
Keybox

Keybox is a crypto toolset and server for secrets and keys.
It mainly wraps a clean workflow around sops, age and minisign, with additional server-side services.

See Usage for an overview of features and use cases.

Features

  • Keyserver to broadcast public keys and identities
  • Secret storage for arbitrary data in key value store
  • Lockdown Mode (completely seal everything)
  • Secrets API & GUI

Setup

#todo

Usage

Key Management

#todo

Key Server

Keybox provides an index of public keys for age and minisign.

Local Encryption Workflow

# