Loads a gocryptfs encrypted 'vault' of sensitive environment variables into the current Bash shell.
IMPORTANT NOTE: I make no claims as to the security of this setup! It works for me. For anything but the most simple scenarios, consider using a more robust secrets manager such as Hashicorp Vault.
- Make sure gocryptfs is installed.
- Source
pmv.sh
in the Bash shell where you wish to have access to the vault functions.
. pmv.sh
Run pmv_help
for usage and current vault settings.
Vault is configured via the following environment variables:
PMV_ENV
: The vault environment files to load (defaultdev
). Only this environment and thecommon
environment will be loaded in the current shell.PMV_VAULT_DIR
: The gocryptfs encrypted directory (default/var/db/vault
).PMV_MOUNT_DIR
: The directory to mount the encrypted directory on (default/tmp/vault.decrypted
).
Before vault can be used, you must initialize the encrypted vault directory, and provide the decryption password.
- Ensure
${PMV_VAULT_DIR}
doesn't already exist. - Run
pmv_init
, then enter the encyption password.
Run pmv_edit
This decrypts the vault, mounts it at ${PMV_MOUNT_DIR}
, and opens
${PMV_MOUNT_DIR}
in the default editor app.
Create a directory in ${PMV_MOUNT_DIR}
that matches the name of the
${PMV_ENV}
setting.
Within the ${PMV_ENV}
subdirectory, place one or more files ending
with a .sh
extension.
In each file, add any environment variable exports that you wish to keep encrypted.
export DB_PASSWORD=sekret
export VPS_ACCESS_TOKEN=sometoken
In addition to the environment specific directories, you can also add a
common
directory -- any .sh
files within it will be loaded for all
environments, prior to the environment-specific files being loaded.
Upon exit of the editor, the vault is 'closed' by unmounting ${PMV_MOUNT_DIR}
.
- Run
pmv_load
- Enter the password used when the vault was initialized.
This decrypts the vault, mounts it at ${PMV_MOUNT_DIR}
, and sources all
files ending in .sh
in the following directories, in the following order:
${PMV_MOUNT_DIR}/common
${PMV_MOUNT_DIR}/${PMV_ENV}
Immediately after loading all files into the current shell, the vault is
'closed' by unmounting ${PMV_MOUNT_DIR}
.
- Run
pmv_change_password
- Enter the old password
- Enter the new password
A simple push/pull mechanism allows synchronizing a local vault with a vault on a remote server:
pmv_push root@foo.example.com
pmv_pull root@foo.example.com
Under the hood, rsync -avz --delete
is used to synchronize the
directories. Directory modification times are checked both local and remote, and
the operation is aborted if the target directory has a modification time after
the source directory.
To defeat the modification time validation check, use the force
variant
of the commands:
pmv_force_push root@foo.example.com
pmv_force_pull root@foo.example.com
IMPORTANT NOTE: The validation and synchronization feature is very basic,
and is provided as a convenience. It should work fine when used properly, and,
use at your own risk! In particular, make sure you have a valid setting for
Vault directory
on all servers by running pmv_help
- See
man gocryptfs
to understand the backing library, and run any advanced operations on the vault, such as checking consistency.