package passage

  1. Overview
  2. Docs
Passage - used to store and manage access to shared secrets

Install

Dune Dependency

github.com Readme Changelog MIT License Edit opam file Versions (2)

Authors

  1. A
    Ahrefs Pte Ltd <github@ahrefs.com>

Maintainers

  1. A
    Ahrefs Pte Ltd <github@ahrefs.com>

Sources

passage-0.1.3.tbz
sha256=c5116e7ac112dd67135389540742d957e79132be92467b9c3035d6523a12b91f
sha512=00c250c577a754c714361302253e74bd8daccce94873321f9cd5abd2a402657b75b2b720989aac0f1a95f51bc0fbcb764ffa688ffb01e35b8d475a27036805d0

README.md.html

Passage

passage - store and manage access to shared secrets

Installation

apt install age
opam install . --deps-only

Development

Building the project

make build

Running tests

make test

Secret format

Multi-line secrets with comments:

<empty line>
possibly several lines of comments
without empty lines
<empty line>
secret until end of file

Multi-line secrets without comments:

<empty line>
<empty line>
secret until end of file

Single-line secrets with comments:

single-line secret
<empty line>
comments until end of file

Single-line secrets without comments:

single-line secret

The rationale for why we have 2 distinct secret formats for multi-line and single-line secrets (and not just multi-line secrets) is mainly for backward compatibility reasons since most of the existing secrets are of the "single-line secret" format.

Commands

Reading secrets

passage get [-c, --clip] [-l, --line=LINE] [-q, --qrcode] [-s, --singleline] SECRET_NAME

  • Outputs the content of the text of the secret in SECRET_NAME, excluding comments

passage secret [-c, --clip] [-l, --line=LINE] [-q, --qrcode] [-s, --singleline] SECRET_NAME

  • An alias of passage get

passage cat [-c, --clip] [-l, --line=LINE] [-q, --qrcode] SECRET_NAME

  • Outputs the whole content of the secret in SECRET_NAME, including comments

passage show SECRET_NAME

  • Outputs the whole content of the secret in SECRET_NAME, including comments. Behaves differently when used with PATHs, please check below.

Templating with secrets

passage template TEMPLATE_FILE [TARGET_FILE]

  • Generates TARGET_FILE by substituting all secrets in TEMPLATE_FILE

  • Secrets in TEMPLATE_FILE are denoted with the following format {{{subdir/secret_name}}}. In particular, note the following:

    • Three opening and closing braces

    • No leading and trailing whitespaces before and after secret_name

    • secret_name must start with an alphanumeric character (either lowercase or uppercase), followed by 0 or more alphanumeric characters, underscores, hyphens, slashes, or dots (reference: template_lexer.ml)

  • Example when substituting a single-line secret:

    $ cat template_file
{
  "non_secret_config1": "hello",
  "sendgrid_api_key": "{{{sendgrid_api_key}}}",
  "non_secret_config2": "bye",
}

$ passage get sendgrid_api_key
thesupersecretkey
the above is the sendgrid api key!

$ passage template template_file
{
  "non_secret_config1": "hello",
  "sendgrid_api_key": "thesupersecretkey",
  "non_secret_config2": "bye",
}

  • Example when substituting a multi-line secret:

    $ cat template_file
foo{{{multiline_secret}}}bar

$ passage get multiline_secret

comment_line 1
comment_line 2

secret_line 1
secret_line 2

$ passage template template_file target_file

$ cat target_file
foosecret_line 1
secret_line 2bar

passage subst [TEMPLATE_ARG]

  • similar to passage template, but you pass in a string template and the result is output to stdout

    $ passage secret test/secret
unbelievable stuff

$ passage subst "This secret is {{{test/secret}}}"
This secret is unbelievable stuff

passage template-secrets [TEMPLATE_FILE]

  • returns a list of sorted secrets identified in that template file per the parse format

  • secrets are not checked for existence

Specifying recipients

Secrets' recipients are specified in the .keys file in the immediately containing folder. The first time a folder is used, passage will create this file. If no recipients are specified, it falls back to the caller as the sole recipient based on the file referenced by $PASSAGE_IDENTITY.

Recipients are not inherited from containing (parent) folders. Recipients in a folder can only be increased when added by the existing recipients.

All secrets in a given folder must share the same set of recipients.

passage edit-who SECRET_NAME

  • edit the recipients for the specified secret (and path).

Creating or updating secrets

passage new SECRET_NAME

  • Interactive secret creation using $EDITOR and prompts.

  • Can only be used in interactive shell

passage create SECRET_NAME

  • Creates a secret using contents from standard input. Use Ctrl+d twice to signal end of input.

  • Can pipe from another command into passage create. E.g.:

$ echo "secret" | passage create secret_folder/secret

passage edit SECRET_NAME

  • Interactive editing of SECRET_NAME using $EDITOR

  • Can only be used in interactive shell

passage replace SECRET_NAME

  • Replaces SECRET_NAME's secret with the user input and keeps the comments. Use Ctrl+d twice to signal end of input.

  • If you use replace on a secret that doesn't exist, it creates a new secret without comments (only in folders where the user is already a recipient)

passage rm [--force] [--verbose] SECRET_NAME / passage delete [--force] [--verbose] SECRET_NAME

  • Deletes SECRET_NAME path

  • If SECRET_NAME is the only secret in that folder, passage deletes the whole folder

Managing secrets

passage list [PATH] / passage ls [PATH]

  • Recursively list all secrets in PATH

passage search PATTERN [PATH]

  • List all secrets in PATH containing contents matching PATTERN

passage show [PATH]

  • Recursively list all secrets in PATH in a tree-like format

  • Will work the same way as cat when used with secret names instead of a PATH. Doesn't take any arguments or flags

passage refresh [PATH]

  • Re-encrypts all secrets in PATH per the recipients in the corresponding .keys file

passage who [PATH]

  • List all recipients of secrets in PATH

passage what RECIPIENT_NAME

  • List all secrets that RECIPIENT_NAME has access to

Environment Variables

PASSAGE_DIR

  • Overrides the default passage directory.

PASSAGE_KEYS

  • Overrides the default passage keys directory.

PASSAGE_SECRETS

  • Overrides the default passage secrets directory.

PASSAGE_IDENTITY

  • Overrides the default identity .key file that will be used by passage

PASSAGE_X_SELECTION

  • Overrides the default X selection to use when clipping to clipboard. Allowed values are primary, secondary, or clipboard (default).

PASSAGE_CLIP_TIME

  • Overrides the default clip time. Specified in seconds.

Utilities

passage healthcheck

  • checks for issues with secrets, and for directories without .keys file

passage realpath [--verbose] [PATH]

  • show the full filesystem path to secrets/folders

OCaml

Innovation. Community. Security.

GitHub Discord Twitter Peertube RSS
About
Changelog Releases Industrial Users Academic Users Why OCaml
Ecosystem
Packages Community Events OCaml Planet Jobs
Resources
Install OCaml Get Started Platform Tools Language Manual Standard Library API Books Exercises Papers OCaml Playground Logo
Policies
Carbon Footprint Governance Privacy Code of Conduct