CHAIN - secure and convenient temporary storage of credentials
A tool for securely storing and loading secrets into commandline tools.
Inspired by and related to envchain, aws-vault, chamber.
Chain works entirely locally and does not depend on any external services.
Installation
Methods:
- Download from Releases and place on $PATH
- Use hermit with custom source
- Setup hermit for project level tooling: https://cashapp.github.io/hermit/usage/get-started/
- Source: https://github.com/zph/hermit-packages
hermit install chain
Usage
See docs for full commands
echo "AWS_SECRET_KEY_ID=FAKEKEY" | chain set aws-creds
chain get aws-creds
chain exec aws-creds -- aws s3 ls...
# ENV variables
CHAIN_PASSWORD=<password used in keychain for storing key>
CHAIN_STORE=[1-5 see chain.proto for examples]
CHAIN_DIR=<directory for files stored on disk, default=.chain>
See the proto for which stores are available and their respective cmd/*_store.go and stores files for implementation. They can also be seen in proto.
Changes
- goreleaser creates binary as
chain - setup Github Actions
- setup goreleaser in Github Actions
- Use https://github.com/99designs/keyring with JWT backend
- Remove custom behavior for setting/storing keys and use wrapper tooling
- Use field based logger
- Use age store with expiring keys from initial generation of 10 pub/priv keys
- Setup an
agebased backend to replace JOSE - Generate docs from commands: https://github.com/spf13/cobra/blob/main/doc/README.md
TODO
- Store UUID filename instead of leaking information about what env vars are stored
- Use reverse index (EnvToUUID) stored as protobuf in
INDEXkey - Store values as
k/vpairs with UUID as outer key for filename - Setup keyctl with expiring keys
- Encrypt .PUBLIC_KEYS to remove threat model of someone tampering with those when re-keying
Credit
Originally forked from https://github.com/evanphx/schain.