shh(1) manages secrets for projects and small teams. Secrets are encrypted and safe to commit to version control software like git.
Unlike Hashicorp Vault, shh(1) requires no infrastructure. There's no server to manage and secure -- just a single file.
NOTE: This code has not been audited, and was not written by an expert cryptographer. Caveat emptor.
While I make every effort to follow Go stdlib's crypto examples closely and research best practices, I am not an expert in the field. There might be vulnerabilities, and some might be severe. Until this is audited, you should treat secrets stored by shh as "better than plaintext, but not by much."
If you have a background in cryptography and wish to help audit or provide feedback, please reach out on the mailing list.
See this article on Secret Management to understand the rational for this as well as example uses of the command.
$ git clone email@example.com:~egtann/shh && cd shh $ make $ sudo make install
After installation, check the man pages for usage information for shh(1).
shh(1) uses envelope encryption to keep your project secrets secure.
creates 4096-bit RSA keys in your home directory, encrypting the private key
with a mandated 24-char minimum length password, which is long enough to
prevent re-use/memorization and forcing use of a password manager.
Each secret is encrypted with a random AES-256 key using GCM. The AES key is encrypted using your RSA public key and stored alongside the secret.
As of v1.8.0, the following security vulnerability is fixed:
To report bugs, discuss functionality or submit patches, email this list.
-nnon-interactive mode, memguard dependency