agebox

Easy and simple file repository encryption tool based on Age.

Have you ever thought "this should be simple" while using tools like Blackbox, Git-crypt or Sops? That is what agebox is: a tool on top of Age's security system that encrypts/decrypts your repository files, focused on simplicity and gitops.

Features

  • Secure (Agebox delegates security to Age).
  • Tracks encrypted files in repository.
  • No PGP and no agents, just simple SSH and Age key files.
  • File flexibility (encrypts/decrypts recursive paths, multiple/single files, all tracked files...).
  • Reencrypts all tracked files with a single command.
  • Focused on Gitops, CI flows and simplicity.
  • Works with any file (doesn't understand formats like JSON, YAML...).
  • Single binary/executable.
  • No side effects like VCS commands (e.g: doesn't execute Git commands for you).

Get agebox

Getting started

Initialize agebox tracking file.

agebox init

Encrypt (and track) multiple files.

agebox encrypt ./app1/secret1.yaml ./app2/secret1.yaml

Encrypt (and track) a directory in dry-run to see what would be encrypted before doing it.

agebox encrypt ./secrets --dry-run

Decrypt a subset of tracked secrets and a file.

agebox decrypt ./secrets/team-1 ./secrets/secret1.yaml

Validate all tracked encrypted files exist and decryption is possible.

agebox decrypt --all --dry-run --force --no-log

Reencrypt all files.

agebox reencrypt

Untrack multiple files.

agebox untrack ./secrets/secret1.yaml ./secrets/secret2.yaml

Untrack and delete file.

agebox untrack ./secrets/secret1.yaml --delete

How does it work

When you initialize agebox on a repository it will create a file (.ageboxreg.yml) that will track all the encrypted files in the repository.

From now on, if you encrypt files with agebox from the root of the repository it will:

  • Track the files if they are not already tracked.
  • Encrypt the files with the public keys in ./keys (or the path given with --public-keys) as recipients.
  • If a path is a directory, expand it to all the files in that directory and its subdirectories.

In a regular agebox flow you can:

  • Decrypt tracked files as a single file, multiple files, a directory and its subdirectories...
  • Decrypt all tracked files (--all).
  • Reencrypt all tracked files with the public key recipients.
  • Encrypt all tracked files (--all) that are decrypted in the repository.
  • Untrack a file (and optionally delete from the file system).
  • Encrypt/decrypt in dry-run to validate (handy in CI for checking).

Check the Getting started section for specific commands.

Keys

Agebox supports the same asymmetric keys Age does:

  • X25519 (Age).
  • RSA SSH.
  • Ed25519 SSH.

Public keys

The public keys are the recipients of the encrypted files. With their respective private keys, users will be able to decrypt the files.

Public keys should be in a directory relative to the root of the repository (by default ./keys) at the moment of invoking encryption commands. This simplifies key handling by not requiring PGP keys or agents.

Agebox encrypts with the loaded public keys, so whenever a public key is added or removed the tracked files should be reencrypted.

If you don't want to keep all the public keys in every repository managed by agebox, you can centralize them in another repository and fetch them before invoking agebox. Some usage examples:

  • A Git submodule, updated with git pull --recurse-submodules.
  • A separate Git repository that you git clone/pull before running the agebox command.
  • Public keys downloaded from S3.

You can configure this with --public-keys flag or AGEBOX_PUBLIC_KEYS env var.

You can have multiple public keys in a file (one per line), like Age recipients file.
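The dry-run decrypt shown under Getting started (and listed as a CI check under How does it work) proves that every tracked file still decrypts, but it says nothing about the recipients directory itself. The following POSIX shell script is an added example, not part of agebox or its README: it checks the keys directory before running that CI gate. It assumes Age's recipients-file layout (one recipient per line, blank lines and lines starting with # ignored), that the keys directory holds plain files at its top level, that the only accepted recipient types are the three listed under Keys (checked by prefix only, the key material itself is not validated), and that --public-keys / AGEBOX_PUBLIC_KEYS name that directory. The function names and the sample keys in the comments are constructed for the example.

```bash
#!/bin/sh
# Added example (not agebox code): validate the recipients agebox will load,
# then run the README's dry-run decrypt as a CI gate.
# Assumption: Age recipients-file layout, one recipient per line,
# blank lines and lines starting with '#' are ignored.

# Classify one recipient line by prefix. Prints the type and returns 0,
# returns 1 for anything outside the three key types agebox supports.
recipient_type() {
  case "$1" in
    age1*)           echo x25519 ;;
    "ssh-ed25519 "*) echo ssh-ed25519 ;;
    "ssh-rsa "*)     echo ssh-rsa ;;
    *)               return 1 ;;
  esac
}

# Check every file at the top level of a keys directory (default ./keys).
# Returns 0 when all recipients are supported and at least one was found,
# 1 otherwise (each offending line is reported on stderr).
check_public_keys() {
  dir="${1:-./keys}"
  count=0
  status=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      # Trim surrounding whitespace; skip blank lines and '#' comments.
      line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
      [ -z "$line" ] && continue
      case "$line" in '#'*) continue ;; esac
      if recipient_type "$line" >/dev/null; then
        count=$((count + 1))
      else
        echo "unsupported recipient in $f line $n" >&2
        status=1
      fi
    done < "$f"
  done
  [ "$count" -gt 0 ] || { echo "no recipients found under $dir" >&2; return 1; }
  return "$status"
}

# CI gate: validate recipients, require the private key to be configured,
# then let agebox prove every tracked file exists and decrypts
# (the exact command from the README's Getting started section).
ci_check() {
  check_public_keys "${AGEBOX_PUBLIC_KEYS:-./keys}" || return 1
  [ -n "$AGEBOX_PRIVATE_KEY" ] || { echo "AGEBOX_PRIVATE_KEY is not set" >&2; return 1; }
  agebox decrypt --all --dry-run --force --no-log
}

# Usage from a CI job, with the key path supplied by the CI secret store:
#   AGEBOX_PRIVATE_KEY=/run/secrets/ci-key ci_check
```

A key of an unsupported type (for instance an ECDSA SSH key) fails the check before any encryption happens, which is the moment you want to learn about it rather than after a reencrypt has been committed. Because the check runs on the same directory agebox reads, it also works unchanged when the keys are fetched from a submodule or another repository and pointed at with --public-keys.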

Private keys

Private key (singular) should be passed whenever a decrypt operation is made.

You can configure this with --private-key flag or AGEBOX_PRIVATE_KEY env var.

Alternatives

  • Blackbox: Uses PGP (requires an agent), complex and sometimes has undesired side effects (e.g. executing git commands).
  • Sops: Lots of features and very complex for simple use cases.
  • Git-crypt: Uses PGP (requires an agent), complex, 100% tied to Git.

Kudos

Thanks to @FiloSottile, @Benjojo12 and all the other contributors of Age.

Without Age, Agebox would not exist.

Contributors

slok
