secman

A CLI secret manager.

secman is a command line tool for handling secrets (passwords, credentials and the like). The purpose of this CLI is to give the user control over where and how the secrets are stored, rather than relying on a third party to keep them safe.
The default (and initially the only supported) storage method keeps the secret collection in a file on a local (or network) filesystem. That file is encrypted with AES-256-GCM using a key generated by the CLI. Each secret in the collection is additionally encrypted with AES-256-GCM using a key derived from a password set by the user.
Both keys are stored in the credential manager/keychain of the OS the CLI runs on:
- Keychain on macOS
- Credential Manager (wincred) on Windows
- Secret Service (D-Bus) on Linux
The keys are therefore only as well protected as that store: the trust boundary is the user's OS session, not the password alone, which is the usual trade-off of relying on the OS credential store.
Plugins that allow the secrets to be stored with various storage providers are planned. That does put some reliance on a third party, but the point still stands: the keys for the collection and for the secrets stay in the hands of the user.
Install scripts for the various operating systems are underway. For now, either:
- install manually (download from releases)
- use go install
- build from source

Manual install:
- Go to releases.
- Download the archive that matches the system's operating system and architecture.
- Extract the binary and move it to an appropriate target directory (preferably one in $PATH):

```sh
# tar.gz
tar -xvf secman-<version>-<os>-<arch>.tar.gz && mv secman /path/to/target/directory
# zip
unzip secman-<version>-<os>-<arch>.zip && mv secman /path/to/target/directory
```

Note: the archive contains the binary secman together with README.md, LICENSE and LICENSE-THIRD-PARTY.md.
go install:

```sh
go install github.com/KarlGW/secman/cmd/secman@latest
```

A version suffix (@latest or a release tag) is required when go install runs outside a module. The main package lives under cmd/secman, as the build-from-source step below shows.
Build from source (requires Go 1.21.1 installed on the system):

```sh
git clone https://github.com/KarlGW/secman
cd secman
OS=<os>     # darwin, linux or windows.
ARCH=<arch> # amd64 or arm64.
# For a windows target, use -o build/secman.exe instead.
GOOS=$OS GOARCH=$ARCH go build -ldflags="-w -s" -trimpath -o build/secman cmd/secman/main.go
```

-ldflags="-w -s" strips the DWARF and symbol tables from the binary and -trimpath removes local filesystem paths from it, so the build does not leak the builder's directory layout and is easier to reproduce on another machine.
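The manual install and build steps above pick the archive name and the GOOS/GOARCH pair by hand. The script below is an added example (not part of secman or this README) that resolves them from uname, names the matching release archive, and wraps the build command with the .exe suffix a windows target needs. It assumes, which the page does not state, that windows releases ship as .zip and the others as .tar.gz; the version argument is a placeholder supplied by the caller, not a real release number.

```bash
#!/usr/bin/env bash
# Resolve the host's <os>-<arch> pair as used by the release archive names and by
# GOOS/GOARCH, then either name the matching release archive or build from source.
set -eu

# goos_from_uname UNAME_S: map `uname -s` output to a GOOS value the README supports.
goos_from_uname() {
  case "$1" in
    Darwin)                          echo darwin ;;
    Linux)                           echo linux ;;
    MINGW*|MSYS*|CYGWIN*|Windows_NT) echo windows ;;
    *) echo "unsupported operating system: $1" >&2; return 1 ;;
  esac
}

# goarch_from_uname UNAME_M: map `uname -m` output to a GOARCH value (amd64 or arm64).
goarch_from_uname() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# release_archive VERSION OS ARCH: archive name from the README's
# secman-<version>-<os>-<arch> pattern. Assumption (not stated on the page):
# windows releases ship as .zip, the others as .tar.gz.
release_archive() {
  local version=$1 os=$2 arch=$3 ext=tar.gz
  if [ "$os" = windows ]; then ext=zip; fi
  printf 'secman-%s-%s-%s.%s\n' "$version" "$os" "$arch" "$ext"
}

# build_output OS: output path for `go build`; windows executables need the .exe
# suffix, which the README's fixed `-o build/secman` does not add.
build_output() {
  if [ "$1" = windows ]; then echo build/secman.exe; else echo build/secman; fi
}

# build_secman OS ARCH: the README's build command with the output path fixed up.
# Run from the root of a clone of github.com/KarlGW/secman.
build_secman() {
  local os=$1 arch=$2 out
  out=$(build_output "$os")
  GOOS="$os" GOARCH="$arch" go build -ldflags="-w -s" -trimpath -o "$out" cmd/secman/main.go
}

# main VERSION: print the archive to download for this host, e.g. `./secman-target.sh 1.2.3`
# (the script name and the version are placeholders chosen for this example).
main() {
  local os arch
  os=$(goos_from_uname "$(uname -s)")
  arch=$(goarch_from_uname "$(uname -m)")
  release_archive "$1" "$os" "$arch"
}

# Only run main when a version argument is given, so the file can also be sourced
# for its functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Once the archive name is known, pair it with the checksum or signature the release provides, if any, before extracting: the name tells you which file to fetch, not whether it is the file the maintainer published.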
To enable auto/tab completion for secman, follow the steps below for your shell.

Bash

Current session:

```sh
PROG=secman source <(secman completion bash)
```

For all sessions:

```sh
echo -e "\n# secman\nPROG=secman source <(secman completion bash)" >> ~/.bashrc
```

Zsh

Current session:

```sh
PROG=secman source <(secman completion zsh)
```

For all sessions:

```sh
echo -e "\n# secman\nPROG=secman source <(secman completion zsh)" >> ~/.zshrc
```

PowerShell

First create the autocompletion script (a single > overwrites any earlier copy instead of appending a duplicate):

```powershell
./secman completion powershell > "$(Split-Path $PROFILE)/secman.ps1"
```

Current session:

```powershell
& "$(Split-Path $PROFILE)/secman.ps1"
```

For all sessions (the path is single-quoted inside the line so it still works if the profile directory contains spaces):

```powershell
"& '$(Split-Path $PROFILE)/secman.ps1'" >> $PROFILE
```
When secman is first used, the key for the secret collection is generated and stored in the credential manager. A "master password" must then be set; the key that encrypts the individual secrets is derived from it.

```sh
secman profile new
secman profile set --password
# Or set a password when creating the profile.
secman profile new --password
```

This prompts for a password, derives a key from it and stores that key in the credential manager; this key is used for encrypting the secrets in the collection. To change the password (and with it the key) for all current and future secrets, run the command again.
Generate a secret value:

```sh
secman generate
```

Create a secret:

```sh
# Set value from flag
secman create --name <name> --value <secret-value>
# Set value from clipboard
secman create --name <name> --clipboard
# Set value from stdin (pipe)
echo "value" | secman create --name <name>      # provided value
secman generate | secman create --name <name>   # generated value
```

A value passed with --value is visible in the process list while the command runs, and both --value and a literal echo "value" end up in the shell's history; for anything sensitive, feed stdin from a program or from a prompt that does not echo.

Read secrets:

```sh
# List details of all secrets
secman list
# Show details of a secret
secman get --name <name>
# Get the value of the secret
secman get --name <name> --decrypt
# Get the value of the secret and copy it to the clipboard
secman get --name <name> --decrypt --clipboard
```

With --clipboard the value is not shown; it is placed on the OS clipboard ready to be pasted where needed. Any application in the session can read the clipboard and clipboard-history tools may keep a copy, so clear it once the value has been pasted.

Update a secret:

```sh
# Update value from flag
secman update --name <name> --value <new-secret-value>
# Update value from clipboard
secman update --name <name> --clipboard
# Update value from stdin (pipe)
echo "value" | secman update --name <name>      # provided value
secman generate | secman update --name <name>   # generated value
```

Delete a secret:

```sh
secman delete --name <name>
```
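The create, get and update commands above accept the value on stdin or hand it to the clipboard. The wrappers below are an added example (not part of secman or this README) that apply that to everyday use: a hidden prompt piped into secman create so the value never appears in argv or history, a generate-to-update rotation, and a clipboard copy that is cleared after a timeout. They assume secman is on PATH (SECMAN can point elsewhere), that secman create and update read the value from stdin as the README's pipe examples show and tolerate the trailing newline echo adds, and that one of pbcopy, wl-copy or xsel is available for clearing the clipboard; the function names and the db-password/api-key names are illustrative.

```bash
#!/usr/bin/env bash
# Wrappers around `secman create/get/update` that keep secret values out of argv,
# shell history and a lingering clipboard. SECMAN can be overridden to point at a
# binary outside PATH (or at a stub when testing).
set -eu
SECMAN=${SECMAN:-secman}

# store_secret NAME: read the value without echo and hand it to secman on stdin,
# so it never appears in a --value argument (process list) or in shell history.
# The prompt is only shown when stdin is a terminal; piped input is read silently.
# Assumption: secman create trims the trailing newline, as `echo "value" | secman
# create` in the README implies.
store_secret() {
  local name=$1 value=''
  if [ -t 0 ]; then printf 'Value for %s: ' "$name" >&2; fi
  IFS= read -r -s value || [ -n "$value" ]   # accept input without a final newline
  if [ -t 0 ]; then echo >&2; fi
  printf '%s\n' "$value" | "$SECMAN" create --name "$name"
}

# rotate_secret NAME: replace the stored value with a freshly generated one. The new
# value flows generate -> update through a pipe and is never displayed or logged.
rotate_secret() {
  "$SECMAN" generate | "$SECMAN" update --name "$1"
}

# clear_clipboard: empty the system clipboard with whichever tool is present
# (pbcopy on macOS, wl-copy on Wayland, xsel on X11). Returns 1 if none exists.
clear_clipboard() {
  if command -v pbcopy >/dev/null 2>&1; then printf '' | pbcopy
  elif command -v wl-copy >/dev/null 2>&1; then wl-copy --clear
  elif command -v xsel >/dev/null 2>&1; then xsel --clipboard --clear
  else return 1
  fi
}

# paste_secret NAME [SECONDS]: copy the decrypted value to the clipboard with
# `secman get --decrypt --clipboard`, then clear the clipboard after SECONDS
# (default 30) in the background, since every application in the session can read
# the clipboard and clipboard-history tools may retain it.
paste_secret() {
  local name=$1 ttl=${2:-30}
  "$SECMAN" get --name "$name" --decrypt --clipboard
  ( sleep "$ttl" && clear_clipboard ) >/dev/null 2>&1 &
  echo "clipboard will be cleared in ${ttl}s" >&2
}

# Example session (interactive): the names are illustrative.
#   store_secret db-password      # prompts without echo, then pipes into secman
#   rotate_secret api-key         # secman generate | secman update --name api-key
#   paste_secret db-password 20   # on the clipboard for 20 seconds, then cleared
```

The clearing step only covers the live clipboard; a clipboard manager that has already recorded the entry keeps it, so on machines with such tooling prefer the plain --decrypt output into the consuming program over the clipboard path.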
The currently set profile, together with its file and secret encryption keys, can be exported. Before the file is exported, the profile's secret key (password) must be entered. The resulting file is then encrypted with yet another password, which must be supplied when importing the profile to decrypt the file.

```sh
secman profile export --file <output-file>
secman profile import --file <input-file>
```

The export file carries the encryption keys, so treat it as you would the keys themselves: use a strong export password that differs from the profile password, move the file over a trusted channel, and delete it once it has been imported.