Confcrypt - The most unsafe secrets management you'll ever find
Some time ago I created a tool called gitsync to sync single files from a git repo to my server for config management purposes. One thing I noticed was that these files often contained secrets and so I wanted a way to en- and decrypt them on the fly. SOPS springs to mind immediately, but it wasn't fit for my purpose because I wanted selective encryption (meaning I wanted to be able to control which values were encrypted) and I also wanted to allow editing the file without having to de- and re-encrypt it. So this barely working tool was born.
This tool currently only supports yaml and env files.
Installation
confcrypt is a binary without external dependencies except glibc. Grab yourself the newest version from releases and just put it in /usr/bin. No configuration needed.
To decrypt, you must provide the process with an env var named CONFCRYPT_PRIVATE_KEY containing the private key to the public key used for encryption.
Usage
General
A path to a file may be specified as input using -i/--input or as output with -o/--output. If they are not present, it will read from stdin and write to stdout respectively.
Decrypting
The decryption process is the same regardless of filetype.
confcrypt decrypt (-i FILE, -o FILE)
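A wrapper for the decrypt step, as an added example that is not part of confcrypt or its README: it reads the private key from a file, hands it to a single confcrypt process through CONFCRYPT_PRIVATE_KEY, and replaces the output file only after a successful decrypt. The function names, the key-file location and the assumption that confcrypt exits non-zero on failure are not from the README.

```shell
#!/bin/sh
# Added example, not part of confcrypt. Function names and all paths are hypothetical.

# Succeeds only if the key file grants no permissions to group or others.
key_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# decrypt_config ENCRYPTED_FILE OUTPUT_FILE KEY_FILE
decrypt_config() {
    src=$1 dst=$2 key_file=$3
    if ! key_file_is_private "$key_file"; then
        echo "refusing to use $key_file: readable by group or others" >&2
        return 1
    fi
    # mktemp creates the file with mode 0600, so the plaintext is never
    # world-readable, and it lives next to $dst so mv is a rename.
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    # The assignment prefix puts the key in the environment of this one
    # confcrypt process instead of exporting it into the calling shell.
    # Assumption: confcrypt exits non-zero when decryption fails.
    if CONFCRYPT_PRIVATE_KEY=$(cat "$key_file") \
        confcrypt decrypt -i "$src" -o "$tmp"; then
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"
        echo "decryption of $src failed, $dst left untouched" >&2
        return 1
    fi
}
```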
Encrypting
When encrypting, you must provide the public key to encrypt for and the file type. Currently supported file types are yaml and env.
Encrypting a yaml file
confcrypt encrypt -i file.yaml -o file.crypt.yaml -f yaml -p <PUBLIC KEY>
Encrypting an env file
confcrypt encrypt -i file.env -o file.crypt.env -f env -p <PUBLIC KEY>
Known Problems
#@nocrypt doesn't work for list items, because I do some weird shit to find out which lines are marked with it, and because serde_yaml doesn't preserve them, so I'm kinda guessing lol
Documentation is due soon, I promise
License
Disclaimer: Don't use this. It's not very secure