Secretr is a secure secret management tool implemented in Go. It provides encrypted storage, secure access, backup/restore features, CLI/API interfaces to manage secrets, and encrypted file storage with image rendering capabilities.
- Encryption & Security:
Uses AES-GCM with a master key derived via Argon2id.
Device fingerprinting prevents secretr access even if copied to another device. - MasterKey Management:
- Set up secretr with a MasterKey.
- Change or rotate the MasterKey.
- Reset functionality with emailed reset code if enabled.
- Secret CRUD Operations:
- Store (
set) secrets with support for nested keys (using dot notation). - Retrieve (
get) secrets. - Delete secrets.
- List all secret keys.
- Store (
- Environment Integration:
- Load and enrich environment variables from secretr.
- Set a single secret as an environment variable.
- Backup & Restore:
- Create backup copies via API or CLI.
- Restore from backup files.
- CLI & API:
- Interactive CLI for managing secrets (
set,get,delete,copy,env,enrich,list). - HTTP endpoints for key management, backup, and restore (see
/secretr/backupand/secretr/restoreendpoints).
- Interactive CLI for managing secrets (
- Audit Logging:
Writes audit logs with HMAC signatures to ensure tamper detection. - Additional Utilities:
- Copy secret to clipboard.
- Import/export secretr data (JSON format).
- Clone the repository:
git clone https://github.com/oarkflow/secretr.git
- Build the project:
cd secretr go build ./cmd/main.go
- Initialize and execute secretr:
./main
- Interactive commands:
set <key>: Set a secret. The tool will prompt for the value securely.get <key>: Retrieve the value of a secret.delete <key>: Remove a secret.copy <key>: Copy the secret to the clipboard.env <key>: Set the secret as an environment variable.load-env: Load all environment variables from the secretr.enrich: Enrich the process's environment with all secretr secrets.list: Display all keys stored in secretr.exit/quit: Save and exit the CLI.
The secretr also exposes HTTP endpoints:
- List & Retrieve Keys:
- GET
/secretr/or/secretr/keysto list all keys. - GET
/secretr/<key>to retrieve a specific secret.
- GET
- Add/Update a Secret:
- POST/PUT
/secretr/<key>with the secret in the request body.
- POST/PUT
- Delete a Secret:
- DELETE
/secretr/<key>
- DELETE
- Clear Secretr:
- PATCH
/secretr/clearto remove all secrets.
- PATCH
- Backup & Restore:
- POST
/secretr/backupto create a backup file. - POST
/secretr/restore?path=<backup_path>to restore the secretr from a backup file.
- POST
Secretr provides encrypted file storage with dedicated HTTP endpoints:
- Upload File:
- POST
/api/files- Upload a file with metadata (multipart/form-data) - Form fields:
file(required),tags(comma-separated),prop_*(custom properties)
- POST
- List Files:
- GET
/api/files- Get a list of all stored files and their metadata
- GET
- Download File:
- GET
/api/files/{filename}- Download a specific file
- GET
- Render Image:
- GET
/api/files/render/{filename}- Render an image file directly in the browser (only works for image files)
- GET
- Delete File:
- DELETE
/api/files/{filename}- Delete a specific file
- DELETE
- Secretr Directory:
By default, the secretr uses the.secretrdirectory in your home folder. You can override this by setting theSECRETR_DIRenvironment variable. - Reset Password:
During the initial setup, you will have the option to enable reset password functionality.
- CLI Example:
secretr> set my.secret Enter secret: ************* secretr> get my.secret ************* secretr> list my.secret
- Programmatic Usage:
See
/examples/main.gofor an example that loads environment variables and retrieves secrets.
- Secretr encrypts your secrets on disk. Ensure your master key is kept secure.
- Secretr files are bound to the device they were created on using device fingerprinting.
- Even if a secretr file is copied and the master key is known, it cannot be accessed from a different device.
- Regularly back up your secretr using the provided backup commands.
- Audit logs are stored in the secretr directory to track operations.