Spawn environments from securely stored secrets.
With so many secrets floating around in our modern lives, it's a wonder we're able to keep track of any of them!
vaulted
allows you to create vaults of related secrets and then spawn
sessions with these secrets. Vaults can contain secure environment
variables, AWS credentials, or SSH keys (RSA, DSA, & ECDSA).
vaulted
also attempts to insulate spawned environments from other
environments on the system. Temporary AWS credentials are created for each
session as well as a new SSH agent. The SSH agent still allows access keys in
the parent environment's SSH agent, but any keys added inside the spawned
environment are only available in the that environment.
The easiest way to install vaulted
on macOS is through
Homebrew.
brew install vaulted
If you already have Linux Brew installed
brew install vaulted
If you do not use Linux Brew, you will need to build vaulted manually.
Installation on other platforms should be simple enough through go install
as
long as you have a proper Go environment setup:
go install github.com/miquella/vaulted@latest
Don't forget to add $GOPATH/bin
to your $PATH
! You must be running go version
1.12 or greater.
vaulted
is oriented around vaults of secrets that are used to spawn
environments. To get started, add a new vault:
vaulted add my-vault
This will start an interactive editing mode that will help you create your
first vault. AWS keys, SSH keys, and arbitrary environment variables can be
added to the vault. Once you have your vault arranged how you would like, use
q
to exit the interactive mode and save the vault to disk.
While editing a vault, Ctrl+C
may be used to discard changes to the
vault.
Now that your vault has been saved, the list of vaults will reflect your newly saved vault:
vaulted ls
And you can use vaulted
to spawn a command in an environment generated from
the secrets stored in the vault:
vaulted -n my-vault -- aws s3 ls
Sometimes it is useful to be able to issue multiple commands that require the vault's secrets. In this case, you can spawn an interactive shell:
vaulted shell my-vault
Warning! Leaving interactive shells with your credentials loaded can be dangerous as you may inadvertently provide credentials to an application you didn't intend!
Vaults and cached sessions are stored according to the XDG Base Directory Specification.
Vault files are stored in:
$XDG_DATA_HOME/vaulted/
(typically~/.local/share/vaulted/
)$XDG_DATA_DIRS/vaulted/
(typically/usr/local/share
and/usr/share
)
Vault files are written to $XDG_DATA_HOME/vaulted/
. To backup your Vaulted data, all files in
this directory should be backed up. Session cache files do not need to be retained.
Session cache files are stored in:
$XDG_CACHE_HOME/vaulted/
(typically~/.cache/vaulted/
)
An env
subcommand has been included with the intention of supplying machine
readable output for integration with shells and shell utilities. Every effort
has been made to supply meaningful return codes on failures along with a
description of what has gone wrong. See vaulted(1)
for details on the return
values to expect and their meanings.
While vaulted
supports basic modification methods like copying, editing, and
removing, more advanced methods such as JSON-formatted dumping and loading are
also available. An environment can even be loaded into a running shell! See
vaulted --help
for available commands.
In addition to including secrets stored in the vault, spawned environments also
include environment variables that describe how the session and environment
were spawned. See vaulted-env(1)
and vaulted-shell(1)
for details.
GUI-based password prompts can be used by setting the VAULTED_ASKPASS
variable. See vaulted(1)
for more details.