This repository has been migrated to https://codeberg.org/puppe/secrets.

Secrets is a simple, little program that copies files which contain secrets like passwords or keys from one UNIX computer (the host) to another (the target) using SSH. The files to be copied as well as their desired permissions on the target computer are specified in a simple JSON file.

• Racket (on the host)
• OpenSSH
• the base64 command line tool
• Bash (on the target)
• sudo (on the target)

SSH client or server implementations other than OpenSSH may work as well.

secrets [<config-file>]

Secrets will look for a configuration file named secrets.json in the current working directory. An alternative configuration file can be supplied as a command-line argument. Secrets will not work without a configuration file.

WARNING: Secrets copies all files to a single directory. All other files which are in that directory will be deleted.

Example:

{
    "target": "johndoe@example.org",
    "basedir": "/path/to/dir",
    "files": [
        "path/to/file",
        {
            "source": "path/to/other/file",
            "name": "foobar",
            "owner": "root",
            "group": "users",
            "mode": "640"
        }
    ]
}

The content of your configuration file should be a JSON object with the following keys:

target (required): the target computer which the files are copied to. This can be anything that is accepted by the OpenSSH client as a destination. See man ssh for details.

basedir (optional): the directory on the target which files are copied to. All other files which are in that directory will be deleted. The default value for this key is "/var/lib/secrets".

files (required): a list of files that will be copied to the target. See the next section for details.

A file can be specified in two ways, either as an object or as a simple string. If a file is specified as an object, the object should have the following keys:

source (required): the path to a file that will be copied to the target. If the path is relative, it will be interpreted relatively to the location of the configuration file.

name (optional): the name of the file on the target computer. The default value for this key is the name of the file on the host computer.

owner (optional): the owner of the file on the target computer. The default value for this key is "root".

group (optional): the group of the file on the target computer. The default value for this key is "root".

mode (optional): the mode of the file on the target computer. See man chmod for details. The default value for this key is "400".

If a file is specified as a string "path/to/file", this is equivalent to

{
    "source": "path/to/file",
}

Copyright 2020 Martin Puppe

This file is part of Secrets.

Secrets is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Secrets is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Secrets. If not, see https://www.gnu.org/licenses/.