``\nRandom 16 bytes | n/a | ``\"R16B\"``\nRandom 24 bytes | n/a | ``\"R24B\"``\nRandom 32 bytes | n/a | ``\"R32B\"``\n\n#### Encodings:\n\nName | Notes | Value (``ENC``)\n--- | --- | ---\nHex | ``[0-9A-F]`` Base16 | ``\"HEX\"``\nBase32 | ``[2-9A-Z]`` Base32, no ``0`` or ``1`` | ``\"BASE32\"``\nBase62 | ``[0-9A-Za-z]`` Base64 without the special characters | ``\"BASE62\"`` \nBase64 | ``[0-9A-Za-z\\+\\/]`` Base64 standard | ``\"BASE64\"``\nBase64 URL | ``[0-9A-Za-z\\-\\_]`` Base64 URL safe variant: ``-``, ``_`` instead of ``+``, ``/`` | ``\"BASE64URL\"``\n\n#### Linebreaks:\n\nName | Notes | Value (``LB``)\n--- | --- | ---\nNo linebreaks | n/a | ``\"NO\"``\nAfter 80 characters | n/a | ``\"CH80\"``\nAfter 100 characters | n/a | ``\"CH100\"``\nAfter 120 characters | n/a | ``\"CH120\"``\n\n### Overview\n\nSchematic overview over the steps 
during encryption:\n\n```mermaid\ngraph TB\n\n    %% user inputs:\n    pw[/Password/]\n    cleartext[/Cleartext/]\n    mode[/Vaultmode/]\n\n    style pw stroke:#333,stroke-width:5px\n    style cleartext stroke:#333,stroke-width:5px\n    style mode stroke:#333,stroke-width:5px\n    \n    mode -.- rnd\n    mode -.- kdf\n    mode -.- ae\n    mode -.- encode\n    mode -.- lb\n    \n    %% mode influences subprocesses: (link styling not for ids)\n    linkStyle 0 stroke:#808080,stroke-width:1px,stroke-dasharray: 5 5\n    linkStyle 1 stroke:#808080,stroke-width:1px,stroke-dasharray: 5 5\n    linkStyle 2 stroke:#808080,stroke-width:1px,stroke-dasharray: 5 5\n    linkStyle 3 stroke:#808080,stroke-width:1px,stroke-dasharray: 5 5\n    linkStyle 4 stroke:#808080,stroke-width:1px,stroke-dasharray: 5 5\n    \n    %% key derivation:\n    rnd[[Random Generator]]\n    salt[/Salt/]\n    rnd --\u003e salt\n    kdf[[Key Derivation Function]]\n    pw --\u003e kdf\n    salt --\u003e kdf\n    key[/Key/]\n    iv[/IV/]\n    kdf --\u003e key\n    kdf --\u003e iv\n    \n    %% encryption:\n    ae[[Authenticated Encryption]]\n    key --\u003e ae\n    iv --\u003e ae\n    cleartext--\u003eae\n    ae --\u003e ciphertext\n    ciphertext[/Ciphertext \u0026 Tag/]\n    \n    %% encoding:\n    encode[[Text Encoding]]\n    salt --\u003e encode\n    ciphertext --\u003e encode\n    encode --\u003e ciphertextEnc\n    encode --\u003e saltEnc\n    ciphertextEnc[/Ciphertext \u0026 Tag Encoded/]\n    saltEnc[/Salt Encoded/]\n    \n    %% line wrap:\n    lb[Line Breaking]\n    ciphertextWrapped[/Ciphertext \u0026 Tag Text Lines/]\n    ciphertextEnc --\u003e lb\n    lb --\u003e ciphertextWrapped\n    \n    %% concat message:\n    version[/Version Prefix/]\n    concat[Concatenation]\n    message[/Vaultmessage/]\n    style message stroke:#333,stroke-width:5px\n\n    version --\u003e concat\n    mode --\u003e concat\n    saltEnc --\u003e concat\n    ciphertextWrapped --\u003e concat\n\n    concat --\u003e 
message\n\n```\n\n### Comparison\n\nThe combination of algorithms in use can be compared to other well-established tools:\n\n* [openssl-enc](https://www.openssl.org/docs/man1.1.1/man1/enc.html) symmetric cipher routines as of version 1.1.1:\n    * algorithms:\n        * Various ciphers supported including legacy ciphers, but no AEAD by choice\n        * e.g. AES-256-CTR (in some other implementations also GCM; but there the authentication tag is discarded)\n        * If enabled PBKDF2 can be used, defaults use SHA-256 and 10000 iterations with a salt (8 bytes) to derive the key (32 bytes) and an IV (16 bytes)\n    * differences: no authenticated encryption; selected cipher suite or version information is not included in the output\n    * result structure, binary or all together Base64 encoded:\n        * a prefix: ``Salted__``\n        * the salt\n        * the ciphertext\n* [Ansible Vault](https://docs.ansible.com/ansible/2.10/user_guide/vault.html#format-of-files-encrypted-with-ansible-vault) payload format 1.2:\n    * algorithms:\n        * AES-256-CTR\n        * PBKDF2 with SHA-256 using 10000 iterations with a salt (32 bytes) to derive the AES key (32 bytes), HMAC key (32 bytes) and an IV (16 bytes)\n    * differences: plaintext is padded to block size before encryption; separate HMAC is used as AES mode is CTR instead of GCM\n    * result structure, separated by newlines:\n        * a header (e.g. ``$ANSIBLE_VAULT;1.2;AES256;vault-id-label``)\n        * hex encoded salt\n        * hex encoded HMAC of the ciphertext\n        * hex encoded ciphertext (newlines after 80 characters)\n\n## Development\n\n### Run all tests\n\n```shell\nfor directory in pkg cmd gui\ndo\n  ( cd \"$directory\" \u0026\u0026 go test ./... )\ndone\n```\n\n### Run all checks\n\n```shell\nfor directory in pkg cmd gui\ndo\n  ( cd \"$directory\" \u0026\u0026 go vet -tags ci ./... \u0026\u0026 staticcheck ./... 
)\ndone\n```\n\n### Run commands during development\n\n```shell\ngo run ./cmd/situ-vault encrypt -password=hello -cleartext=world\ngo run ./gui/situ-vault\n```\n\n### Upgrade dependencies\n\n```shell\nfor directory in pkg cmd gui\ndo\n  ( \n    cd \"$directory\" \n    go get -u ./...\n    echo 'resetting pkg replace version'\n    sed -i '' 's:situ-vault/pkg v[0-9]*.[0-9]*.[0-9]*$:situ-vault/pkg v0.0.0:g' go.mod\n    echo 'cleaning checksums'\n    rm go.sum\n    go mod tidy\n    go test ./... \n  )\ndone\n```\n\n## Attribution\n\nThe situ-vault app icon emoji is from [OpenMoji](https://openmoji.org/). Icon license: [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/#)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsitu-vault%2Fsitu-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsitu-vault%2Fsitu-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsitu-vault%2Fsitu-vault/lists"}