secretgarden

secretgarden is a self-contained CLI that generates and securely stores secrets like the following:

• Passwords
• SSH keys
• TLS/X.509 certificates
• Opaque values

It's made for sysadmins that manage a small set of systems by themselves. Secrets are kept safe with a key derived from your SSH key (in concert with NaCl's secretbox and the argon2 hash).

The interaction model is strongly inspired by a credential server called CredHub, where an automated deployment tool can ask for a secret that is:

• Securely stored
• Automatically generated if it does not exist
• Re-generated if the secret's options have changed
• Easy to generate based on other certificates (CAs with child certificates, for instance)

Installation

Currently, secretgarden can only be installed from source. Install Rust via rustup or OS packages, then run $ cargo install --path . from inside this directory. (Make sure that ~/.cargo/bin is in your $PATH.)

Usage

Prerequisites

Before getting started, make sure that you have ssh-agent running, and that you've added keys to it:

$ ssh-add -l
256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA me@home (ED25519)
...

If $ ssh-add -l returns nothing, then add your SSH key with $ ssh-add.

Note: only RSA and ED25519 keys are accepted. DSA and ECDSA keys generate random signatures, making them unusable for key derivation.

If it returns an error, you likely aren't running ssh-agent. You can start it for your current shell with $ eval $(ssh-agent), but should probably add that command to your login script.

Getting autogenerated secrets

Secrets are retrieved via subcommands of secretgarden. For instance, to retrieve a 32-character random password named mysql-root-password, run:

$ secretgarden password mysql-root-password
nEIn5JwTCpaIrGGpCehuP6rVbCgKLWow

If this password doesn't exist, it will be generated and stored.

SSH keys

SSH keys can be generated similarly:

$ secretgarden ssh-key jumpbox-ssh-key
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

The public key can be retrieved with --public:

$ secretgarden ssh-key jumpbox-ssh-key --public
ssh-ed25519 ...

X.509 certificates

X.509 certificates can be fetched in multiple formats and signed by other secretgarden-managed certificates.

If a certficate is generated without a CA, it will be self signed. If a CA is configured as follows:

[x509.example-ca]
is-ca = true

[x509.example-child]
ca = "example-ca"

then example-child will be signed by example-ca. Note that example-ca must be generated first and must be unexpired.

These certificates and their public/private keys may be retrieved one at a time, or all at once. For instance:

$ secretgarden x509 example-child --certficate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$ secretgarden x509 example-child --certifcate --private-key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Changing config

Each of the secret types has configuration that can be changed, ranging from password length to complex X.509 options. This configuration is read from secretgarden.toml in the current directory. For example:

[password.mysql-root-password]
length = 64

[ssh-key.jumpbox-ssh-key]
type = "rsa"
bits = 4096

[x509.ca]
is-ca = true

To see the options supported by a secret type, see secretgarden SECRET-TYPE --help:

$ secretgarden ssh-key --help
Get or generate an SSH key.

Will output the private key by default.

Available config options:
  * `type`: the type of SSH key (`rsa`, `dsa`, `ecdsa`, or `ed-25519`; defaults to `ed-25519`).
  * `bits`: the number of bits in the key (only supported for `rsa` and `ecdsa` keys).

...

Storing opaque values

Some secrets might be dictated to you (API tokens, etc.), but it can still be useful to store them alongside generated secrets.

Opaque (non-generated) values can be set with secretgarden set-opaque and retrieved with secretgarden opaque:

$ secretgarden set-opaque api-token
<enter secret value>
$ secretgarden opaque api-token
<your secret value>