scrt
is a command-line secret manager for developers, sysadmins and devops. scrt
aims to provide command-line users with a secure way of storing and retrieving secrets, while retaining control of the storage.
- Stateless command-line tool for Linux/Windows/Darwin
- All cryptography happens in the client: no passwords, keys or plaintext data over the wire, no key management included
- Key/value interface:
get
/set
/unset
- Configuration from command-line, configuration file or environment variables (no unexpected defaults!)
- Multiple backend choices:
- Local filesystem
- S3 (or S3-compatible object storage)
- More to come...
Download the latest finary release for your platform from the releases page. Decompress the archive to the desired location. E.g.
tar xzvf scrt_1.2.3_linux_x86_64.tar.gz
sudo cp scrt_1.2.3_linux_x86_64/scrt /usr/local/bin/scrt
Configure the apt repository:
echo "deb https://loderunner.github.io/scrt-apt /" | sudo tee /etc/apt/sources.list.d/scrt.list
curl "https://loderunner.github.io/scrt-apt/key.gpg" | sudo apt-key add -
Install the binary package:
sudo apt update
sudo apt install scrt
Configure the yum repository:
[scrt]
name=scrt
baseurl=https://loderunner.github.io/scrt-yum
repo_gpgcheck=1
gpgcheck=1
enabled=1
gpgkey=https://loderunner.github.io/scrt-yum/key.gpg
sslverify=1
metadata_expire=300
Install the binary package
sudo yum update
sudo yum install scrt
Configure the Homebrew tap:
brew tap loderunner/scrt
Install the binary package:
brew install scrt
Use go get
to download and build the latest version:
go get github.com/loderunner/scrt
scrt
will be available in the binaries directory of your GOPATH. Add it to your path, and run scrt
.
Clone the repository and use go build
to build a binary (requires go >= 1.16):
git clone https://github.com/loderunner/scrt.git
cd scrt
go build .
The built executable will be located at scrt
at the root of the repository.
Initialize a new store, with scrt init
.
scrt init --storage=local \
--password=p4ssw0rd \
--local-path=~/.scrt/store.scrt
# store initialized
This will create an empty store, in a store.scrt
file located in .scrt
inside your home directory. The file is encrypted using a secret key derived from the given password.
The content of the file is unreadable:
00000000 e0 97 af ea 86 f7 6a f0 82 06 47 8f fc 54 47 8e |......j...G..TG.|
00000010 89 f9 ca f4 00 98 24 f3 85 1e bd 85 e5 c1 66 43 |......$.......fC|
00000020 d8 5d 47 2b 99 b1 99 fa 2c 07 0a ec 8c 11 |.]G+....,.....|
Set your configuration in environment variables, so you don't have to type them out each time you run a command.
export SCRT_STORAGE=local
export SCRT_PASSWORD=p4ssw0rd
export SCRT_LOCAL_PATH=~/.scrt/store.scrt
Set and retrieve a value for a key using scrt set
and scrt get
.
scrt set hello 'World!'
scrt get hello
# Output: World!
The content of the file is still unreadable, but now contains your value:
00000000 1d cc 02 68 c0 e5 d4 a4 9d 8f ff 14 0c 3b 73 71 |...h.........;sq|
00000010 47 54 2a 78 d8 87 63 fd 29 dc b4 e4 72 c7 0e 57 |GT*x..c.)...r..W|
00000020 be 04 ba e9 7d 36 6d e1 64 47 e2 e2 c0 fb 83 30 |....}6m.dG.....0|
00000030 51 9e ad cf 15 d8 7e 35 77 1c 0c f1 70 be cb 91 |Q.....~5w...p...|
Use scrt --help
to output a full help message.
A secret manager for the command-line
Usage:
scrt [command]
Available Commands:
init Initialize a new store
set Associate a key to a value in a store
get Retrieve the value associated to key from a store
list List all the keys in a store
unset Remove the value associated to key in a store
storage List storage types and options
help Help about any command
Flags:
-c, --config string configuration file
-h, --help help for scrt
-p, --password string master password to unlock the store
--storage string storage type
-v, --version version for scrt
Use "scrt [command] --help" for more information about a command.
-c
, --config
: Path to a YAML Configuration file
--storage
: storage type, see Storage types for details.
-p
, --password
: password to the store. The argument will be used to derive a key, to decrypt and encrypt the data in the store.
In the following examples, these options will be sometimes omitted, as they can be configured using a configuration file or environment variables.
scrt storage
List all available storage types and options
scrt init [flags]
Initialize a new store. If an item is already present at the given location, the initialization will fail unless the --overwrite
option is set.
Create a store in a store.scrt
file in the local filesystem, in the current working directory, using the password "p4ssw0rd"
.
scrt init --storage=local --password=p4ssw0rd --local-path=./store.scrt
--overwrite
: when this flag is set, scrt
will overwrite the item at the given location, if it exists, instead of returning an error. If no item exists at the location, --overwrite
has no effect.
scrt set [flags] key [value]
Associate a value to a key in the store. If value
is omitted from the command
line, it will be read from standard input.
If a value is already set for key
, the command will fail unless the --overwrite
option is set.
