
bury

bury is a fast, secure CLI for encrypting secrets so you can keep them out of dotfiles and source control while still using them in your shell. It stores your passphrase in the macOS Keychain and derives encryption keys with Argon2id.

If you want export OPENAI_API_KEY="..." in your ~/.zshrc without the key itself sitting in that file, bury lets you keep only the ciphertext there and decrypt it at shell startup.

Why bury

  • No secrets in dotfiles: your shell config holds only encrypted blobs.
  • Strong crypto: Argon2id (memory‑hard KDF) + XChaCha20‑Poly1305 (AEAD).
  • Fast at startup: once the passphrase is in Keychain, decryption runs without a prompt.
  • No secret embedded in the binary: the passphrase is provided at runtime and stored in Keychain, never compiled in.
  • Practical security: protects against accidental leaks and against offline brute force of the ciphertexts.

Quick start

  1. Build and install:
cargo build --release
cp target/release/bury /usr/local/bin/bury
  2. Store your passphrase in Keychain:
bury --setup
  3. Encrypt a secret (or pipe it in with --encrypt-stdin to keep the plaintext out of your shell history):
bury --encrypt "PLAINTEXT"
  4. Put it in ~/.zshrc:
export OPENAI_API_KEY="$(bury 'bury:v1:...')"
  5. Reload your shell:
source ~/.zshrc

Usage

Encrypt

Encrypt a literal string (the plaintext lands in your shell history and is visible in process listings while bury runs; prefer one of the two forms below for real secrets):

bury --encrypt "PLAINTEXT"

Encrypt from stdin:

printf '%s' "$OPENAI_API_KEY" | bury --encrypt-stdin

Encrypt from an environment variable:

export OPENAI_API_KEY="PLAINTEXT"
bury --encrypt-env OPENAI_API_KEY

Decrypt

Decrypt a ciphertext (prints plaintext to stdout). Note that in export VAR="$(bury '...')" the shell discards bury's exit status, so a failed decryption silently exports VAR as an empty string; when something looks wrong, run the decryption on its own to see the error:

bury "bury:v1:..."

Keychain management

Store passphrase in Keychain:

bury --setup

Remove passphrase from Keychain:

bury --clear-secret

Ciphertext format

bury outputs ciphertexts like:

bury:v1:<base64(salt||nonce||ciphertext)>
  • salt: 16 bytes (Argon2id salt, carried with each ciphertext)
  • nonce: 24 bytes (XChaCha20 nonce)
  • ciphertext: AEAD output, i.e. the encrypted plaintext followed by the 16‑byte Poly1305 authentication tag

The format is versioned (the v1 prefix) so that primitives or parameters can change in a later version without breaking ciphertexts already in your dotfiles.
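The following Rust program is an added example, not code from the bury repository: it parses and rebuilds the bury:v1 envelope described above and checks its framing, which is the structural half of what a "decryption failed" error can mean (a truncated or malformed container) as opposed to the cryptographic half (a failed Poly1305 tag). It runs neither Argon2id nor XChaCha20‑Poly1305. The names Envelope, parse_envelope, build_envelope, b64_decode and b64_encode are the example's own, and it assumes the standard base64 alphabet with '=' padding, which the README does not state.

```rust
// Added example, not bury's own code: parse and rebuild the
// bury:v1:<base64(salt||nonce||ciphertext)> envelope and check its framing.
// No Argon2id or XChaCha20-Poly1305 runs here, so a successful parse means only
// that the container is intact; the AEAD tag is what proves the contents are.
// Assumption: standard base64 alphabet with '=' padding (not stated in the README).
use std::convert::TryInto;

const PREFIX: &str = "bury:v1:";
const SALT_LEN: usize = 16; // Argon2id salt
const NONCE_LEN: usize = 24; // XChaCha20 nonce
const TAG_LEN: usize = 16; // Poly1305 tag, the last bytes of the ciphertext
const ALPHABET: &[u8; 64] =
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Decoded envelope; `ciphertext` still carries the trailing Poly1305 tag.
#[derive(Debug, PartialEq)]
pub struct Envelope {
    pub salt: [u8; SALT_LEN],
    pub nonce: [u8; NONCE_LEN],
    pub ciphertext: Vec<u8>,
}

/// Strict standard-base64 decoder: rejects bad lengths, unknown characters
/// and padding anywhere except the tail of the final 4-character block.
pub fn b64_decode(s: &str) -> Result<Vec<u8>, String> {
    let bytes = s.as_bytes();
    if bytes.len() % 4 != 0 {
        return Err("base64 length is not a multiple of 4 (truncated?)".into());
    }
    let nblocks = bytes.len() / 4;
    let mut out = Vec::with_capacity(nblocks * 3);
    for (bi, block) in bytes.chunks(4).enumerate() {
        let (mut acc, mut pad): (u32, usize) = (0, 0);
        for (i, &c) in block.iter().enumerate() {
            let v = if c == b'=' {
                if i < 2 { return Err("misplaced padding".into()); }
                pad += 1;
                0
            } else {
                if pad > 0 { return Err("data after padding".into()); }
                let idx = ALPHABET.iter().position(|&a| a == c);
                idx.ok_or_else(|| format!("invalid base64 byte {:#04x}", c))? as u32
            };
            acc = (acc << 6) | v;
        }
        if pad > 0 && bi + 1 != nblocks { return Err("padding before the final block".into()); }
        let full = [(acc >> 16) as u8, (acc >> 8) as u8, acc as u8];
        out.extend_from_slice(&full[..3 - pad]);
    }
    Ok(out)
}

/// Standard base64 encoder with padding (inverse of `b64_decode`).
pub fn b64_encode(data: &[u8]) -> String {
    let mut out = String::with_capacity((data.len() + 2) / 3 * 4);
    for chunk in data.chunks(3) {
        let mut acc: u32 = 0;
        for i in 0..3 {
            acc = (acc << 8) | u32::from(*chunk.get(i).unwrap_or(&0));
        }
        for i in 0..4 {
            // One character per 6 bits actually present; '=' for the rest.
            if i <= chunk.len() { out.push(ALPHABET[((acc >> (18 - 6 * i)) & 0x3f) as usize] as char); }
            else { out.push('='); }
        }
    }
    out
}

/// Split an envelope into salt, nonce and tagged ciphertext, rejecting a wrong
/// or missing version prefix and any payload too short to hold all three.
pub fn parse_envelope(s: &str) -> Result<Envelope, String> {
    let payload = s.strip_prefix(PREFIX)
        .ok_or_else(|| format!("missing or unsupported prefix, expected {:?}", PREFIX))?;
    let raw = b64_decode(payload)?;
    let min = SALT_LEN + NONCE_LEN + TAG_LEN;
    if raw.len() < min { return Err(format!("payload is {} bytes, need at least {}", raw.len(), min)); }
    let (salt, rest) = raw.split_at(SALT_LEN);
    let (nonce, ciphertext) = rest.split_at(NONCE_LEN);
    Ok(Envelope {
        salt: salt.try_into().unwrap(),
        nonce: nonce.try_into().unwrap(),
        ciphertext: ciphertext.to_vec(),
    })
}

/// Assemble an envelope string from its fields (inverse of `parse_envelope`).
pub fn build_envelope(salt: &[u8; SALT_LEN], nonce: &[u8; NONCE_LEN], ct: &[u8]) -> String {
    let raw: Vec<u8> = [&salt[..], &nonce[..], ct].concat();
    format!("{}{}", PREFIX, b64_encode(&raw))
}

fn main() {
    // Constructed fixed-byte fields, not real bury output (a real envelope has a
    // random salt and nonce): 5 plaintext bytes + 16-byte tag = 21 ciphertext bytes.
    let (salt, nonce, ct) = ([0x11u8; SALT_LEN], [0x22u8; NONCE_LEN], [0x33u8; 5 + TAG_LEN]);
    let s = build_envelope(&salt, &nonce, &ct);
    println!("{s}");
    println!("{:?}", parse_envelope(&s).map(|e| e.ciphertext.len()));
    // Dropping one character breaks the base64 framing, so the envelope is
    // rejected before any key derivation or decryption would run.
    println!("{:?}", parse_envelope(&s[..s.len() - 1]));
}
```

The minimum length check (16 + 24 + 16 bytes) is what lets a parser distinguish "this was truncated" from "this failed authentication": anything shorter than a salt, a nonce and a bare tag can never have been valid output, while a payload that passes the check can still be rejected by the AEAD if a single bit was changed.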

Security model

bury is designed for practical security:

  • Protects against accidental leaks (dotfiles, backups, logs, pastebins).
  • Resists offline brute‑force attacks thanks to Argon2id.
  • Keeps your passphrase out of the binary and config files.

bury does not claim to defeat a fully privileged attacker who can inspect your running process or read the OS keychain. If an attacker has root access, all bets are off. Note also that a value exported into your shell environment is inherited by every child process of that shell and readable by any code running as your user; bury protects the secret at rest in your dotfiles, not once it has been decrypted into a live session.

Crypto details

  • KDF: Argon2id (64 MiB, 3 iterations, parallelism 1)
  • AEAD: XChaCha20‑Poly1305
  • Randomness: OS CSPRNG
  • Memory hygiene: sensitive buffers are zeroized on drop

Performance

Decryption is designed to be fast enough for shell startup. The heavy work is the Argon2id key derivation, which is intentionally memory‑hard to resist brute‑force attempts, but still runs quickly on modern hardware. Because each ciphertext carries its own salt, every bury call in your shell config performs its own derivation, so the startup cost grows with the number of secrets you decrypt.

Troubleshooting

I get prompted for a passphrase every time

  • Your Keychain entry may not exist, or the keychain may be locked.
  • Run bury --setup again and ensure Keychain access is allowed.

I get “decryption failed”

  • The ciphertext was modified or truncated.
  • The wrong passphrase is stored in Keychain.
  • You can clear it with bury --clear-secret and re‑setup.

I want to rotate my passphrase

  1. While the old passphrase is still stored, decrypt each secret (bury 'bury:v1:...') and keep the plaintexts at hand; you need them in step 4.
  2. Clear the stored passphrase: bury --clear-secret
  3. Set a new one: bury --setup
  4. Re‑encrypt your secrets with the new passphrase and replace the old ciphertexts in your dotfiles.

Old ciphertexts that survive in backups or version‑control history are still protected only by the old passphrase, so if you are rotating because that passphrase may have leaked, rotate the underlying secrets as well.

FAQ

Why not just use an environment manager or .env file?

Because those still store secrets in plaintext somewhere. bury ensures only encrypted data lives in your dotfiles.

Why not embed the passphrase in the binary?

If a binary can decrypt, the key can be extracted. Storing the passphrase in the OS keychain is a safer, standard approach.

Does this work on Linux or Windows?

The core crypto works everywhere, but Keychain storage is macOS‑specific in this build. Adding other backends would be straightforward.

Development

Run tests:

cargo test

License

MIT
