opensecret

Description

opensecret stashes uncrackable secrets into your Git, S3, Dropbox, Google Drive and filesystem backends. You interface with its intuitive Linux, Windows and iOS front ends, and it offers SDKs and plugins for Ruby, Python, Go, Java, Jenkins, CodeShip, Ansible, Terraform, Puppet and Chef. Soon, support will be added for database and keystore backends such as MySQL, MongoDB, PostgreSQL, Redis, Memcached and etcd.

opensecret never accesses the cloud for anything: it is designed to operate on a single non-networked laptop if you so wish. opensecret takes a fresh approach to security and challenges common misconceptions in order to deliver a simple, highly secure credentials management system.

opensecret | Install It

$ gem install opensecret

opensecret | Configure It

$ opensecret keydir /path/to/usb/key/dir
$ opensecret name   joe
$ opensecret email  [email protected]
$ opensecret domain lecturers@harvard
$ opensecret store  https://www.eco-platform.co.uk/crypt/lecturers.git

$ opensecret init

opensecret | All Done!

You are done setting up opensecret with just 5 commands. Simple means fewer mistakes and less confusion, and therefore more security. Let's recap on the 5 configurations:

  • keydir » best practice is a USB key drive kept with your actual keys
  • name » a single short lowercase word, the name your peers call you
  • email » email address (validation scheduled for end of March 2018)
  • domain » joe@home if single or a team like [email protected]
  • store » a Git project URL to hold your encrypted secret material

The opensecret init command

  • creates an 8192-bit uncrackable private key
  • collects a human password and creates a machine password
  • locks the private key with an amalgamated password of at least 64 characters
  • locks the public key's fingerprint, making it tamper proof
  • creates a base directory on your backend store

Now you are ready to begin locking and unlocking, and soon you'll be able to request a secret (like a WiFi or Netflix password) from others in your group. You too can grant (or reject) requests from your colleagues, friends and family.

One Lock | Two Keys

With suitcases, the key that locks the suitcase also opens it.

In cryptography you have two keys. You give out your public key, and anyone can lock any suitcase (of goodies) with it. Once done, that suitcase can only be opened with the other key: your private key. opensecret creates an 8192-bit private key, which is simply uncrackable.

The safest place to put your private key is on a USB key drive that you carry around with your real keys. On top of that, a password that only you know is used to lock your private key.

For scripts that cannot stop and wait for user input, keys can optionally be created with a password given on the command line.

$ opensecret init --password="p455w0rd.!0NDUN"
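The steps that the init command list and the "one lock, two keys" section describe can be sketched in Ruby with the standard OpenSSL library. The block below is an added illustration, not opensecret's own code: it creates a key pair, builds the amalgamated password from a human password and a random machine password, locks the private key under it, records the public key fingerprint, and then locks and opens a "suitcase" with the two keys. The 2048-bit key size, the hex machine password and the `SHA-256` fingerprint are assumptions made for the demo; the README itself specifies 8192-bit keys.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Demo key size. The README says opensecret creates an 8192-bit key; 2048 is
# used here only so the example runs in about a second (assumption for the demo).
KEY_BITS = 2048
MIN_PASSWORD_LEN = 64   # the README's minimum length for the amalgamated password

# The human password comes from the user; the machine password is random and
# would live on the USB key drive next to the private key (assumed layout).
def machine_password
  SecureRandom.hex(32)          # 64 hex characters
end

# Join the two passwords and enforce the minimum length.
def amalgamate(human, machine)
  pass = human + machine
  if pass.length < MIN_PASSWORD_LEN
    raise ArgumentError, "amalgamated password has #{pass.length} chars, need #{MIN_PASSWORD_LEN}"
  end
  pass
end

# SHA-256 over the DER-encoded public key (assumed fingerprint format).
def fingerprint(public_pem)
  Digest::SHA256.hexdigest(OpenSSL::PKey::RSA.new(public_pem).to_der)
end

# The "ongoing domain-wide check": does the key a peer presents still hash to
# the fingerprint that was imported when they were trusted?
def fingerprint_matches?(public_pem, expected_fingerprint)
  fingerprint(public_pem) == expected_fingerprint
end

# Mirrors what `opensecret init` describes: make the key pair, lock the private
# key under the amalgamated password, and record the public key fingerprint.
def init_identity(human_password)
  key  = OpenSSL::PKey::RSA.new(KEY_BITS)
  pass = amalgamate(human_password, machine_password)
  # Traditional encrypted PEM; with openssl gem >= 3 prefer
  # key.private_to_pem(cipher, pass) for a PKCS#8 envelope with PBKDF2.
  locked = key.export(OpenSSL::Cipher.new('aes-256-cbc'), pass)
  {
    locked_private_pem: locked,
    public_pem:         key.public_key.to_pem,
    fingerprint:        fingerprint(key.public_key.to_pem),
    password:           pass   # returned only so the demo can unlock below
  }
end

# Anyone holding the public key can lock the suitcase ...
def lock_suitcase(public_pem, plaintext)
  OpenSSL::PKey::RSA.new(public_pem)
                    .public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# ... but only the unlocked private key opens it. Returns nil on a wrong password.
def open_suitcase(locked_private_pem, pass, ciphertext)
  key = OpenSSL::PKey::RSA.new(locked_private_pem, pass)
  key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
rescue OpenSSL::OpenSSLError
  nil
end

if __FILE__ == $PROGRAM_NAME
  id  = init_identity('correct horse battery staple')   # constructed human password
  box = lock_suitcase(id[:public_pem], 'wifi: constructed-demo-value')
  puts open_suitcase(id[:locked_private_pem], id[:password], box)
  p open_suitcase(id[:locked_private_pem], 'wrong-password', box)   # nil
end
```

The wrong-password path is deliberately silent (nil rather than an exception) so a caller can distinguish "could not unlock" from "unlocked but decryption failed" only by the return value; a real tool would log the failure without echoing the password.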

opensecret configuration

Aside from your private keys, opensecret keeps a small amount of configuration in the .opensecret folder under your home directory. A typical opensecret.ini file in that folder looks like

[[email protected]]
type    = user
id      = joe
keydir  = /media/joe/usb_drive
domains = [ lecturers@harvard ]
default = true
printx  = asdfasdfas65as87d76fa97ds6f57as6d5f87a
printy  = asdfasdfas65as87d76fbbbasdfas0asd09080
printz  = adsfasdflkajhsdfasdf87987987asd9f87987

[lecturers@harvard]
type    = domain
store   = git
url     = https://www.eco-platform.co.uk/crypt/lecturers.git

Backend Storage Options

The planned list of backend storage systems (each brought online by a plugin) is

  • Git (including GitHub, GitLab, BitBucket, OpenGit and private Git installations)
  • S3 buckets from the Amazon Web Services (AWS) cloud
  • SSH, SCP and SFTP connected filesystems
  • network storage including Samba, NFS and VMware vSAN
  • Google Drive (only Windows has suitable synchronized support)

Access management is configured EXTERNAL to opensecret. opensecret simply piggybacks on the network transport if authorization is granted.

How to Join a Domain

  • opensecret encrypts your public key's fingerprint with the public key of each present member in turn
  • when they next interact, opensecret asks them whether they trust the new id/email and key
  • if they say yes, the fingerprint is imported and held with the id/name
  • ongoing domain-wide checks flag up public key / fingerprint mismatches
  • if keys are removed or updated, similar questions are asked.

Why Beg for Secrets?

Why beg for a secret, instead of just having someone tell it to you?

It is much more secure to beg for a secret than to have someone simply reveal it. When you beg for a secret you send an encryption key to a single person, who must possess the matching private key; they send back the secret encrypted with both your specific public key and the encryption key that originated from you.

Any hijacker would need access to a great many things, and very precise timing, in order to surreptitiously subvert the system.
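The exchange the section above describes, written out with both sides' messages, as an added Ruby example that is not opensecret's own code or wire format. The requester mints a one-time request key and seals it to the holder; the holder wraps the secret in two layers, an inner AES-256-GCM layer under the request key and an outer layer under a fresh data key that is itself encrypted to the requester's public key. Recovering the secret then requires both the requester's private key and the original request key, which is the property the text relies on. The two-layer construction, the key sizes and the RSA-OAEP wrapping are assumptions made for the demo.

```ruby
require 'openssl'
require 'securerandom'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Small AES-256-GCM helpers: blob layout is iv (12) | tag (16) | ciphertext.
def aes_gcm_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ct = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ct
end

def aes_gcm_decrypt(key, blob)
  iv, tag, ct = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ct) + cipher.final          # raises CipherError if the tag fails
end

# Step 1 (requester): mint a fresh one-time request key and seal it to the
# holder so that only the person with the holder's private key can read it.
def make_request(holder_public_pem)
  request_key = SecureRandom.random_bytes(32)
  sealed = OpenSSL::PKey::RSA.new(holder_public_pem).public_encrypt(request_key, OAEP)
  { request_key: request_key, sealed_request_key: sealed }
end

# Step 2 (holder): recover the request key with the private key, then encrypt
# the secret under the request key and again under a fresh data key that is
# wrapped with the requester's public key.
def answer_request(holder_private, requester_public_pem, sealed_request_key, secret)
  request_key = holder_private.private_decrypt(sealed_request_key, OAEP)
  inner       = aes_gcm_encrypt(request_key, secret)
  data_key    = SecureRandom.random_bytes(32)
  outer       = aes_gcm_encrypt(data_key, inner)
  wrapped     = OpenSSL::PKey::RSA.new(requester_public_pem).public_encrypt(data_key, OAEP)
  { wrapped_data_key: wrapped, payload: outer }
end

# Step 3 (requester): both the private key and the original request key are
# needed. Anyone lacking either gets nil rather than the secret.
def read_answer(requester_private, request_key, reply)
  data_key = requester_private.private_decrypt(reply[:wrapped_data_key], OAEP)
  inner    = aes_gcm_decrypt(data_key, reply[:payload])
  aes_gcm_decrypt(request_key, inner)
rescue OpenSSL::OpenSSLError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # 2048-bit keys keep the demo fast; the README's keys are 8192-bit.
  requester = OpenSSL::PKey::RSA.new(2048)
  holder    = OpenSSL::PKey::RSA.new(2048)
  req   = make_request(holder.public_key.to_pem)
  reply = answer_request(holder, requester.public_key.to_pem,
                         req[:sealed_request_key], 'netflix: constructed-demo-value')
  puts read_answer(requester, req[:request_key], reply)
end
```

Because the request key never leaves the requester except sealed to one specific holder, a copy of the reply alone is useless to a third party, and so is a stolen requester private key on its own; the test below checks both failure modes.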

opensecret | Summary

You can use opensecret alone or you can use it to share secrets with colleagues, friends and family, even machines.

Every domain is tied to backend storage which is accessible by you and others in your domain. You can use Git, S3, a networked filesystem or shared drive, an SSH-accessible filesystem and, soon, free storage from opensecret.io.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/opensecret. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

MIT License Copyright (c) 2006 - 2014

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Code of Conduct

Everyone interacting in the OpenSecret project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.