{"id":13781607,"url":"https://github.com/slok/agebox","last_synced_at":"2025-10-16T13:58:28.075Z","repository":{"id":37416429,"uuid":"341452691","full_name":"slok/agebox","owner":"slok","description":"Age based repository file encryption gitops tool","archived":false,"fork":false,"pushed_at":"2025-04-10T10:10:26.000Z","size":397,"stargazers_count":294,"open_issues_count":15,"forks_count":17,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-12T14:57:47.005Z","etag":null,"topics":["age","blackbox","encryption","git-crypt","gitops","repository-secrets","secrets","secrets-management","security","security-tools","sops"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/slok.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-23T06:30:12.000Z","updated_at":"2025-04-10T10:09:26.000Z","dependencies_parsed_at":"2024-01-15T20:47:17.040Z","dependency_job_id":"808443ea-b26e-4007-aad7-9ff5c7e59960","html_url":"https://github.com/slok/agebox","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slok%2Fagebox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slok%2Fagebox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slok%2Fagebox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slok%2Fagebox/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/slok","download_url":"https://codeload.github.com/slok/agebox/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248586249,"owners_count":21128997,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["age","blackbox","encryption","git-crypt","gitops","repository-secrets","secrets","secrets-management","security","security-tools","sops"],"created_at":"2024-08-03T18:01:27.615Z","updated_at":"2025-10-16T13:58:23.022Z","avatar_url":"https://github.com/slok.png","language":"Go","funding_links":[],"categories":["security-tools","Secret Management","Tools","Go"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\"img/logo.png\" width=\"50%\" align=\"center\" alt=\"agebox\"\u003e\n\u003c/p\u003e\n\n# agebox\n\n[![CI](https://github.com/slok/agebox/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/slok/agebox/actions/workflows/ci.yaml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/slok/agebox)](https://goreportcard.com/report/github.com/slok/agebox)\n[![Apache 2 licensed](https://img.shields.io/badge/license-Apache2-blue.svg)](https://raw.githubusercontent.com/slok/agebox/master/LICENSE)\n[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/slok/agebox)](https://github.com/slok/agebox/releases/latest)\n\nEasy and simple file repository encryption tool based on [Age].\n\nHave you ever thought _\"this should be simple\"_ while you were using tools like [Blackbox] , [Git-crypt] or [Sops]? 
This is what agebox is. A tool on top of [Age]'s security system that encrypts/decrypts your repository files, focused on simplicity and gitops.\n\n## Features\n\n- Secure (Agebox delegates security to [Age]).\n- Tracks encrypted files in repository.\n- No PGP and no agents, just simple SSH and [Age] key files.\n- File flexibility (encrypts/decrypts recursive paths, multiple/single files, all tracked files...).\n- Reencrypts all tracked files with a single command.\n- Focused on Gitops, CI flows and simplicity.\n- Works with any file (doesn't understand formats like JSON, YAML...).\n- Single binary/executable.\n- No side effects like VCS commands (e.g: doesn't execute Git commands for you).\n\n## Get agebox\n\n- [Releases](https://github.com/slok/agebox/releases)\n- [Docker images](https://github.com/users/slok/packages/container/package/agebox)\n- `git clone git@github.com:slok/agebox.git \u0026\u0026 cd ./agebox \u0026\u0026 make build \u0026\u0026 ls -la ./bin`\n\n## Getting started\n\nInitialize agebox tracking file.\n\n```bash\nagebox init\n```\n\nEncrypt (and track) multiple files.\n\n```bash\nagebox encrypt ./app1/secret1.yaml ./app2/secret1.yaml\n```\n\nEncrypt (and track) a directory in dry-run to see what would be encrypted before doing it.\n\n```bash\nagebox encrypt ./secrets --dry-run\n```\n\nEncrypt (and track) a directory and only (filter regex used) the `secret` named yaml files.\n\n```bash\nagebox encrypt ./manifests --filter \".*secret(\\.yaml|\\.yml)$\"\n```\n\nDecrypt a subset of tracked secrets and a file.\n\n```bash\nagebox decrypt ./secrets/team-1 ./secrets/secret1.yaml\n```\n\nDecrypt only (filter regex used) `team-a` tracked files.\n\n```bash\nagebox decrypt ./secrets --filter \".*team-a.*\"\n```\n\nForce decryption of all tracked files.\n\n```bash\nagebox decrypt --all --force\n```\n\nValidate tracked secrets are encrypted and not decrypted (without decrypt validation).\n\n```bash\nagebox validate --no-decrypt\n```\n\nCat multiple encrypted 
