tISM - the Immutable Secrets Manager
tISM is PGP encryption-as-a-service for secrets management. It encrypts and decrypts PGP secrets via an API with token authorization.
tISM solves the secrets-management problem of immutable infrastructure.
Use at your own risk!
- Does not store any secrets.
- Simple. No databases. The only persistent data is a pgp keyring and configuration file.
- Asymmetric encryption with secure and ubiquitous PGP/GPG. Allows secrets to be encrypted with distributed public keys.
- Authorization with short lived and revocable JWT tokens.
tISM relies on three separate components to access a secret:
- Access token
- PGP-encrypted message
- tISM server
Install from the RPM package:

```shell
# Install
sudo dnf install https://github.com/deuscapturus/tism/releases/download/0.0/tism-0.0-1.fc25.x86_64.rpm
# Initialize
sudo tism -t -c -n
# Run
sudo systemctl start tism
```
Run as a container with systemd-nspawn. systemd-nspawn runs containers and ships with systemd, so it is available on most Linux distributions without any further setup.

```shell
# Install
sudo machinectl --verify=checksum pull-tar https://github.com/deuscapturus/tism/releases/download/0.0/tism-0.0.tgz
# Initialize
sudo systemd-nspawn -M tism-0.0 tism -t -c -n
# Run
sudo systemd-nspawn -M tism-0.0 tism
```
Docker is annoyingly opinionated about forcing immutable containers, so there is one additional step here: the initialized container must be committed to a new image before it is run.

```shell
# Install
docker import -c 'EXPOSE 8080' https://github.com/deuscapturus/tism/releases/download/0.0/tism-0.0.tgz tism
# Initialize
docker run --name=tism tism tism -t -c -n
# Generate new image from initialized container
docker commit tism tism:initialized
# Run
docker run -d tism:initialized tism
```
To use the web UI, your browser must have ES6 module support enabled (a very new feature).
Currently supported browsers:
- Firefox 54 or later with `dom.moduleScripts.enabled` set
- Safari 10.1 or later