Manage secret values in-repo via public key cryptography

Manage secret values in-repo via public key cryptography. See the announcement blog post for more motivation.

Amber provides the ability to securely store secret data in a plain-text file. Anyone with access to the file can add encrypted secrets to it, but reading those secrets requires the secret key. The file format is plain-text YAML that minimizes diffs on value changes, making it amenable to tracking changes in version control.

The primary use case for Amber is storing secret values for Continuous Integration systems. In most CI secrets management systems, there is no way to track the changes in values over time. With Amber, the public key and encrypted values live inside the repo, ensuring future runs of the same commit will either fail (if you've misplaced/changed the key) or have identical inputs.

Install

You can install from source by installing Rust and running cargo install --git https://github.com/fpco/amber. Binaries are available on the release page. Place the executable on your PATH and ensure that the executable bit is set (for non-Windows platforms).

Usage

Running amber --help will give you a full, up-to-date set of instructions. The --amber-yaml option, or the AMBER_YAML environment variable, can be used to specify the location of the file containing your secret values. If unspecified, it will default to amber.yaml. The typical workflow is:

  • amber init to create a new secret key and amber.yaml file.
  • Securely store that secret key, such as in a password manager. Additionally, if desired, put that secret key in your CI system's secrets.
  • Add additional secrets with amber encrypt.
  • Commit your amber.yaml file into your repository.
  • Within your CI scripts, or when using your secrets on your own system:
    • Set the AMBER_SECRET environment variable to your secret key.
    • Use amber print to see a list of your secrets.
    • Use amber exec ... to execute subcommands with the secrets available.
  • Over time, use amber encrypt to add new secrets or update existing secrets, and amber remove to remove a secret entirely.
  • By storing the secrets in Git, you'll always be able to recover old secret values.

Here's a sample shell session:

$ amber init
Your secret key is: 15aa07775395303732870cff2cc35c26f94af3344cf0f85d230aa004234d9764
Please save this key immediately! If you lose it, you will lose access to your secrets.
Recommendation: keep it in a password manager
If you're using this for CI, please update your CI configuration with a secret environment variable
export AMBER_SECRET=15aa07775395303732870cff2cc35c26f94af3344cf0f85d230aa004234d9764
$ amber encrypt PASSWORD deadbeef
$ amber print
Error: Error loading secret key from environment variable AMBER_SECRET

Caused by:
    environment variable not found
$ export AMBER_SECRET=15aa07775395303732870cff2cc35c26f94af3344cf0f85d230aa004234d9764
$ amber print
export PASSWORD="deadbeef"
$ amber exec -- sh -c 'echo $PASSWORD'
deadbeef
$ cat amber.yaml
---
file_format_version: 1
public_key: 9a4eb57571201fe413a5a9d583a070d180669928f0b98152ad93454cf5079860
secrets:
  - name: PASSWORD
    sha256: 2baf1f40105d9501fe319a8ec463fdf4325a2a5df445adf3f572f626253678c9
    cipher: c7f3d90e15b2d37801055d9773e6bd1e4b36120987bf31c6f111d5d69acb6d020a5f532ea035c272465f2a6e43c55fb009bf03a5c7a93581
$ amber encrypt PASSWORD deadbeef
[2021-08-13T10:45:13Z INFO  amber::config] New value matches old value, doing nothing
$ amber encrypt PASSWORD deadbeef2
[2021-08-13T10:45:16Z WARN  amber::config] Overwriting old secret value
$ amber print
export PASSWORD="deadbeef2"
$ amber remove PASSWORD
$ amber print
$ cat amber.yaml
---
file_format_version: 1
public_key: 9a4eb57571201fe413a5a9d583a070d180669928f0b98152ad93454cf5079860
secrets: []
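The session above exercises the model the README describes: the public key stored in amber.yaml lets anyone encrypt, the secret key is needed to read, and the sha256 field lets amber recognise an unchanged value ("New value matches old value, doing nothing") without decrypting anything. The following is an added example, not amber's own code, that reproduces that model in Go with only the standard library: an ephemeral X25519 exchange (crypto/ecdh) plus AES-256-GCM stands in for the NaCl crypto_box construction amber builds on, so its output is not compatible with a real amber.yaml. The names Store, Secret, Init, Encrypt, Decrypt, seal and open are this example's own, and the PASSWORD/deadbeef values are the constructed ones from the session.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Secret mirrors one amber.yaml entry: SHA-256 of the plaintext and the ciphertext.
type Secret struct{ SHA256 string; Cipher []byte }

// Store mirrors amber.yaml: the public key is in the file (anyone can add secrets); only the secret key reads them.
type Store struct{ PublicKey []byte; Secrets map[string]Secret }

var curve = ecdh.X25519()

// Init plays `amber init`. Assumed construction: X25519 keys via crypto/ecdh, not amber's NaCl crypto_box keys.
func Init() (secretKey []byte, st *Store, err error) {
	priv, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	return priv.Bytes(), &Store{PublicKey: priv.PublicKey().Bytes(), Secrets: map[string]Secret{}}, nil
}

// aeadFor derives an AES-256-GCM key from the ECDH shared secret and both public
// keys; every part is 32 bytes, so labelled concatenation is unambiguous.
func aeadFor(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(append(append(append([]byte("amber-demo v1"), shared...), ephPub...), recipientPub...))
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts to a public key with a throw-away sender key, so the writer holds
// no secret: blob = ephemeral public key (32) || GCM nonce (12) || ciphertext+tag.
func seal(recipientPub, plaintext []byte) ([]byte, error) {
	rpub, err := curve.NewPublicKey(recipientPub)
	if err != nil { return nil, err }
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(rpub)
	if err != nil { return nil, err }
	aead, err := aeadFor(shared, eph.PublicKey().Bytes(), recipientPub)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	blob := append(append([]byte{}, eph.PublicKey().Bytes()...), nonce...)
	return aead.Seal(blob, nonce, plaintext, nil), nil
}

// open reverses seal with the recipient's secret key; a wrong key or a tampered
// blob fails the AEAD tag check rather than yielding garbage.
func open(secretKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+12+16 { return nil, fmt.Errorf("ciphertext too short") }
	priv, err := curve.NewPrivateKey(secretKey)
	if err != nil { return nil, err }
	ephPub, err := curve.NewPublicKey(blob[:32])
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	aead, err := aeadFor(shared, blob[:32], priv.PublicKey().Bytes())
	if err != nil { return nil, err }
	return aead.Open(nil, blob[32:44], blob[44:], nil)
}

// Encrypt plays `amber encrypt NAME VALUE`; returns "added", "unchanged" (hash matches, no key needed) or "overwritten".
func (s *Store) Encrypt(name, value string) (string, error) {
	sum := sha256.Sum256([]byte(value))
	digest, status := hex.EncodeToString(sum[:]), "added"
	if old, ok := s.Secrets[name]; ok {
		if old.SHA256 == digest { return "unchanged", nil }
		status = "overwritten"
	}
	blob, err := seal(s.PublicKey, []byte(value))
	if err != nil { return "", err }
	s.Secrets[name] = Secret{SHA256: digest, Cipher: blob}
	return status, nil
}

// Decrypt is the read side of `amber print` / `amber exec`: it needs the secret key.
func (s *Store) Decrypt(secretKey []byte, name string) (string, error) {
	sec, ok := s.Secrets[name]
	if !ok { return "", fmt.Errorf("no secret named %s", name) }
	pt, err := open(secretKey, sec.Cipher)
	return string(pt), err
}

func main() {
	sk, st, _ := Init()
	st.Encrypt("PASSWORD", "deadbeef") // constructed value, as in the session above
	v, err := st.Decrypt(sk, "PASSWORD")
	fmt.Printf("secret key %x\nexport PASSWORD=%q (err=%v)\n", sk, v, err)
}
```

Two properties of the file format are worth noticing while reading this. First, the "unchanged" check works purely on the sha256 field, which is why amber encrypt can run before AMBER_SECRET is set; that digest is an unsalted hash of the plaintext committed to the repository, so it offers no protection for a low-entropy value that anyone holding the file could guess and hash offline, and the secrets you store should be high-entropy. Second, because the ciphertext is authenticated, a wrong secret key or an edited cipher value fails outright rather than producing a plausible-looking wrong secret, which is the behaviour you want in CI.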

Authors

This tool was written by the FP Complete engineering team. It was originally part of a deployment system for our Kube360 Kubernetes software collection. We decided to extract the generalizable parts to a standalone tool to improve Continuous Integration workflows.

If you have a use case outside of CI, or additional features you think would fit in well, please let us know in the issue tracker!

Comments
  • Github marketplace action for amber

    Would make amber easier to consume in the GitHub ecosystem (without requiring any changes to amber)

    A developer using Github actions would not need to worry about how to install amber e.g. https://github.com/chrisjsimpson/amber-secrets-ci-example/blob/9854d92efd11bccb1919f8f74e9a38e5cbec6cd0/.github/workflows/production.yml#L19-L22 would be abstracted away.

    Have some experience with this.

    opened by chrisjsimpson 3
  • encrypt: take secret value from stdin

    Could the encrypt subcommand take the secret value from stdin? This would help prevent raw secrets from being saved in shell history, for example.

    BTW, this is a very cool project! It hits a lot of sweet spots for in-repo secret storage.

    opened by justinfenn 2
  • An installation script.

    Since the tool is used in CI steps, the user would need to install amber into their building environment / container. A simple script that always pulls the latest release (better if the major version can be set and fixed) would be helpful.

    opened by Magicloud 2
  • Allow amber.yaml file to be searched in parent directory

    Right now amber by default checks amber.yaml in the directory where the command is being executed.

    I think it might be convenient if it searches its parent directory too. I found that this could be convenient in one of the recent projects I integrated amber with.

    So I think for finding the amber.yaml, we can slightly change it to accommodate something like this:

    • check if the passed location (either default or explicitly passed value) of file exists and use that if found.
    • If not, traverse your parent directory to see if it exists

    I would be happy to implement it in the coming days, if you aren't opposed to it.

    opened by psibi 1
  • AUR package

    I created an AUR (Arch User Repository) package for amber: https://aur.archlinux.org/packages/amber-secrets/

    I called it amber-secrets as there is already a package called amber (the Crystal web-framework). It also depends on the system libsodium instead of statically linking its own copy.

    Anyway, just passing on the info to let you know it's out there. Not sure if it's worth mentioning in the install section of the README or not.

    opened by wezm 1
  • Helper script: install.sh

    The script aims to ease the process of fetching amber into any Linux environment. This version only fetches the latest one.

    The script has been tested in Alpinelinux.

    opened by Magicloud 1
  • Migrate from sodiumoxide to crypto_box

    From last year, sodiumoxide has been unmaintained and there is a RUSTSEC advisory filed that has deprecated its usage: https://rustsec.org/advisories/RUSTSEC-2021-0137.html

    Also the original author of the crate has archived the repository.

    This PR switches to use the crate crypto_box which is a pure Rust compatibility layer for Nacl libraries. I also had to use some other crates for computing SHA, hex decoding etc.

    opened by psibi 0
  • Upgrade to clap v4 and other changes

    Summary of the changes:

    • cargo update all crates. The most important one being clap.
    • Upgrade toolchain to 1.64 and do relevant clippy changes.
    • Some changes to github actions and toml file to speed up CI
    opened by psibi 0
  • Add option to display only secret key when exec amber init

    amber displays the secret key on the console when executing amber init. But I think there are times when one does not want to display the secret on the console.

    So, add a --only-secret-key option and use it as follows:

    amber init --only-secret-key | pbcopy
    
    opened by matsubara0507 0
  • Update clap and other dependencies

    Summary of the updates:

    • Clap v3 has been released and this PR updates to use it. I did a cargo upgrade to update all the other dependencies, but if you prefer me just upgrading clap, I can go ahead and do that.
    • Use assert_cmd for testing cli. This gives a cargo_bin method which is more convenient for integration tests rather than doing cargo run.
    opened by psibi 0
  • Search amber.yaml in parent directory in some cases

    This PR makes amber search the parent directory for the amber.yaml file if amber.yaml isn't present in the current working directory.

    This check is only done when no explicit amber-yaml is specified via the --amber-yaml option or via the environment variable (unless the specified value matches the default amber.yaml value).

    Fixes #21

    opened by psibi 0
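The lookup requested in the "Allow amber.yaml file to be searched in parent directory" issue and implemented by this PR (use the given or default location if it exists, otherwise walk up the parent directories, but only when no explicit path was given) as an added example in Go. This is not amber's code: FindConfig, DefaultAmberYaml and isFile are names chosen here, and the only behaviour taken from the page is the search order described above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// DefaultAmberYaml is the name amber falls back to when --amber-yaml / AMBER_YAML is unset.
const DefaultAmberYaml = "amber.yaml"

// FindConfig resolves the secrets file. explicit is the --amber-yaml / AMBER_YAML
// value ("" when unset); startDir is the working directory. Only the default name
// is searched upward through parent directories; an explicit path is used as given.
func FindConfig(explicit, startDir string) (string, error) {
	startDir, err := filepath.Abs(startDir) // "." must become absolute or the walk ends immediately
	if err != nil {
		return "", err
	}
	name := explicit
	if name == "" {
		name = DefaultAmberYaml
	}
	candidate := name
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(startDir, candidate)
	}
	if isFile(candidate) {
		return candidate, nil
	}
	if name != DefaultAmberYaml {
		return "", fmt.Errorf("amber config %s not found", candidate)
	}
	// Walk toward the root; filepath.Dir returns its input at the root, which ends the loop.
	for dir := startDir; ; dir = filepath.Dir(dir) {
		parent := filepath.Dir(dir)
		if parent == dir {
			return "", fmt.Errorf("%s not found in %s or any parent directory", DefaultAmberYaml, startDir)
		}
		if p := filepath.Join(parent, DefaultAmberYaml); isFile(p) {
			return p, nil
		}
	}
}

// isFile reports whether p exists and is not a directory.
func isFile(p string) bool {
	info, err := os.Stat(p)
	return err == nil && !info.IsDir()
}

func main() {
	wd, _ := os.Getwd()
	fmt.Println(FindConfig(os.Getenv("AMBER_YAML"), wd))
}
```

One consequence of the upward search worth keeping in mind when a repository is checked out beneath a directory that itself holds an amber.yaml: the parent's file is picked up silently, so CI jobs that must use a specific file should pass it explicitly, which disables the search.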
  • Ability to copy secrets to system clipboard

    Often while using amber locally, I want to copy certain secrets to the clipboard. I'm imagining an interface like this for this feature:

    USAGE:
        amber clipboard <key> --amber-yaml <amber-yaml>
    

    Additionally, I can volunteer to implement this if there is no objections.

    opened by psibi 1
  • Proposal: Add ability to specify environment for secrets

    For example user story: As a user I can specify an environment name of my choosing whilst storing a secret, perhaps with a default. When accessing a secret, the default environment is used.

    e.g. Interface

    (base) (environment)$ ./amber --verbose encrypt 
    error: The following required arguments were not provided:
        <ENVIRONMENT>
        <KEY>
    
    USAGE:
        amber encrypt [OPTIONS] <ENVIRONMENT> <KEY> [VALUE]
    
    For more information try --help
    (base) (environment)$ ./amber --verbose encrypt staging API_KEY secret
    [2022-01-01T22:16:45Z DEBUG amber] Cmd { opt: Opt { verbose: true, amber_yaml: None, unmasked: false }, sub: Encrypt { environment: "staging", key: "API_KEY", value: Some("secret") } }
    [2022-01-01T22:16:45Z DEBUG amber::cli] Checking if file "amber.yaml" exists
    [2022-01-01T22:16:45Z INFO  amber::config] New value matches old value, doing nothing
    (base) (environment)$ 
    

    Possible structure: (Note the addition of "environment")

    ---
    file_format_version: 2
    public_key: 7801a1206e8e339c396a990bdd758dcccce9d1e8846b3a08b8329d3925adf801
    secrets:
      - name: API_KEY
        environment: staging
        sha256: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
        cipher: 104b00746ab5a029ee6c693e33d6cee116163b695d5ed685e1e8428984f5105012e3741ec89d4e944c4f02209762f11f69f6eed17be7
      - name: API_KEY
        environment: production
        sha256: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
        cipher: 104b00746ab5a029ee6c693e33d6cee116163b695d5ed685e1e8428984f5105012e3741ec89d4e944c4f02209762f11f69f6eed17be7
    

    Motivations

    • Secrets may change between environments (e.g. testing, staging etc )
    • Whilst it is possible to achieve managing different environment secrets with amber (potentially by managing amber.yaml in a different repo per environment), this undermines the goal to track the changes in values over time.

    Considerations

    • To store environment name per secret not elsewhere
    • Provide a default environment name, or none
    • This would/could be a breaking change to the file format so may require a bump of FILE_FORMAT_VERSION

    I've coded an initial attempt at this to demonstrate the idea and will push, though a complete implementation is missing since I'm new to Rust. I specifically got stuck at: https://github.com/fpco/amber/blob/65e6c6ec8ee0669df71b9b56e6e3ab924e0d3fc2/src/config.rs#L109 after altering SecretRaw structure to include environment.

    I hope the code tempts someone or someone can point me in a better direction.

    opened by chrisjsimpson 5
  • How do you think of this model for Terraform-alike?

    1. Having an IAM role only for CI/CD.
    2. At starting of the job, create some AWS secrets from Amber. Restrict them for CI/CD role.
    3. Running Terraform (using data to reference to the secrets).
    4. Succeeded or not, remove all secrets from AWS.

    Hence we do not have AWS secrets for long term, and we do not have secret texts in Terraform artifacts.

    opened by Magicloud 1
Releases(v0.1.4)
Owner
FP Complete