The silliest secret manager! :3
A tree-oriented secret storage tool, inspired by age and sops and using libsodium for encryption.
btw the command is named sesi because that sounds more silly :3
This is where you’ll declare your secrets, specify recipients and configure their relationships.
Using YAML, define an arbitrary tree of nodes
whose names must match the regex [a-zA-Z0-9-._].
All leaf nodes are secrets and can be assigned a value using the edit subcommand.
Every node can receive the following special properties:
:key: A public key; shorthand for adding it to…:keys: A list of public keys. Having these makes this node eligible for…:import: A list of node names whose secrets to import, i.e. make accessible to this node’s set of:keystoo. If you want the inverse, there’s also…:export: A list of node names to export this node’s secrets to, i.e. make them accessible to that node’s set of:keys.
While exports are just aliases, (node A exports to B → B imports from A), imports operate recursively on their targets: If node A imports from B, which itself imports from C or has a child that does so, A will effectively import from C too.
This is a powerful mechanism for building hierarchical secret structures, e.g. an admin who has access to a machine that includes various user and service secrets gains access to these secrets too (in order to manage them).
Have a look at the example tree!
Listed in rough order of importance together with their single-letter aliases.
Edit or create a secret. If stdin is a pipe, it will be read into the secret, overwriting it. Otherwise, vipe will be started & given the current value of the secret (or nothing if it was just created) as input.
Decrypt a secret to stdout.
Ensure congruency between structure and storage. This compares the recipient set of every storage entry with the expected key set as derived from the structure tree. If there is a mismatch, the entry will be adjusted accordingly
Regenerate the internal shared key of some secrets.
Generate some secret key files. You can also use basically any file as a key (e.g. your SSH keys, which will be loaded by default). The actual secret key is derived from the file data using Argon2id.
Print public keys corresponding to some secret key files. If only a single file is given, print only the public key. Otherwise, print the public keys together with their respective path, separated by a space.
View the entire tree after validation.
This is mostly useful for debugging your import & export rules.
All key sets will be expanded to include their parent’s keys, unless the flag -x is given.
Then, all keys that occur as a :key property in a node will be replaced
by that node’s uppercased name, unless the flag -n is given.
Dump all accessible secrets into a folder. This exists primarily for the Aquaris secrets module, but maybe you’ll find it useful too?