Associate Hello World
to the key greeting
in the store, using implicit store configuration (configuration file or environment variables).
scrt set greeting "Hello World"
--overwrite
: when this flag is set, scrt
will overwrite the value for key
in the store, if it exists, instead of returning an error. If no value is associated to key
, --overwrite
has no effect.
scrt get [flags] key
Retrieve the value associated to the key in the store, if it exists. Returns an error if no value is associated to the key.
Retrieve the value associated to the key greeting
in the store, using implicit store configuration (configuration file or environment variables).
scrt get greeting
# Output: Hello World
scrt list
List all the keys in the store.
List all the keys in the store, using implicit store configuration (configuration file or environment variables).
scrt list
# Output: greeting
scrt unset [flags] key
Disassociate the value associated to a key in the store. If no value is associated to the key, does nothing.
Remove the value associated to the key. After this command, no value will be associated to the key greeting
in the store.
scrt unset greeting
Repeating the global options every time the scrt
command is invoked can be verbose. Also, some options–like the store password–shouldn't be used on the command line on a shared computer, to avoid security issues.
To prevent this, scrt
can be configured with a configuration file or using environment variables.
scrt
uses the following precedence order. Each item takes precedence over the item below it:
- flags
- environment variables
- configuration file
Configuration options can be considered to be chosen from "most explicit" (flags) to "least explicit" (configuration file).
The scrt
configuration file is a YAML file with the configuration options as keys.
Example:
storage: local
password: p4ssw0rd
local:
path: ~/.scrt/store.scrt
If the --config
option is given to the command-line, scrt
will try to load the configuration from a file at the given path. Otherwise, it looks for any file named .scrt
, .scrt.yml
or .scrt.yaml
in the current working directory, then recursively in the parent directory up to the root of the filesystem. If such a file is found, its values are loaded as configuration.
This can be useful in configuring the location of a store for a project, by adding a .scrt
file at the root of the project repository. scrt
can then be used in CI and other DevOps tools.
⚠️ Don't add the password to a configuration file in a public git repository!⚠️
Storage type (storage
) can be ignored in a configuration file. scrt
will read the configuration under the key for the storage type (e.g. local:
). Defining configurations for multiple storage types in a single file will result in undefined behavior.
Each global option has an environment variable counterpart. Environment variables use the same name as the configuration option, in uppercase letters, prefixed with SCRT_
.
storage
⇒SCRT_STORAGE
password
⇒SCRT_PASSWORD
local-path
⇒SCRT_LOCAL_PATH
To configure a default store on your system, add the following to your .bashrc
file (if using bash
):
export SCRT_STORAGE=local
export SCRT_PASSWORD=p4ssw0rd
export SCRT_LOCAL_PATH=~/.scrt/store.scrt
Refer to your shell interpreter's documentation to set environment variables if you don't use
bash
(zsh
,dash
,tcsh
, etc.)
Local:
local store secrets to local filesystem
Flags:
--local-path string path to the store in the local filesystem
S3:
s3 store secrets to AWS S3 or S3-compatible object storage
Flags:
--s3-bucket-name string name of the S3 bucket
--s3-endpoint-url string override default S3 endpoint URL
--s3-key string path of the store object in the bucket
--s3-region string region of the S3 storage
scrt
supports various storage backends, independent of the secrets engine. Each storage type has a name, and configuration options vary according to the chosen type.
Storage types may support additional options. See the documentation below for details.
Use the local
storage type to create and access a store on your local filesystem.
Example:
scrt init --storage=local --password=p4ssw0rd --local-path=/tmp/store.scrt
--local-path
: the path to the store file on the local filesystem.
Use the s3
storage type to create and access a store using AWS S3 or any compatible object storage (such as MinIO).
Example:
scrt init --storage=s3 \
--password=p4ssw0rd \
--s3-bucket-name=scrt-bucket \
--s3-key=/store.scrt
scrt
uses your AWS configuration (config files, environment variables) if it can be found.
--s3-bucket-name
: the name of the bucket to save to store to
--s3-key
: the key to the store object
--s3-region
: set the region for the S3 bucket
--s3-endpoint-url
: when using an S3-compatible object storage other than AWS, scrt
requires the URL of the S3 API endpoint. Can be configured in the configuration file, or with the SCRT_S3_ENDPOINT_URL
environment variable.
Nobody knows. It's either "secret" without the e's; or "skrrt" like a Migos ad-lib.
scrt
relies on the industry-standard AES symmetric encryption algorithm with 256-bit keys, with GCM mode of operation (AES-256-GCM, in OpenSSL parlance).
The encryption keys are derived from the password using the Argon2id key derivation function. A new random salt is used every time the store is written to, preventing reuse of existing cryptographic keys.
scrt
does not save keys in the store, nor does it transfer any plaintext over the wire. All decryption and encryption happens on your computer while the program is running. This is the only way to provide full privacy and zero-trust security.
The downside to this is that the entire store must be loaded into memory, possibly downloading it through the network, decrypted, and possibly reencrypted (on a mutating operation like set
or unset
) every time you run scrt
. If the size of your store becomes an issue, there are workarounds like splitting your store into multiple stores, or downloading the entire store to the local filesystem before using it.
I've got some good news and some bad news.
The bad news: you're doomed. Your secrets are encrypted with a key that can only be derived from your password. scrt
does not store or manage keys. There is no way to recover your secrets without your password.
The good news: you probably won't lose your password again.