{"id":23469900,"url":"https://github.com/vapor-ware/sctl","last_synced_at":"2025-04-14T16:33:48.155Z","repository":{"id":45444721,"uuid":"184498802","full_name":"vapor-ware/sctl","owner":"vapor-ware","description":"SCTL is not End2End encryption, instead SCTL is more of an envelope, in which you store secrets until they are needed, and those secrets should only remain available in plain text while the operation that needs them is active.","archived":false,"fork":false,"pushed_at":"2023-03-16T18:07:43.000Z","size":245,"stargazers_count":8,"open_issues_count":16,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-21T22:03:07.850Z","etag":null,"topics":["envelope","kms","sctl","secrets","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vapor-ware.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-02T00:19:31.000Z","updated_at":"2021-12-13T17:41:33.000Z","dependencies_parsed_at":"2024-06-19T22:51:17.048Z","dependency_job_id":"0ad55d2b-915c-444a-af8a-d39fdcd0185b","html_url":"https://github.com/vapor-ware/sctl","commit_stats":null,"previous_names":[],"tags_count":32,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vapor-ware%2Fsctl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vapor-ware%2Fsctl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vapor-ware%2Fsctl/releases","manifests_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vapor-ware%2Fsctl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vapor-ware","download_url":"https://codeload.github.com/vapor-ware/sctl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248916608,"owners_count":21182838,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["envelope","kms","sctl","secrets","security"],"created_at":"2024-12-24T15:36:48.815Z","updated_at":"2025-04-14T16:33:48.131Z","avatar_url":"https://github.com/vapor-ware.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Scuttle\n\n/ˈskədl/\n\n\n\u003cimg src=\"sctl.svg\" width=\"150\" height=\"150\" alt=\"sctl - pronounced scuttle\" /\u003e\n\nIcon made by [Gregor Cresnar](https://www.flaticon.com/authors/gregor-cresnar) from www.flaticon.com\n\n## About Scuttle\n\nScuttle aims to help you prevent security breaches by keeping secrets out of\nSCM in plain text. If you operate on Google Cloud, you don't have a lot of\noptions available to you out of the gate for managing secrets.\n\nScuttle uses KMS keys, and IAM policy to enforce the level of trust you need\nat your trust boundaries. 
No plain text is stored in the repository, only cipher\ntext that is decryptable with an IAM user that has the appropriate permissions.\n\nSCTL is not end-to-end encryption; instead, SCTL is more of an envelope, in which\nyou store secrets until they are needed, and those secrets should only remain\navailable in plain text while the operation that needs them is active.\n\n#### Why the name scuttle?\n\nIt's less interesting than you think. I'm a fan of short CLI commands, and\nsctl is shorthand for \"secrets-ctl\", which when pronounced out loud sounds\nlike \"scuddle\" (I'm a kube cuddle person) - ergo: \"scuttle\".\n\n\n### Installation\n\n**Homebrew**:\n\n\u003e Currently only x86 Linux/Mac are supported.\n\nInstall sctl:\n```\nbrew tap vapor-ware/formula\nbrew install vapor-ware/formula/sctl\n```\n\n**Snap Packages**:\n\u003e We tried snaps; at this time it's not a suitable release channel for sctl.\n\u003e We are open to attempting again in the future.\n\n**Pipeline Releases**:\n\n\u003e Currently only x86 arch, Linux/Mac/Windows are published.\n\nDownload the latest stable release from the [Releases](https://github.com/vapor-ware/sctl/releases)\nlisting for your platform/arch.\n\nExtract the release tarball: `tar xvfz sctl_version_Linux_x86_64.tar.gz`\n\nInstall the `sctl` binary somewhere in `$PATH`, e.g.:\n\n`sudo install sctl /usr/local/bin/sctl` - this copies the binary to `/usr/local/bin/sctl` and sets its mode to 755\n\n**From Source**:\n\nYou'll need at least Go 1.11 (for Go modules), a valid `$GOPATH`, and should have the GOPATH\nbin path appended to `$PATH`.\n\n```\ngo get -u github.com/vapor-ware/sctl\n```\n\n\n### Configuration\n\nConfiguration consists of 2 steps:\n\n\n#### Authentication\nYou can configure sctl's authentication in one of two ways.\n\n1) `GOOGLE_APPLICATION_CREDENTIALS` - via environment variable. Set this environment variable to a file path containing your credentials. 
These can be for any serviceAccount or authorized user, for example.\n\n2) `sctl credential add` will prompt you for a client configuration JSON. Ask your sctl administrator to provide this value if you're unsure what to enter. Once input, a link to visit will be output to your terminal. Open the link, log in to Google, and grant sctl's KMS scope authentication request. This will redirect you to a temporary HTTP server which will finish your authentication.\n\n#### Key Configuration\n\nOptionally, you may set an environment variable to provide the value for your key parameter. This is useful if you\nwork in a small department and use the same key consistently. Otherwise this step may be skipped and you can pass the `--key` flag to any command that supports it.\n\n```\nexport SCTL_KEY=projects/my-project/locations/us/keyRings/my-keyring/cryptoKeys/my-key\n```\n\n### Usage\n\nTo get help with any command and show usage details, pass the `--help`\nflag, or simply run sctl without any arguments.\n\n```\n$ sctl add foo\nEnter the data you want to encrypt. END with CTRL+D\nbar\n$ sctl list\nFOO\n$ cat .scuttle.json\n[\n {\n  \"name\": \"FOO\",\n  \"cypher\": \"CiQArcZm2GES73oHpipKV3UHUyFOUkPvWADrV/H6IssOIfVuh9wSKwDujG3UyRBnTFqciamPsK0x8UIaq6kzsYlhPoA9YHCzh0pd3KOJFpkvQqI=\",\n  \"created\": \"2019-05-01T19:08:58.959335955-05:00\",\n  \"encoding\": \"base64\"\n }\n]\n# sctl run helmfile diff\n```\n\nKey decryption is simple:\n```\n$ sctl read foo\nbar\n```\n\n\n\n### Rotate state / re-key\n\nAs you deprecate/disable older KMS key revisions, it can be prudent to migrate\na statefile of encrypted secrets. This can be a daunting task if undertaken one\nby one. To ease the migration between versions (and different keys), 
the re-key\nfunction was introduced in 1.0.0.\n\n```\nsctl re-key --newKey projects/new-project/locations/us/keyRings/new-keyring/cryptoKeys/new-key\n\nRotated entry for FOO\nRotated entry for BAR\n```\n\nNote: this operation attempts to be atomic, but if an error occurs, the state\nmay be incompletely translated. This can be confirmed if the sctl state file\nis versioned in VCS where you can easily diff the contents.\n\nNote: the base64 data and createdOn dates should be different if the entry\nwas updated.\n\n## Acknowledgements\n\nSeveral tools like this have come before; sctl offers a polite hat-tip to\n- [99designs/aws-vault](https://github.com/99designs/aws-vault)\n- [bitnami/sealed-secrets](https://github.com/bitnami/sealed-secrets)\n\n## Reference Reading\n\n- [Create Symmetric KMS Keys](https://cloud.google.com/kms/docs/creating-keys)\n- [Encrypt/Decrypt with a symmetric CloudKMS Key](https://cloud.google.com/kms/docs/encrypt-decrypt)\n- [Secret Storage with Cloud KMS](https://cloud.google.com/kms/docs/store-secrets)\n- [Cloud KMS Roles](https://cloud.google.com/iam/docs/understanding-roles#cloud-kms-roles)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvapor-ware%2Fsctl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvapor-ware%2Fsctl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvapor-ware%2Fsctl/lists"}