6 releases (3 breaking)

0.4.0 May 31, 2023
0.3.1 Apr 7, 2023
0.2.0 May 18, 2021
0.1.2 Sep 16, 2020


MPL-2.0 license

1.5K SLoC


secretgarden is a self-contained CLI that generates and securely stores secrets like the following:

  • Passwords
  • SSH keys
  • TLS/X.509 certificates
  • Opaque values

It's made for sysadmins who manage a small set of systems by themselves. Secrets are kept safe with a key derived from your SSH key (in concert with NaCl's secretbox and the argon2 hash).

The interaction model is strongly inspired by a credential server called CredHub, where an automated deployment tool can ask for a secret that is:

  • Securely stored
  • Automatically generated if it does not exist
  • Re-generated if the secret's options have changed
  • Easy to generate based on other certificates (CAs with child certificates, for instance)


Currently, secretgarden can only be installed from source. Install Rust via rustup or OS packages, then run the following from inside this directory:

$ cargo install --path .

(Make sure that ~/.cargo/bin is in your $PATH.)



Before getting started, make sure that you have ssh-agent running, and that you've added keys to it:

$ ssh-add -l

If $ ssh-add -l returns nothing, then add your SSH key with $ ssh-add.

Note: only RSA and ED25519 keys are accepted. DSA and ECDSA signatures include a fresh random value, so signing the same data twice gives different results, which makes those keys unusable for key derivation.

If $ ssh-add -l returns an error, you likely aren't running ssh-agent. You can start it for your current shell with $ eval $(ssh-agent), but you should probably add that command to your login script.
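A preflight check for the ssh-agent requirements above, as an added example that is not part of secretgarden: it separates the three cases (agent unreachable, no keys loaded, no key of an accepted type). The function names are hypothetical, the sample listing is constructed, and the exit codes are the ones documented for OpenSSH's ssh-add.

```shell
#!/bin/sh
# Added example, not part of secretgarden; all function names are hypothetical.

# Constructed sample of `ssh-add -l` output (fingerprints are placeholders).
SAMPLE_AGENT_LISTING='256 SHA256:PLACEHOLDER-ed25519 admin@laptop (ED25519)
256 SHA256:PLACEHOLDER-ecdsa deploy key (ECDSA)
1024 SHA256:PLACEHOLDER-dsa old@host (DSA)'

# Read `ssh-add -l` lines ("<bits> <fingerprint> <comment> (<TYPE>)") on stdin
# and print "usable|unusable <TYPE> <fingerprint>" for each key.
classify_agent_keys() {
    while read -r bits fp rest; do
        case "$rest" in
            *"("*")") ;;       # ends with a "(TYPE)" field
            *) continue ;;     # blank line or a status message
        esac
        type=${rest##*\(}      # the comment may contain spaces; take the last "("
        type=${type%\)}
        case "$type" in
            RSA|ED25519) printf 'usable %s %s\n' "$type" "$fp" ;;
            *)           printf 'unusable %s %s\n' "$type" "$fp" ;;
        esac
    done
}

# Succeed if stdin lists at least one RSA or ED25519 key.
has_usable_key() {
    n=$(classify_agent_keys | grep -c '^usable ' || true)
    [ "$n" -gt 0 ]
}

# Check the live agent. OpenSSH's ssh-add exits 1 when the command fails
# (here: no identities) and 2 when it cannot contact the agent.
secretgarden_preflight() {
    out=$(ssh-add -l 2>/dev/null) && rc=0 || rc=$?
    case "$rc" in
        0) ;;
        1) echo "no keys in ssh-agent; run ssh-add" >&2; return 1 ;;
        *) echo "cannot reach ssh-agent; run: eval \$(ssh-agent)" >&2; return 2 ;;
    esac
    printf '%s\n' "$out" | classify_agent_keys >&2
    printf '%s\n' "$out" | has_usable_key || {
        echo "no RSA or ED25519 key loaded; add one with ssh-add" >&2
        return 3
    }
}
```

Call secretgarden_preflight at the top of a deployment script, before the first secretgarden invocation. Any type other than RSA or ED25519 is reported as unusable.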

Getting autogenerated secrets

Secrets are retrieved via subcommands of secretgarden. For instance, to retrieve a 32-character random password named mysql-root-password, run:

$ secretgarden password mysql-root-password

If this password doesn't exist, it will be generated and stored.

SSH keys can be generated similarly:

$ secretgarden ssh-key jumpbox-ssh-key

The public key can be retrieved with --public:

$ secretgarden ssh-key jumpbox-ssh-key --public
ssh-ed25519 ...

Changing config

Each of the secret types has configuration that can be changed, ranging from password length to complex X.509 options. This configuration is read from secretgarden.toml in the current directory. For example:

length = 64

type = "rsa"
bits = 4096

is-ca = true

To see the options supported by a secret type, run secretgarden SECRET-TYPE --help:

$ secretgarden ssh-key --help
Get or generate an SSH key.

Will output the private key by default.

Available config options:
  * `type`: the type of SSH key (`rsa`, `dsa`, `ecdsa`, or `ed-25519`; defaults to `ed-25519`).
  * `bits`: the number of bits in the key (only supported for `rsa` and `ecdsa` keys).


Storing opaque values

Some secrets might be dictated to you (API tokens, etc.), but it can still be useful to store them alongside generated secrets.

Opaque (non-generated) values can be set with secretgarden set-opaque and retrieved with secretgarden opaque:

$ secretgarden set-opaque api-token
<enter secret value>
$ secretgarden opaque api-token
<your secret value>

