Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/angt/secret
A tiny secret store to keep your little secrets
https://github.com/angt/secret
c crypto hacktoberfest keyring password-store secret storage
Last synced: about 1 month ago
JSON representation
A tiny secret store to keep your little secrets
- Host: GitHub
- URL: https://github.com/angt/secret
- Owner: angt
- License: bsd-2-clause
- Created: 2020-04-24T06:44:07.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-05-24T10:51:29.000Z (over 1 year ago)
- Last Synced: 2024-08-01T22:42:47.081Z (4 months ago)
- Topics: c, crypto, hacktoberfest, keyring, password-store, secret, storage
- Language: C
- Homepage:
- Size: 108 KB
- Stars: 60
- Watchers: 7
- Forks: 5
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-repositories - angt/secret - A tiny secret store to keep your little secrets (C)
README
# secret
A simple and tiny tool that will help you keep your little secrets.
## Features
`secret` is the simplest secret store you can think of.
But it does have some interesting features:- Requires only one file `~/.secret` that you can share publicly without fear.
- No configuration. No directory. Get back your file and you're done.
- Secret names (usually hostname, mail, login, etc.) are also encrypted.
- A secret agent that only trusts subprocesses. Not all the processes of the same user!
- Secret names completion is available after calling the secret agent.
- Supports unstored secrets. Derived from some simple keys and a passphrase.
- Supports multiple passphrases. A confirmation is requested for each new passphrase.
- Supports TOTP natively. The name must contain the word `totp`.
- Depends only on the [libhydrogen](https://libhydrogen.org/) library.
- Small, simple and non obfuscated C code. Well, I hope so :)## Security
The main goal is to have `secret` working on all architectures and to make it very simple to audit.
Luckily, permutation-based cryptography has arrived and makes it possible to achieve this goal with very little code.
In 2020, using a bloated library full of CVEs will not have been reasonable considering the major advances in this field.Only one cryptographic building block is used, the [Gimli](https://gimli.cr.yp.to/gimli-20170627.pdf) permutation.
All cryptographic operations are derived from this permutation and implemented in the [libhydrogen](https://libhydrogen.org/) library.## Install
### Homebrew
You can simply install `secret` from my [Homebrew Tap](https://github.com/angt/homebrew-tap):
$ brew install angt/tap/secret
### Build from source
This should work on a wide variety of architectures and POSIX systems.
It was successfully tested on Linux, OpenBSD, FreeBSD and MacOS.Clone the repository recursively:
$ git clone https://github.com/angt/secret --recursive
$ cd secretThen, run as `root`:
# make install
As usual, you can customize the destination with `DESTDIR` and `prefix`.
Typically if you want to change the default `/usr/local` prefix:# make prefix=/usr install
### Tab completion
Tab completion works with `bash`, `zsh` and `yash`.
Unfortunately, it doesn't work out of the box, you have to setup it manually.
Luckily, it's super easy!Download the file corresponding to your shell:
- [argz.bash](https://raw.githubusercontent.com/angt/argz/master/comp/argz.bash)
- [argz.yash](https://raw.githubusercontent.com/angt/argz/master/comp/argz.yash)
- [argz.zsh](https://raw.githubusercontent.com/angt/argz/master/comp/argz.zsh)Then, for `bash`, you can add these lines in your `.bashrc`:
. YOUR_PATH_TO/argz.bash
complete -F _argz secret
For `yash`, in your `.yashrc`:
. YOUR_PATH_TO/argz.yash
function completion/secret {
command -f completion//reexecute argz
}And finally, for `zsh`, in your `.zshrc`:
. YOUR_PATH_TO/argz.zsh
compdef _argz secret
Completion for secrets is only available in a trusted shell. See below.
## Commands
Available commands:
init Initialize secret for the current user
list List all secrets for a given passphrase
show Print a secret
new Generate a new random secret
set Set a new secret
renew Regenerate an existing secret
update Update an existing secret
pass Print a deterministic secret
agent Run a process in a trusted zone
version Show versionAll secrets are encrypted in the file `~/.secret`.
You can use a different file with the `SECRET_STORE` environment variable:$ env SECRET_STORE= secret ...
## Examples
Initialize secret for the current user:
$ secret init
Add a new randomly generated secret:
$ secret new test
Passphrase:
No secrets stored with this passphrase.
Please, retype it to confirm:
/xK;{%@d~hPh.L'5-Sn{sBQd5Show the secret:
$ secret show test
Passphrase:
/xK;{%@d~hPh.L'5-Sn{sBQd5Rename a secret, press ENTER to not change it:
$ secret update test test2
Passphrase:
Secret:$ secret show test2
Passphrase:
/xK;{%@d~hPh.L'5-Sn{sBQd5Pipe a secret:
$ secret show test2 | tr -cd [a-z] | secret update test2
Passphrase:
Passphrase:$ secret show test2
Passphrase:
xdhhnsdAdd a TOTP token:
$ echo -n JBSWY3DPEHPK3PXP | base32 -d | secret set test/totp
Passphrase:$ secret show test/totp
Passphrase:
$ 123456Derive a deterministic (a.k.a. unstored) secret:
$ secret pass [email protected]
Passphrase:
a`4$B2mJ=|"HD?b4:/y"?wOaQSubkeys are also supported, this allows to update your secret in a clean way:
$ secret pass [email protected] 2020
Passphrase:
F"1j;-X]t.Pi>.xf5hG,]dUMzAdd a binary secret:
$ dd if=/dev/urandom bs=1 count=32 2>/dev/null | secret set mykey
Passphrase:$ secret show mykey | xxd
Passphrase:
00000000: 0ee9 cdb3 de0a 3e71 b623 726d 5d7e eb23 ......>q.#rm]~.#
00000010: 5b43 a458 3fb7 3b96 ea9b 6e47 d302 cae7 [C.X?.;...nG....Start a trusted zone:
$ secret agent
Passphrase:Now, the passphrase is not requested and completion fully works!
If you don't use `bash` but still want completion,
run `secret agent ` or (much better) send a PR to add support for your shiny shell :)---
For feature requests and bug reports,
please create an [issue](https://github.com/angt/secret/issues).