
mvisonneau/s5 - Safely Store Super Sensitive Stuff


s5 is a very small binary that lets you easily cipher/decipher content within your files. For the moment it only supports the Vault transit secret engine (Hashicorp), but it could be ported to additional ones as well.


# Configure Vault
~$ export VAULT_ADDR=
~$ export VAULT_TOKEN=f4262de2-4e07-5b85-98ea-7702e2c7cdb9

# Encrypt text
~$ s5 cipher very_sensitive_value
{{ s5:sIPFWfAcBvOnOtVcs65QGh+S3af4Wo= }}

# Store it anywhere in your files
~$ cat example.yml
var1: {{ s5:EtWnJ8ZyuwzRn8I3jw== }}
var2: {{ s5:8tceTb9yc0CBgEqrpw== }}
{{ s5:Glv1MRAuNOorI3oJA== }}: {{ s5:S4Lfavx2svWlSAD8sWHV }}

# Render!
~$ s5 render example.yml
var1: foo
var2: bar
secret_key: secret_value

# s5 can also read from stdin
~$ echo "foo" | s5 cipher | s5 decipher
~$ echo "foo: {{ s5:8tceTb9yc0CBgEqrpw== }}" | s5 render
foo: bar


~$ s5
   s5 - cipher/decipher text within a file from a (Hashicorp) Vault transit key

   s5 [global options] command [command options] [arguments...]


     cipher    return an encrypted s5 pattern that can be included in any file
     decipher  return an unencrypted s5 value from a given pattern
     render    render a file that (may) contain s5 encrypted patterns
     help, h   Shows a list of commands or help for one command

   --vault-addr address         vault address [$VAULT_ADDR]
   --vault-token token          vault token [$VAULT_TOKEN]
   --transit-key name, -k name  name of the transit key used by s5 to cipher/decipher data (default: "default") [$S5_TRANSIT_KEY]
   --log-level level            log level (debug,info,warn,fatal,panic) (default: "info") [$S5_LOG_LEVEL]
   --log-format format          log format (json,text) (default: "text") [$S5_LOG_FORMAT]
   --help, -h                   show help
   --version, -v                print the version


You can have a look at the release page of the project. We currently build it for Linux, Darwin and Windows platforms.

# Linux
~$ wget -O /usr/local/bin/s5; chmod +x /usr/local/bin/s5
# MacOS
~$ wget -O /usr/local/bin/s5; chmod +x /usr/local/bin/s5
# Windows

You can also use the docker version:

~$ docker run -it --rm mvisonneau/s5


Render in-place

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 render --in-place example.yml

~$ cat example.yml
foo: bar
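
Because `render --in-place` leaves the deciphered values in the file on disk, a check that a secrets file is still fully ciphered is useful before committing it. The Go code below is an added example, not part of s5: `s5Pattern`, `Finding` and `PlaintextValues` are hypothetical names, the pattern grammar is inferred from the samples in this README, and the file is assumed to be flat `key: value` YAML in which every value should be ciphered.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// s5Pattern matches the "{{ s5:<base64> }}" form shown in this README.
// The exact grammar s5 accepts is an assumption inferred from those samples.
var s5Pattern = regexp.MustCompile(`\{\{\s*s5:[A-Za-z0-9+/]+={0,2}\s*\}\}`)

// Finding is one "key: value" line whose value is not an s5 pattern.
type Finding struct {
	Line int
	Key  string
}

// PlaintextValues scans a flat YAML-like file in which every value is
// expected to be ciphered and reports the lines that are not.
func PlaintextValues(content string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// Mask patterns first so a ciphered key such as
		// "{{ s5:... }}: {{ s5:... }}" splits on the right colon.
		masked := s5Pattern.ReplaceAllString(line, "<s5>")
		key, value, ok := strings.Cut(masked, ":")
		if v := strings.TrimSpace(value); ok && v != "" && v != "<s5>" {
			out = append(out, Finding{Line: n, Key: strings.TrimSpace(key)})
		}
	}
	return out
}

func main() {
	// Constructed sample: line 2 was left in clear text.
	sample := "var1: {{ s5:EtWnJ8ZyuwzRn8I3jw== }}\nvar2: bar\n"
	for _, f := range PlaintextValues(sample) {
		fmt.Printf("line %d: value of %q is not ciphered\n", f.Line, f.Key)
	}
}
```

Only the line number and key are reported, never the value, so the check itself does not copy a secret into CI logs.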

Render in a new file

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 render example.yml --output example-dec.yml

~$ cat example-dec.yml
foo: bar


You can use the --log-level debug flag in order to troubleshoot:

~$ cat example.yml
foo: {{ s5:8tceTb9yc0CBgEqrpw== }}

~$ s5 --log-level debug render example.yml
s5 --log-level debug render secrets.yml
DEBU[2018-07-09T15:06:49Z] Configuring Vault
DEBU[2018-07-09T15:06:49Z] Executing function 'render'
DEBU[2018-07-09T15:06:49Z] Opening input file : example.yml
DEBU[2018-07-09T15:06:49Z] Starting deciphering
DEBU[2018-07-09T15:06:49Z] found: s5:8tceTb9yc0CBgEqrpw==
DEBU[2018-07-09T15:06:49Z] Outputing to stdout
foo: bar
DEBU[2018-07-09T15:06:49Z] Executed in 13.1337ms, exiting..

Develop / Test

If you use docker, you can easily get started using:

~$ make dev-env
# You should then be able to use go commands to work on the project, e.g.:
~docker$ make fmt
~docker$ s5

This command will spin up a Vault container and build another one with everything required in terms of golang dependencies in order to get started.


If you are using as your IDE, you can have a look at a module I have written that integrates s5 with it.


Contributions are more than welcome! Feel free to submit a PR.