mvisonneau/s5 - Safely Store Super Sensitive Stuff

s5 is a very small binary that lets you easily cipher/decipher content within your files. For the moment it only supports HashiCorp's Vault transit secrets engine, but it could be ported to additional backends as well.

TL;DR

# Configure Vault
~$ export VAULT_ADDR=https://vault.rocks
~$ export VAULT_TOKEN=f4262de2-4e07-5b85-98ea-7702e2c7cdb9

# Encrypt text
~$ s5 cipher very_sensitive_value
{{ s5:sIPFWfAcBvOnOtVcs65QGh+S3af4Wo= }}

# Store it anywhere in your files
~$ cat example.yml
---
var1: {{ s5:EtWnJ8ZyuwzRn8I3jw== }}
var2: {{ s5:8tceTb9yc0CBgEqrpw== }}
{{ s5:Glv1MRAuNOorI3oJA== }}: {{ s5:S4Lfavx2svWlSAD8sWHV }}

# Render!
~$ s5 render example.yml
---
var1: foo
var2: bar
secret_key: secret_value

# s5 can also read from stdin
~$ echo "foo" | s5 cipher | s5 decipher
foo
~$ echo "foo: {{ s5:8tceTb9yc0CBgEqrpw== }}" | s5 render
foo: bar
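The render step shown above, as an added Go example that is not part of s5's own code: it scans text for `{{ s5:... }}` markers and resolves each one through Vault's transit decrypt endpoint using only the standard library. How s5 itself maps a marker payload onto Vault's ciphertext is an assumption here (the ciphertext with its `vault:v1:` prefix dropped), as is the transit engine's mount path; the key name "default" matches the CLI default below.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// s5Pattern matches the "{{ s5:<payload> }}" markers shown in the README; payloads are base64 only.
var s5Pattern = regexp.MustCompile(`\{\{\s*s5:([A-Za-z0-9+/=]+)\s*\}\}`)
// Render replaces every s5 marker in input with the plaintext returned by decipher. It stops at the
// first refused payload, so a wrong token or transit key never silently leaves ciphertext behind.
func Render(input string, decipher func(string) (string, error)) (string, error) {
	out, last := "", 0
	for _, m := range s5Pattern.FindAllStringSubmatchIndex(input, -1) {
		plain, err := decipher(input[m[2]:m[3]])
		if err != nil {
			return "", fmt.Errorf("rendering %s: %w", input[m[0]:m[1]], err)
		}
		out += input[last:m[0]] + plain
		last = m[1]
	}
	return out + input[last:], nil
}
// VaultDecipher resolves payloads via Vault's transit API (assumed mounted at transit/): POST /v1/transit/decrypt/<key>
// returns the plaintext base64-encoded in data.plaintext. Assumed, not s5's format: payload = ciphertext minus "vault:v1:".
func VaultDecipher(addr, token, key string) func(string) (string, error) {
	return func(payload string) (string, error) {
		body, _ := json.Marshal(map[string]string{"ciphertext": "vault:v1:" + payload})
		req, err := http.NewRequest("POST", addr+"/v1/transit/decrypt/"+key, bytes.NewReader(body))
		if err != nil {
			return "", err
		}
		req.Header.Set("X-Vault-Token", token) // the token travels only in this header, never in the URL
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		var r struct{ Data struct{ Plaintext string } }
		if err := json.NewDecoder(resp.Body).Decode(&r); err != nil || resp.StatusCode != http.StatusOK {
			return "", fmt.Errorf("vault returned %s: %v", resp.Status, err)
		}
		plain, err := base64.StdEncoding.DecodeString(r.Data.Plaintext)
		return string(plain), err
	}
}
```

With VAULT_ADDR and VAULT_TOKEN exported as in the TL;DR, `Render(fileContents, VaultDecipher(addr, token, "default"))` produces the same output as `s5 render`, and a denied or unknown payload aborts the render instead of writing a half-decrypted file.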

Usage

~$ s5
NAME:
   s5 - cipher/decipher text within a file from a (Hashicorp) Vault transit key

USAGE:
   s5 [global options] command [command options] [arguments...]

VERSION:
   <devel>

COMMANDS:
     cipher    return an encrypted s5 pattern that can be included in any file
     decipher  return an unencrypted s5 value from a given pattern
     render    render a file that (may) contain s5 encrypted patterns
     help, h   Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --vault-addr address         vault address [$VAULT_ADDR]
   --vault-token token          vault token [$VAULT_TOKEN]
   --transit-key name, -k name  name of the transit key used by s5 to cipher/decipher data (default: "default") [$S5_TRANSIT_KEY]
   --log-level level            log level (debug,info,warn,fatal,panic) (default: "info") [$S5_LOG_LEVEL]
   --log-format format          log format (json,text) (default: "text") [$S5_LOG_FORMAT]
   --help, -h                   show help
   --version, -v                print the version

Install

Have a look at the project's release page; we currently build it for Linux, Darwin and Windows platforms.

# Linux
~$ wget https://github.com/mvisonneau/s5/releases/download/0.2.0/s5_linux_amd64 -O /usr/local/bin/s5; chmod +x /usr/local/bin/s5
# MacOS
~$ wget https://github.com/mvisonneau/s5/releases/download/0.2.0/s5_darwin_amd64 -O /usr/local/bin/s5; chmod +x /usr/local/bin/s5
# Windows
¯\_(ツ)_/¯

You can also use the docker version:

~$ docker run -it --rm mvisonneau/s5

Examples

Render in-place

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 render --in-place example.yml

~$ cat example.yml
foo: bar

Render in a new file

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 render example.yml --output example-dec.yml

~$ cat example-dec.yml
foo: bar

Troubleshoot

You can use the --log-level debug flag to troubleshoot:

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 --log-level debug render example.yml
s5 --log-level debug render secrets.yml
DEBU[2018-07-09T15:06:49Z] Configuring Vault
DEBU[2018-07-09T15:06:49Z] Executing function 'render'
DEBU[2018-07-09T15:06:49Z] Opening input file : example.yml
DEBU[2018-07-09T15:06:49Z] Starting deciphering
DEBU[2018-07-09T15:06:49Z] found: s5:8tceTb9yc0CBgEqrpw==
DEBU[2018-07-09T15:06:49Z] Outputing to stdout
foo: bar
DEBU[2018-07-09T15:06:49Z] Executed in 13.1337ms, exiting..

Develop / Test

If you use Docker, you can easily get started using:

~$ make dev-env
# You should then be able to use go commands to work on the project, eg:
~docker$ make fmt
~docker$ s5

This command spins up a Vault container and builds another one with all the Go dependencies required to get started.

BONUS

If you are using atom.io as your IDE, you can have a look at a module I have written that integrates s5 with it.

Contribute

Contributions are more than welcome! Feel free to submit a PR.