Skip to content


Repository files navigation

🔐 s5 - Safely Store Super Sensitive Stuff

PkgGoDev Go Report Card test Coverage Status release s5

s5 allows you to easily cipher/decipher content within your files. It is a cli tool that works on most platforms (Linux, Mac OS X, Windows, Freebsd and Solaris!)

Encryption backends supported


Example using AES-GCM as the encryption backend



~$ s5
   s5 - cipher/decipher text within a file

   s5 [global options] command [command options] [arguments...]

     cipher    return an encrypted s5 pattern that can be included in any file
     decipher  return an unencrypted s5 value from a given pattern
     render    render a file that (may) contain s5 encrypted patterns
     help, h   Shows a list of commands or help for one command

   --log-level level    log level (debug,info,warn,fatal,panic) (default: "info") [$S5_LOG_LEVEL]
   --log-format format  log format (json,text) (default: "text") [$S5_LOG_FORMAT]
   --help, -h           show help
   --version, -v        print the version


Have a look onto the latest release page and pick your flavor.

Checksums are signed with the following GPG key: C09C A9F7 1C5C 988E 65E3  E5FC ADEA 38ED C46F 25BE


~$ go install


~$ snap install mvisonneau-s5


~$ brew install mvisonneau/tap/s5


~$ docker run -it --rm
~$ docker run -it --rm
~$ docker run -it --rm


~$ scoop bucket add
~$ scoop install s5

Binaries, DEB and RPM packages

For the following ones, you need to know which version you want to install, to fetch the latest available :

~$ export S5_VERSION=$(curl -s "" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
# Binary (eg: freebsd/amd64)
~$ wget${S5_VERSION}/s5_${S5_VERSION}_freebsd_amd64.tar.gz
~$ tar zxvf s5_${S5_VERSION}_freebsd_amd64.tar.gz -C /usr/local/bin

# DEB package (eg: linux/386)
~$ wget${S5_VERSION}/s5_${S5_VERSION}_linux_386.deb
~$ dpkg -i s5_${S5_VERSION}_linux_386.deb

# RPM package (eg: linux/arm64)
~$ wget${S5_VERSION}/s5_${S5_VERSION}_linux_arm64.rpm
~$ rpm -ivh s5_${S5_VERSION}_linux_arm64.rpm


Render in-place

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 render aes --in-place example.yml

~$ cat example.yml
foo: bar

Render in a new file

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 render aes example.yml --output example-dec.yml

~$ cat example-dec.yml
foo: bar


You can use the --log-level debug flag in order to troubleshoot

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 --log-level=debug render aes example.yml
DEBU[2019-07-24T18:16:44+02:00] Opening input file : example.yml
DEBU[2019-07-24T18:16:44+02:00] Starting deciphering
DEBU[2019-07-24T18:16:44+02:00] found: 8tceTb9yc0CBgEqrpw
DEBU[2019-07-24T18:16:44+02:00] Deciphering '8tceTb9yc0CBgEqrpw' using AES
DEBU[2019-07-24T18:16:44+02:00] Outputing to stdout
foo: bar
DEBU[2019-07-24T18:16:44+02:00] Executed in 1.803305ms, exiting..

Develop / Test

If you use docker, you can easily get started using :

~$ make dev-env
# You should then be able to use go commands to work onto the project, eg:
~docker$ make fmt
~docker$ s5

This command will spin up a Vault container and build another one with everything required in terms of golang dependencies in order to get started.

Build / Release

If you want to build and/or release your own version of s5, you need the following prerequisites :

~$ git clone && cd s5

# Build the binaries locally
~$ make build

# Build the binaries and release them (you will need a GITHUB_TOKEN and to reconfigure .goreleaser.yml)
~$ make release


We have modules/extensions for both and vscode


Contributions are more than welcome! Feel free to submit a PR.