files and print them to stdout.\n\n```bash\nagebox cat ./secrets/secret1.yaml.agebox ./secrets/secret2.json.agebox --no-log\n```\n\nReencrypt all files.\n\n```bash\nagebox reencrypt\n```\n\nUntrack multiple files.\n\n```bash\nagebox untrack ./secrets/secret1.yaml ./secrets/secret2.yaml\n```\n\nUntrack and delete a file.\n\n```bash\nagebox untrack ./secrets/secret1.yaml --delete\n```\n\n## How does it work\n\nWhen you initialize agebox on a repository it will create a file (`.ageboxreg.yml`) that will track all the encrypted\nfiles in the repository.\n\nFrom now on if you encrypt files with agebox from the root of the repository it will:\n\n- Track the files if not already tracked.\n- Encrypt the files with the public keys in `./keys` or `--public-keys` as recipients.\n- If a path is a directory, it will expand to all the files in the directory and subdirectories.\n\nAs examples of the regular agebox usage flow, you can:\n\n- Decrypt tracked files as a single file, multiple files, a directory and its subdirectories...\n- Decrypt all tracked files (`--all`).\n- Reencrypt all tracked files with the public key recipients.\n- Encrypt all tracked files (`--all`) that are decrypted in the repository.\n- Untrack a file (and optionally delete it from the file system).\n- Encrypt/decrypt in dry-run to validate (handy in CI for checking).\n- Cat encrypted files to stdout.\n- Validate tracked files are encrypted and not decrypted (useful on CI, git hooks...).\n\nCheck the **Getting started** section for specific commands.\n\n## Keys\n\nAgebox supports the same asymmetric keys [Age] does:\n\n- X25519 (Age).\n- RSA SSH.\n- Ed25519 SSH.\n\n**Agebox knows how to discover keys in directories (recursively).**\n\n### Public keys\n\nThe public keys are the recipients of the encrypted files. 
With their respective private keys, users will be able to decrypt the files.\n\nPublic keys should be in a directory relative to the root of the repository (by default `./keys`) at the moment of invoking encryption commands. This simplifies the usage of keys by not requiring PGP keys or agents.\n\nAgebox will encrypt with the loaded public keys. This means that when we add or remove any public key we should `reencrypt` the tracked files.\n\nIn case you don't want to have all the public keys in all the repositories that are managed by agebox, you could centralize these keys in another repository and get them before invoking agebox. Some usage examples:\n\n- Git submodule `git pull --recurse-submodules`.\n- Git repo, running `git clone/pull` before invoking the agebox command.\n- Download public keys from S3.\n\nYou can configure this with `--public-keys` flag or `AGEBOX_PUBLIC_KEYS` env var.\n\nYou can have multiple public keys in a file (one per line), like [Age recipients file](https://github.com/FiloSottile/age/#recipient-files).\n\n### Private keys\n\nBy default Agebox will try loading all the valid private keys from `HOME/.ssh`, however you can configure this with `--private-keys` flag or `AGEBOX_PRIVATE_KEYS` env var to point to a specific directory with the keys (or a path to a single key).\n\n## Alternatives\n\n- [Blackbox]: Uses PGP (requires an agent), complex and sometimes has undesired side effects (e.g. Git command execution).\n- [Sops]: Lots of features and very complex for simple use cases.\n- [Git-crypt]: Uses PGP (requires an agent), complex, 100% tied to Git.\n\n## Kudos\n\nThanks to [@FiloSottile](https://twitter.com/FiloSottile), [@Benjojo12](https://twitter.com/Benjojo12) and all the other [contributors](https://github.com/FiloSottile/age/graphs/contributors) of [Age].\n\nWithout [Age], [Agebox] would not exist.\n\n[agebox]: https://github.com/slok/agebox\n[age]: https://github.com/FiloSottile/age\n[blackbox]: 
https://github.com/StackExchange/blackbox\n[sops]: https://github.com/mozilla/sops\n[git-crypt]: https://github.com/AGWA/git-crypt\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslok%2Fagebox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslok%2Fagebox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslok%2Fagebox/lists"}