
secrethub-cli's Introduction


SecretHub has joined 1Password! Find out more on the SecretHub blog. 🎉




SecretHub CLI


The SecretHub CLI provides the command-line interface to interact with the SecretHub API.

SecretHub is a secrets management tool that works for every engineer. Securely provision passwords and keys throughout your entire stack with just a few lines of code.

Usage

Below is a selection of the most-used SecretHub commands. Run secrethub --help or see the CLI reference docs for a complete list of all commands.

Reading and writing secrets

$ secrethub read <path/to/secret>
Print a secret to stdout.

$ secrethub generate <path/to/secret>
Generate a random value and store it as a new version of a secret

$ secrethub write <path/to/secret>
Ask for a value to store as a secret.

$ echo "mysecret" | secrethub write <path/to/secret>
Store a piped value as a secret.

$ secrethub write -i <filename> <path/to/secret>
Store the contents of a file as a secret.

Provisioning your applications with secrets

$ export MYSECRET=secrethub://path/to/secret
$ secrethub run -- <executable/script>
Automatically load secrets into environment variables and provide them to the wrapped executable or script.

$ echo "mysecret: {{path/to/secret}}" | secrethub inject
Read a configuration template from stdin and automatically inject secrets into it.

Access control

$ secrethub service init <namespace>/<repo> --permission <dir>:<read/write/admin>
Create a service account for the given repository and automatically grant read, write or admin permission on the given directory.

$ secrethub acl set <path/to/directory> <account-name> <read/write/admin>
Grant an account read, write or admin permission on a directory.

$ secrethub repo revoke <namespace>/<repo> <account-name>
Revoke an account's access to a repository.

Integrations

SecretHub integrates with all the tools you already know and love.

Check out the Integrations page to find out how SecretHub works with your tools.

Getting help

Come chat with us on Discord or email us at [email protected]

Development

Pull requests from the community are welcome. If you'd like to contribute, please check out the contributing guidelines.

Build

Building from source requires Golang to be installed. To build the binary in the current directory, run:

make build

Install

To install the binary in the GOBIN directory, run:

make install

Test

Run all tests:

make test

Run tests for one package:

go test ./internals/secrethub

Run a single test:

go test ./internals/secrethub -run TestWriteCommand_Run

secrethub-cli's People

Contributors

edif2008, florisvdg, hculea, jpcoenen, mackenbach, marton6, simonbarendse


secrethub-cli's Issues

Add complex password requirements to generate command

Though we discourage users from applying requirements like minimum 1 symbol (as it decreases the entropy of the generated password), we do not control the password requirements of third party applications our users store and generate passwords for.

And those requirements can be super wacky:

To support those password requirements in a relatively simple way, we've come up with three flags:

--include  <charset> Include given characters in the set of characters to randomly choose a password from. Defaults to alphanumeric. As the password is randomly chosen, it is not ensured that the password will always contain at least one character from the given character set. Use --min for that. 

--exclude <charset>  Ensure the password does not contain any characters from the given character set. 

--min  <charset>:<n> Ensure that the resulting password contains at least n characters from the given character set.

The supported character sets are as follows:

alphanumeric    = a-zA-Z0-9
symbols         = !@#$%^*-_+=.,?
similar         = iIlL1oO0
numeric         = 0-9
letters         = a-zA-Z
lowercase       = a-z
uppercase       = A-Z 

A few notes on the character sets:

  • As numeric is a bit less generic, we could have aliases for numbers, number, and digits?
  • I think the similar set should also include the nine and the lowercase G: 9g. This requires a change to the randchar library though.

A few examples of usage are:

$ secrethub generate --include symbols
$ secrethub generate --include symbols --exclude similar
$ secrethub generate --min symbols:2 --min numeric:1

Rules are as follows:

  • --include and --min are mutually exclusive with --exclude, meaning you can't have both --include symbols --exclude symbols or --exclude symbols --min symbols:1.
  • --min symbols automatically also adds --include symbols.
  • --min symbols:0 automatically adds --include symbols, but does not impose a minimum constraint

Also, the help text of the secrethub generate command should include something about the security implications of constraints. See the package comments of the randchar package:

However, note that the strongest passwords are the ones with
the least requirements. Imposing e.g. a minimum requirement
on generated passwords reduces the entropy of the resulting
password. So when possible, avoid using any constraints.

And finally, the docs texts could use a little work.

The spec is still a bit of a work in progress, so feedback is welcome.
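The flag rules above, sketched as an added Go example (not SecretHub's code and not the randchar package). `Spec` and `Generate` are hypothetical names, and the example assumes the default pool is alphanumeric with `--include` adding to it; required characters are drawn first, the rest comes from the whole pool, and the result is shuffled, all with `crypto/rand`.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Character sets from the issue, with the ranges written out.
const lower, upper, digits = "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"

var charsets = map[string]string{
	"lowercase": lower, "uppercase": upper, "numeric": digits,
	"letters": lower + upper, "alphanumeric": lower + upper + digits,
	"symbols": "!@#$%^*-_+=.,?", "similar": "iIlL1oO0",
}

// Spec mirrors the three proposed flags (hypothetical type, not the CLI's own).
type Spec struct {
	Length           int
	Include, Exclude []string
	Min              map[string]int // charset name -> minimum count
}

// add appends the characters of set to pool, skipping excluded and duplicate ones.
func add(pool []rune, set, excluded string) []rune {
	for _, c := range set {
		if !strings.ContainsRune(excluded+string(pool), c) {
			pool = append(pool, c)
		}
	}
	return pool
}

// randIndex returns a uniform index in [0, n) from the OS CSPRNG, without modulo bias.
func randIndex(n int) int {
	i, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // never fall back to a weaker random source
	}
	return int(i.Int64())
}

// Generate applies the rules from the issue. Because "--min X:0" is the same as
// "--include X", both flags are folded into one name -> minimum map.
func Generate(s Spec) (string, error) {
	want := map[string]int{}
	for _, name := range s.Include {
		want[name] = 0
	}
	for name, n := range s.Min {
		want[name] = n
	}
	excluded := ""
	for _, name := range s.Exclude {
		set, ok := charsets[name]
		if _, clash := want[name]; !ok || clash {
			return "", fmt.Errorf("charset %q is unknown or also included", name)
		}
		excluded += set
	}
	pool := add(nil, charsets["alphanumeric"], excluded) // assumed default pool
	var out []rune
	for name, n := range want {
		set, ok := charsets[name]
		required := add(nil, set, excluded)
		if !ok || (n > 0 && len(required) == 0) || len(out)+n > s.Length {
			return "", fmt.Errorf("charset %q is unknown, fully excluded, or its minimum %d does not fit", name, n)
		}
		pool = add(pool, set, excluded)
		for i := 0; i < n; i++ { // place the required characters first
			out = append(out, required[randIndex(len(required))])
		}
	}
	if len(pool) == 0 && len(out) < s.Length {
		return "", fmt.Errorf("exclusions leave no characters to choose from")
	}
	for len(out) < s.Length { // fill the remainder from the whole pool
		out = append(out, pool[randIndex(len(pool))])
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates shuffle: required characters get no fixed position
		j := randIndex(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

func main() { // --min symbols:2 --min numeric:1, at an assumed length of 20
	fmt.Println(Generate(Spec{Length: 20, Min: map[string]int{"symbols": 2, "numeric": 1}}))
}
```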

Add --in-file flag to write command

Not every environment handles piping nicely and we cannot predict how users will use our CLI. For instance, a docker container with the secrethub binary as entrypoint cannot accept piped content (without workarounds).

Proposed docs changes

The write docs would change by adding this flag:

-i, --input-file (string)

   Use the contents of a file as secret input. 

And the order in which the command reads the secret from different inputs would change to:

  1. --input-file OR --clip. These two are mutually exclusive and should error when both are set.
  2. If input is piped, read from stdin
  3. If no other input is given, ask the user to type in the secret

Add a --parents flag to the mkdir command

When creating a full tree for a new project, it is often needed to create nested directories. To be able to do so without having to do a lot of monkey work, let's add a --parents flag to the mkdir command that creates the parent directories as well when these do not exist yet.

This flag would work exactly as the --parents flag on the unix mkdir command works: it will create the parent directories as well when these do not exist yet and it will not error when all directories already exist.

-p, --parents (bool)

   make parent directories as needed

Add a --silent flag to the read / run command

There are many scenarios where some secrets could be missing at a given time and I would like to silently ignore it so that the cli does not emit the following message:
Encountered an error: Secret not found (server.secret_not_found)

Description:

--silent
Silent or quiet mode. Don't show error messages.

Unable to find credential file in custom config directory

Issue

When I use a custom config directory, I get the error message:

Encountered an error: could not find credential file. Run `secrethub signup` to create an account.

However, when I specify the credential file directly from the config directory, it seems to work.

Reproduction Steps

# secrethub --version
secrethub version 0.34.0, build 549b444

# echo $SECRETHUB_CONFIG_DIR
/user/config/.secrethub

# secrethub read example/secret
Encountered an error: could not find credential file. Run `secrethub signup` to create an account.
# secrethub --config-dir='/user/config/.secrethub' read example/secret
Encountered an error: could not find credential file. Run `secrethub signup` to create an account. 

# secrethub --credential=`cat $SECRETHUB_CONFIG_DIR/credential` read example/secret
success

Expected Outcome

secrethub should respect the config directory settings, and find/read the credential file in the config directory.

Investigation Notes

I tried looking in https://github.com/secrethub/secrethub-go/blob/4b34720c13328528a5db7fc1c588b8e4c2b6b451/pkg/secrethub/configdir/dir.go#L36-L58, and it seems like it should do the expected thing -- so I'm super stumped.

I've also made sure it isn't a UNIX permission issue with the credential file, since I used root to perform the reproduction steps.

Lazily look up credential on secrethub run

Would be nice if the run command would not look for the credential if the .env file doesn't specify any secrets. If they're not there, then why bother looking for the credential?

To still be able to validate the credential (existence) upfront, a command secrethub validate-credential could be added.

ERROR with GPG key

When using curl https://apt.secrethub.io | bash I received the following error:

Err:1 https://apt.secrethub.io stable InRelease
  The following signatures were invalid: EXPKEYSIG 425F7AB667B0B1D8 SecretHub <[email protected]>
Reading package lists... Done
W: GPG error: https://apt.secrethub.io stable InRelease: The following signatures were invalid: EXPKEYSIG 425F7AB667B0B1D8 SecretHub <[email protected]>
E: The repository 'https://apt.secrethub.io stable InRelease' is not signed.

how to get SECRETHUB_CREDENTIAL?

I have looked everywhere in the docs for how to get this env-var and I didn't find anything.

I tried: secrethub run -- echo $SECRETHUB_CREDENTIAL
but it doesn't print it.

As far as I understand, I need it to integrate with github-actions (https://github.com/marketplace/actions/secrethub#usage)

on: push
jobs:
  notify-slack:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: secrethub/actions/[email protected]
        env:
          SECRETHUB_CREDENTIAL: ${{ secrets.SECRETHUB_CREDENTIAL }}.  <<----- How do I get it???
          SLACK_WEBHOOK: secrethub://company/app/slack/webhook
      - name: Print environment with masked secrets
        run: printenv
      - name: Notify Slack
        # This action expects SLACK_WEBHOOK to be set, which is now done automatically
        uses: Ilshidur/[email protected]
        with:
          args: Sent from GitHub Actions with secrets from SecretHub 🔑

OP_SESSION environment variable not found

I am unable to perform the migration as OP_SESSION variable is always empty

$ eval $(op signin)
$ secrethub migrate plan ###
Encountered an error: OP_SESSION environment variable not found, run `eval $(op signin)` to set one

cli versions:

$ secrethub -v
secrethub version 0.44.0, build d29a942
$ op -v
2.7.1

Add generate --clip flag

We have the --clip flag in the read command and it makes a lot of sense to add it to the generate command too.

  -c, --clip  Copy the secret value to the clipboard. The clipboard is
              automatically cleared after 45 seconds.

There's actually already a TODO comment in the code.

install on arm64

Hello,
I'm trying to build multiarch docker images but I think no arm64 package is available for alpine:

apk add --repository https://alpine.secrethub.io/alpine/edge/main --allow-untrusted secrethub-cli
#8 0.388 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/aarch64/APKINDEX.tar.gz                                                                                               
#8 1.257 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/aarch64/APKINDEX.tar.gz                                                                                          
#8 2.455 v3.13.6-28-g0fb6231dad [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]                                                                                                    
#8 2.455 v3.13.6-29-g6b33ef5588 [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
#8 2.455 OK: 13736 distinct packages available
#8 4.042 OK: 5 MiB in 14 packages
#8 4.218 fetch https://alpine.secrethub.io/alpine/edge/main/aarch64/APKINDEX.tar.gz
#8 4.602 ERROR: https://alpine.secrethub.io/alpine/edge/main: No such file or directory
#8 4.603 WARNING: Ignoring https://alpine.secrethub.io/alpine/edge/main: No such file or directory
#8 6.077 ERROR: unable to select packages:
#8 6.243   secrethub-cli (no such package):
#8 6.243     required by: world[secrethub-cli]

This works fine for amd64.

Snap: Errors with clipboard and file options for secrethub write (CLI)

I've been using secrethub for a while now and keep intermittently coming across these issues and have never found the source nor managed to fix them, resorting to copy and pasting manually as a workaround.

When I use the secrethub write -c I get the following error:

Encountered an error: cannot read from clipboard: No clipboard utilities available. Please install xsel, xclip, wl-clipboard or Termux:API add-on for termux-clipboard-get/set. (clipboard.cannot_read) 

I actually have both xsel and xclip installed. I've tried uninstalling one to see if it was a conflict of sorts, but received the same error.

When I use the secrethub write -i I get the following error:

Encountered an error: could not read the input file <file name here>: open <file name here>: permission denied (secrethub.in_file_read_error) 

I've tried setting 777 permissions on the file in question and I still get this issue.

This is happening on Ubuntu 20.04.1 LTS, using the secrethub-cli snap.

secrethub --version gives: secrethub version 0.34.0, build 549b444

I've done a lot of googling and have been unable to find anything online or in the SecretHub documentation. I hope we can get to the bottom of this, as it's a real pain having to copy and paste manually at the moment.

EDIT:

I've discovered that this ONLY occurs on the snap version. The same commands using the secrethub-cli downloaded from APT worked first time.

Add --template flag to inject command

When using a template from a file (which is the large majority of use-cases), you currently have to cat the file and pipe it to the inject command:

cat env.tpl | secrethub inject

Like with #35, not all environments work nicely with pipes. For example, in a docker image, we prefer a single call to a binary over the shell form of the command.

Therefore, I propose to add a --template-file flag that can be used as an alternative input to stdin.

--template-file (string)

   Use the contents of a file as template. 

And the order in which the command reads the template from different inputs would change to:

  1. --template-file
  2. If input is piped, read from stdin
  3. Error if no other input is given

Allow unescaped opening delimiters

In #103 (comment) @mackenbach suggested to accept this template input {{{ path/to/secret }}} and render it as follows: {secret value}.

Currently this returns an error, as the first two brackets ({{) open the secret tag and so the third bracket is invalid, as a bracket is not an allowed character in a secret path. To get the {secret value} output, you'd have to use \{{{ path/to/secret }}}.

Add Termux (Android) support

I'm using Termux for a handheld development environment on an Android phone and trying to install SecretHub via NPM failed with this message:
No SecretHub binary found for OS 'android'.

Npm package of @secrethub/cli is not an executable

Hi, I think that the deployment process of the @secrethub/cli npm-package may have a bug:

$ npx @secrethub/cli
npx: command not found: cli

Up until now, I used yarn1 and downloaded @secrethub/cli to the project. I couldn't run it like: yarn secrethub because of the bug above, so as a workaround, I specified the full path from the node_modules: yarn node_modules/.bin/secrethub. All good.

After moving to yarn2 as a package-manager, I don't have node_modules anymore, so I must do one of the following:

  1. yarn secrethub - throws an error. It may be related to the error above with npx.
  2. yarn dlx @secrethub/cli - same error as npx.
  3. npx @secrethub/cli - as you saw above.

Workaround: install secrethub from another package manager: apk/apt-get


More info:

This is the package.json of @secrethub/cli (which I couldn't find in your organization. I found it in the node_modules when using yarn1)

{
  "name": "@secrethub/cli",
  "scripts": {
    "preinstall": "node install.js"
  },
  "bin": {
    "secrethub": "./bin/secrethub"           <<<<<<<<<----
  },
  "author": "SecretHub <[email protected]> (https://secrethub.io)",
  "homepage": "https://secrethub.io",
  "repository": "github:secrethub/secrethub-cli",
  "description": "A secrets management platform that every engineer can use with minimal code changes.",
  "keywords": [
    "secrets management",
    "devops",
    "devsecops",
    "end-to-end encryption"
  ],
  "dependencies": {
    "axios": "^0.19.2",
    "tar": "^6.0.2",
    "unzipper": "^0.10.11"
  },
  "devDependencies": {},
  "license": "Apache-2.0",
  "version": "0.41.2"
}

Something may be wrong in ./bin/secrethub.

Cannot install secrethub cli via brew

The following command fails for me on macos:

➜  ~ brew install secrethub/tools/secrethub-cli
Error: secrethub/tools/secrethub-cli: Calling bottle :unneeded is disabled! There is no replacement.
Please report this issue to the secrethub/tools tap (not Homebrew/brew or Homebrew/core):
  /opt/homebrew/Library/Taps/secrethub/homebrew-tools/Formula/secrethub-cli.rb:6

Unable to install CLI on Mac OS Big Sur

https://signup.secrethub.io/install

When following these instructions from the above page:

brew install secrethub/tools/secrethub-cli
secrethub init --setup-code xx-xxx-xxxx-xxx-xx

I get the following error:

Encountered an error: unknown long flag '--setup-code'

My system is:
Mac OS Big Sur
11.2.1 (20D75)

My cli version is:
secrethub version 0.39.0, build cd99b29

I was unable to install and proceed using the service.

Unicode characters in passphrase breaks passphrase caching

If a user has é in his passphrase, caching of the passphrase with the OS's keyring breaks on MacOS. The following error message is returned:

Encountered an error: cannot get passphrase from keyring: invalid character 'b' after top-level value (secrethub.cannot_get_keyring)

This might have something to do with the keyring returning a non-UTF-8-encoded string when this character is used, which breaks the json decoding of the stored value.

Install via package managers

We'd like to distribute the CLI via package managers, so that it can be easily installed using the package manager you are used to.
e.g.

brew install secrethub

We'd like to support at least:

  • brew
  • snap

Other package managers we are considering are:

  • apk
  • choco
  • apt-get
  • yum
  • scoop
  • pacman/Arch User Repository
  • NPM

We might add other package managers to this list. Please let us know if there's another package manager in which you'd like us to distribute the CLI.

Support 1Password CLI 2 in migration commands

Currently, the secrethub migrate commands require 1Password CLI version 1 to be installed. Now that 1Password CLI 2.0 is in Early Access, the migration commands should support both versions, so that you can install the 1Password v2 beta CLI and use that for the migration from SecretHub to 1Password.

Parse .env vars to directory vars

Hey there, so I have been reading the documentation and I haven't found a way to dump a list of variables already set in my .env file as children of a secrets directory in my account. There is an option called -i but this dumps a full .env file in one child, but I am talking about adding each variable of the file as a child in the tree, either considering some tree structure from the var names (it would be the reverse implementation of the proposal in #286) or just adding each var as a direct child. It could be added as a --dump option in the write command:

secrethub write -d/--dump path/to/env/file path/to/secrethub/dir

Example

// .env file
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
DB_USERNAME
DB_PASSWORD

would map to

org/repo/my-app/
    aws/
        access_key_id
        secret_access_key
    db/
        username
        password

What do you think?

APT update using main stable, failed to fetch due to unexpected size (402 != 400).

Hello :)

Not sure if it's the right place to put this issue (or if it's on your end).

Since Friday 18 February, we have had an issue using Secrethub in our CI (github actions). This is due to an error when using the script from https://apt.secrethub.io/ (which is the script given in the doc https://secrethub.io/docs/reference/cli/install/).

The error is "File has unexpected size (402 != 400). Mirror sync in progress?"

Therefore I am not sure if we just need to wait a couple more days for the mirror to sync (but it seems a long time to me)

Waiting for your answer :)
(and sorry again if it's not the right place ;) )

How to reproduce

Create a new docker using ubuntu latest and run a bash terminal.

docker run -i -t ubuntu:latest /bin/bash

Then in the bash, follow the instructions stated in https://apt.secrethub.io/

apt-get update && apt-get install -y curl gnupg2
curl -fsSL https://apt.secrethub.io/pub | apt-key add -
echo "deb https://apt.secrethub.io stable main" > /etc/apt/sources.list.d/secrethub.sources.list && apt-get update
apt-get install -y secrethub-cli

You should see an error during the apt-get update of the 3rd line.

Log

root@d2fd2cbabb36:/# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:3 https://apt.secrethub.io stable InRelease [2679 B]
Hit:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:5 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:6 https://apt.secrethub.io stable/main amd64 Packages [400 B]
Err:6 https://apt.secrethub.io stable/main amd64 Packages
  File has unexpected size (402 != 400). Mirror sync in progress? [IP: 13.32.145.117 443]
  Hashes of expected file:
   - Filesize:400 [weak]
   - SHA256:f7c0d9e046bae66ed02bada097ca5036756bc0cb8faab1ba875fc7aed1e04be8
   - SHA1:6e13648d9fb5d9c39b86d9095edc3e428e66c6de [weak]
   - MD5Sum:06a2e516db468ac83df0d52b4aae352b [weak]
  Release file created at: Thu, 26 Aug 2021 18:55:48 +0000
Fetched 2679 B in 1s (2821 B/s)
Reading package lists... Done
E: Failed to fetch https://apt.secrethub.io/dists/stable/main/binary-amd64/Packages.gz  File has unexpected size (402 != 400). Mirror sync in progress? [IP: 13.32.145.117 443]
   Hashes of expected file:
    - Filesize:400 [weak]
    - SHA256:f7c0d9e046bae66ed02bada097ca5036756bc0cb8faab1ba875fc7aed1e04be8
    - SHA1:6e13648d9fb5d9c39b86d9095edc3e428e66c6de [weak]
    - MD5Sum:06a2e516db468ac83df0d52b4aae352b [weak]
   Release file created at: Thu, 26 Aug 2021 18:55:48 +0000
E: Some index files failed to download. They have been ignored, or old ones used instead.

ARM Build

I would like to use secrethub on arm machines. Currently this gives an exec format error.
With goreleaser this should be trivial right?

-bash: /usr/local/bin/secrethub: cannot execute binary file: Exec format error

Error applying migration: unknown command "list" for "op"

Used the secrethub CLI to generate the migration plan but have the following error applying it:

op --version 2.9.1
secrethub --version 0.43.0, build 3962e85
secrethub migrate apply --plan-file=./1password-migration-plan.yml
[1/5] Checking vault: creds-keys
[ERROR] 2022/12/07 08:42:11 unknown command "list" for "op"
Usage:  op [command] [flags]

Management Commands:
  account     Manage your locally configured 1Password accounts
  connect     Manage Connect instances and Connect tokens in your 1Password account
  document    Perform CRUD operations on Document items in your vaults
  events-api  Manage Events API integrations in your 1Password account
  group       Manage the groups in your 1Password account
  item        Perform CRUD operations on the 1Password items in your vaults
  plugin      Manage the shell plugins you use to authenticate third-party CLIs
  user        Manage users within this 1Password account
  vault       Manage permissions and perform CRUD operations on your 1Password vaults

Commands:
  completion  Generate shell completion information
  inject      Inject secrets into a config file
  read        Read a secret using the secrets reference syntax
  run         Pass secrets as environment variables to a process
  signin      Sign in to a 1Password account
  signout     Sign out of a 1Password account
  update      Check for and download updates.
  whoami      Get information about a signed-in account

Global Flags:
      --account account    Select the account to execute the command by account shorthand, sign-in address, account ID, or user ID. For a list
                           of available accounts, run 'op account list'. Can be set as the OP_ACCOUNT environment variable.
      --cache              Store and use cached information. Cache is enabled by default. The cache is not available on Windows. (default true)
      --config directory   Use this configuration directory.
      --debug              Enable debug mode. Can also be enabled by setting the OP_DEBUG environment variable to true.
      --encoding type      Use this character encoding type. Default: UTF-8. Supported: SHIFT_JIS, gbk.
      --format string      Use this output format. Can be 'human-readable' or 'json'. Can be set as the OP_FORMAT environment variable.
                           (default "human-readable")
  -h, --help               Get help for op.
      --iso-timestamps     Format timestamps according to ISO 8601 / RFC 3339. Can be set as the OP_ISO_TIMESTAMPS environment variable.
      --no-color           Print output without color.
      --session token      Authenticate with this session token. 1Password CLI outputs session tokens for successful 'op signin' commands when
                           1Password app integration is not enabled.

Run 'op [command] --help' for more information on the command.
Encountered an error: could not check vault existence: could not list vaults: 1password: op list vaults: exit status 1

Map all secrets from directory to environment variables

Currently, a secrethub.env file has to be created to easily map multiple secrets to environment variables when using secrethub run.

However, in many cases the names of secrets already describe the names of the environment variables they should be mounted to. By adding the --secrets-dir path/to/dir flag, you could easily load all secrets to the environment.

The mapping could follow a default set of rules, e.g. replace dirs (/) with _ etc. This could drastically decrease the setup time needed, as no templates need to be written.

Example

This tree:

org/repo/my-app/
    aws/
        access_key_id
        secret_access_key
    db/
        username
        password

Would map to:

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
DB_USERNAME
DB_PASSWORD

by running:

secrethub run --secrets-dir=org/repo/my-app/ -- node app.js
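The mapping rule proposed above, as an added Go example (not SecretHub's code; `EnvName` and `MapDir` are hypothetical names and the sample paths are constructed from the tree in the issue). It applies only the stated rule, replace `/` with `_` and uppercase, and rejects the two cases where that rule would put the wrong or no secret in a variable: two paths collapsing to one name, and a result that is not a valid variable name.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// validName is the portable environment variable syntax, after uppercasing.
var validName = regexp.MustCompile(`^[A-Z_][A-Z0-9_]*$`)

// EnvName strips the directory prefix, replaces "/" with "_" and uppercases.
// Other characters (such as "-" or ".") are not rewritten; they fail validation.
func EnvName(dir, secretPath string) (string, error) {
	dir = strings.TrimSuffix(dir, "/") + "/"
	if !strings.HasPrefix(secretPath, dir) {
		return "", fmt.Errorf("%s is not inside %s", secretPath, dir)
	}
	rel := strings.TrimPrefix(secretPath, dir)
	name := strings.ToUpper(strings.ReplaceAll(rel, "/", "_"))
	if !validName.MatchString(name) {
		return "", fmt.Errorf("%s maps to %q, which is not a valid variable name", secretPath, name)
	}
	return name, nil
}

// MapDir maps every secret path under dir to NAME -> secrethub://path, the
// reference form the README uses with `secrethub run`. It fails instead of
// silently letting one secret overwrite another when two paths share a name,
// e.g. db/user_name and db_user/name both become DB_USER_NAME.
func MapDir(dir string, secretPaths []string) (map[string]string, error) {
	sorted := append([]string(nil), secretPaths...)
	sort.Strings(sorted) // deterministic error messages
	source := map[string]string{}
	env := map[string]string{}
	for _, p := range sorted {
		name, err := EnvName(dir, p)
		if err != nil {
			return nil, err
		}
		if prev, dup := source[name]; dup {
			return nil, fmt.Errorf("%s and %s both map to %s", prev, p, name)
		}
		source[name] = p
		env[name] = "secrethub://" + p
	}
	return env, nil
}

func main() {
	// Constructed sample: the tree from the issue, flattened to secret paths.
	env, err := MapDir("org/repo/my-app/", []string{
		"org/repo/my-app/aws/access_key_id",
		"org/repo/my-app/aws/secret_access_key",
		"org/repo/my-app/db/username",
		"org/repo/my-app/db/password",
	})
	fmt.Println(env, err)
}
```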

Alias description flags

Can we create an alias --description and --descr for this? I find myself typing it wrong every time. --description should also be the default if you ask me.

Originally posted by @mackenbach in #138

stdout and stderr mixed in secrethub run

Encountered Behavior

When the subcommand of run writes to both stdout and stderr and secret masking is enabled, the output of stdout and stderr is mixed, resulting in potentially unreadable output.

When wrapping this example in secrethub run the output can be any of these:
123
213
132

Expected Behavior

When the subcommand writes to both stdout and stderr, the order in which output is written to the two is preserved.

When wrapping this example in secrethub run the output is always 123.
