I like the GPG key based ACL of this tool and can see how it prevents leaks.
But I fail to imagine the real-world usage in a team of developers and I cannot find one in the documentation.
Is it something like:
- Alice, Bob and Charlie are working on software source code versioned in a git repository (and shared amongst them via GitHub, GitLab or any other central git repository).
- Alice wants to store a MySQL password in the software's git repository but doesn't want either Bob or Charlie to have access to this secret.
- Alice creates a `secrets` directory in the software's source code directory on her computer, `cd`s into it and runs `sy vault init` to initialize the sheesy vault "secrets".
- Alice runs `git add . ; git commit -m "Created a secrets sheesy vault"` to commit the vault creation.
- Alice adds the MySQL password to the vault with `echo s3cre7 | sy vault add :mysql-password`.
- Alice runs `git add . ; git commit -m "Added MySQL password to the secrets vault"; git push origin` so that the changes the `sy vault add` command made to the sheesy vault ("secrets") are saved to the git repository.
- After some time, Alice trusts Bob to read secrets, so Alice asks Bob to run (on his computer) `cd secrets ; sy vault recipient init` to add his GPG key to the possible recipients, and `git add . ; git commit -m "Adding Bob's key to the secrets vault" ; git push origin` to persist the changes to the git repository.
- Alice can now run `cd secrets ; sy vault recipient add 7DF95D5E` and `git add . ; git commit -m "Granting Bob's key access to secrets sheesy vault" ; git push origin`, and tells Bob that she granted him access to the "secrets" vault.
- Bob can now `cd secrets` and finally read the MySQL password with `sy vault show mysql-password`.
- Charlie sees the commits and the list of secrets (using `sy vault`) but can never read them.
Notes:
- I am intentionally omitting the parts where Alice, Bob and Charlie run their `git fetch` and `git merge` commands.
- On point 2., if Alice wants to store the password in the software's git repository, could it be because the software's deployment script will need it (in which case another recipient should be added)?