Spawning and storage of secure environments
Spawn environments from securely stored secrets.
With so many secrets floating around in our modern lives, it's a wonder we're able to keep track of any of them!
vaultedallows you to create vaults of related secrets and then spawn sessions with these secrets. Vaults can contain secure environment variables, AWS credentials, or SSH keys (RSA, DSA, & ECDSA).
vaultedalso attempts to insulate spawned environments from other environments on the system. Temporary AWS credentials are created for each session as well as a new SSH agent. The SSH agent still allows access keys in the parent environment's SSH agent, but any keys added inside the spawned environment are only available in the that environment.
The easiest way to install
vaultedon macOS is through Homebrew.
brew install vaulted
If you already have Linux Brew installed
brew install vaulted
If you do not use Linux Brew, you will need to build vaulted manually.
Installation on other platforms should be simple enough through
go getas long as you have a proper Go environment setup:
go get -u github.com/miquella/vaulted
Don't forget to add
$PATH! You must be running go version 1.12 or greater.
vaultedis oriented around vaults of secrets that are used to spawn environments. To get started, add a new vault:
vaulted add my-vault
This will start an interactive editing mode that will help you create your first vault. AWS keys, SSH keys, and arbitrary environment variables can be added to the vault. Once you have your vault arranged how you would like, use
qto exit the interactive mode and save the vault to disk.
While editing a vault,
Ctrl+Cmay be used to discard changes to the vault.
Now that your vault has been saved, the list of vaults will reflect your newly saved vault:
And you can use
vaultedto spawn a command in an environment generated from the secrets stored in the vault:
vaulted -n my-vault -- aws s3 ls
Sometimes it is useful to be able to issue multiple commands that require the vault's secrets. In this case, you can spawn an interactive shell:
vaulted shell my-vault
Warning! Leaving interactive shells with your credentials loaded can be dangerous as you may inadvertently provide credentials to an application you didn't intend!
Vaults and cached sessions are stored according to the XDG Base Directory Specification.
Vault files are stored in:
Vault files are written to
$XDG_DATA_HOME/vaulted/. To backup your Vaulted data, all files in this directory should be backed up. Session cache files do not need to be retained.
Session cache files are stored in:
envsubcommand has been included with the intention of supplying machine readable output for integration with shells and shell utilities. Every effort has been made to supply meaningful return codes on failures along with a description of what has gone wrong. See
vaulted(1)for details on the return values to expect and their meanings.
vaultedsupports basic modification methods like copying, editing, and removing, more advanced methods such as JSON-formatted dumping and loading are also available. An environment can even be loaded into a running shell! See
vaulted --helpfor available commands.
In addition to including secrets stored in the vault, spawned environments also include environment variables that describe how the session and environment were spawned. See
GUI-based password prompts can be used by setting the
vaulted(1)for more details.