This script provides a secure and encrypted way to manage and store sensitive information, such as API keys, credentials, and other secrets. It uses GPG encryption to keep your secrets safe and allows you to easily add, retrieve, list, and delete secrets.
```sh
git clone https://github.com/pl4g4/secure-secrets.git
cd secure-secrets
chmod +x secure-secrets.sh
```

The script uses GPG to encrypt and decrypt the secrets file. If GPG is not installed on your system, the script will attempt to install it.

To manually install GPG:

- On macOS, use Homebrew:

  ```sh
  brew install gnupg
  ```

- On Linux (Debian/Ubuntu-based):

  ```sh
  sudo apt update && sudo apt install -y gnupg
  ```

- On Linux (RHEL/CentOS-based):

  ```sh
  sudo yum install -y gnupg2
  ```
Once the script is set up, you can interact with it via the command line.

To add a secret, use the `add` command. You need to provide a key and a value.

```sh
./secure-secrets.sh add <key> <value>
```

Example:

```sh
./secure-secrets.sh add dynatrace_api <your-api-token-here>
```

This will encrypt the secret and save it to the `.secrets.gpg` file.

To retrieve a secret, use the `get` command followed by the key.

```sh
./secure-secrets.sh get <key>
```

Example:

```sh
./secure-secrets.sh get dynatrace_api
```

This will decrypt and return the value of the `dynatrace_api` secret.

To list all stored secrets (only keys, not values), use the `list` command:

```sh
./secure-secrets.sh list
```

To delete a secret, use the `delete` command followed by the key:

```sh
./secure-secrets.sh delete <key>
```

Example:

```sh
./secure-secrets.sh delete dynatrace_api
```

This will remove the specified secret from the `.secrets.gpg` file.
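To make the add/get/list/delete flow concrete, here is an added sketch of the same operations; it is example code written for this page, not the `secure-secrets.sh` script from the repository. The store logic runs over a plaintext `key=value` buffer (stdin to stdout) so it can be exercised without GPG, and `vault_read`/`vault_write` wrap that buffer in GPG symmetric AES-256 encryption as described above. The `VAULT` path, the `store_*` and `update` names, and the one-entry-per-line format are assumptions; nothing is written back to the vault if decrypting or editing fails, so a wrong passphrase cannot wipe it.

```sh
#!/usr/bin/env sh
# Added example, not the secure-secrets.sh script from the repository.
# The store_* functions edit a "key=value" buffer on stdin; vault_read and
# vault_write wrap that buffer in GPG symmetric AES-256 encryption.
# VAULT, the function names and the line format are assumptions.

VAULT="${VAULT:-$HOME/.secrets.gpg}"
NL=$(printf '\n.'); NL=${NL%.}           # a literal newline for pattern tests

# store_set KEY VALUE: replace (or append) KEY in the store read from stdin.
store_set() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) echo "invalid key: '$1'" >&2; return 1 ;;
    esac
    case $2 in
        *"$NL"*) echo "value must be a single line" >&2; return 1 ;;
    esac
    awk -v k="$1" -F= 'NF && $1 != k'    # keep every other entry
    printf '%s=%s\n' "$1" "$2"           # then append the new one
}

# store_get KEY: print the value, exit 1 if KEY is absent. Values may contain '='.
store_get() {
    awk -v k="$1" -F= '
        NF && $1 == k { sub(/^[^=]*=/, ""); print; found = 1; exit }
        END           { exit !found }'
}

# store_list: keys only, never values.
store_list() {
    awk -F= 'NF { print $1 }'
}

# store_del KEY: drop KEY from the store read from stdin.
store_del() {
    awk -v k="$1" -F= 'NF && $1 != k'
}

# vault_read: decrypt the vault to stdout (an empty store if it does not exist yet).
vault_read() {
    [ -f "$VAULT" ] || return 0
    gpg --quiet --decrypt "$VAULT"
}

# vault_write: encrypt stdin with a passphrase that gpg prompts for through
# pinentry (never passed on the command line) and replace the vault atomically.
vault_write() {
    tmp="$VAULT.tmp.$$"
    ( umask 077; gpg --quiet --yes --symmetric --cipher-algo AES256 --output "$tmp" ) &&
        mv "$tmp" "$VAULT"               # umask 077 makes the new file 0600
}

# update FILTER ARGS...: run a store_* filter over the decrypted vault and
# re-encrypt the result; nothing is written if decrypting or filtering fails.
update() {
    old=$(vault_read) || return 1
    new=$(printf '%s\n' "$old" | "$@") || return 1
    printf '%s\n' "$new" | vault_write
}

main() {
    cmd=$1; shift
    case $cmd in
        add)    update store_set "$1" "$2" ;;
        get)    vault_read | store_get "$1" ;;
        list)   vault_read | store_list ;;
        delete) update store_del "$1" ;;
        *)      echo "usage: $0 {add <key> <value>|get <key>|list|delete <key>}" >&2
                return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Keys are restricted to `[A-Za-z0-9_]` so they can be used verbatim as `awk` match values and as environment variable names; values are free-form except that they must fit on one line.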
- Use a Strong Passphrase for GPG: When setting up GPG, ensure that you use a strong, unique passphrase to protect your secrets.
- Encrypt Secrets File: The `.secrets.gpg` file is the core of this script. Make sure it is securely stored in a location with proper access controls. It is highly recommended to restrict permissions (e.g., `chmod 600 ~/.secrets.gpg`).
- Do Not Commit Secrets: Avoid committing your `.secrets.gpg` file to version control (e.g., Git). Use `.gitignore` to exclude it.
- Backup Your Secrets: If you're using this script in production or for critical systems, ensure you have encrypted backups of your secrets.
- Environment Variables: Consider storing environment variables (such as API tokens) in this encrypted file, and use them in your scripts or applications securely.
- GPG: This script relies on GPG encryption to keep your secrets secure.
- Linux/Mac: This script works on both Linux and macOS systems.
- Encrypted Secrets: Secrets are encrypted using AES-256 encryption, ensuring that even if someone gains access to the `.secrets.gpg` file, they will not be able to read the secrets without the GPG passphrase.
- File Permissions: Ensure that the `.secrets.gpg` file has restricted permissions. Use `chmod 600 ~/.secrets.gpg` to limit access to the file.
- Key Management: You are responsible for managing your GPG keys securely. Store your GPG passphrase safely, and never hardcode it into scripts or code.
- Avoid Exposing Secrets: Always be cautious when outputting secrets or passing them through logs, and consider masking secrets in output when running scripts.
For example, if you need to retrieve a token for `dynatrace_api` and use it in a curl command:

```sh
curl -L -X GET "https://your-api-endpoint" -H "Authorization: Api-Token $(./secure-secrets.sh get dynatrace_api)" -H "Accept: application/json"
```

This way, you can safely use API tokens without hardcoding them directly into your scripts.
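One caveat a practitioner will want on the curl example: expanding `$(./secure-secrets.sh get dynatrace_api)` inside `-H "..."` places the token in curl's argument list, and a process's argv is readable by other local users through `ps` or `/proc/<pid>/cmdline`. The added example below (written for this page, not code from the repository) keeps the same request but hands the headers to curl as a config file on stdin via `-K -`, so the token is only ever in a shell variable and a pipe. `build_curl_config` and `api_get` are assumed names, the endpoint URL is the page's placeholder, and it assumes `printf` is a shell builtin (as in dash, bash, ksh and zsh), so it creates no process with the token in its argv.

```sh
#!/usr/bin/env sh
# Added example, not from the secure-secrets repository: fetch an API with a
# stored token without the token appearing on any command line.
# build_curl_config and api_get are assumed names.

# build_curl_config TOKEN: emit curl config lines carrying the Authorization
# and Accept headers. curl config values are double-quoted, so a token that
# contains '"' or '\' is rejected rather than escaped; real API tokens do not.
build_curl_config() {
    case $1 in
        ''|*'"'*|*'\'*) echo "unsupported token format" >&2; return 1 ;;
    esac
    printf 'header = "Authorization: Api-Token %s"\n' "$1"
    printf 'header = "Accept: application/json"\n'
}

# api_get URL KEY: GET URL using the secret stored under KEY. The token lives
# only in a shell variable and in curl's stdin (read with -K -), never in argv.
api_get() {
    token=$(./secure-secrets.sh get "$2") || return 1
    build_curl_config "$token" | curl -sS -L -K - "$1"
}

# Usage (needs the repository script and a stored dynatrace_api key):
#   api_get "https://your-api-endpoint" dynatrace_api
```

`-sS` keeps curl quiet except for errors, and `-L` is kept from the original command. The same pattern works for any tool that can read headers or credentials from a file or stdin rather than from its arguments.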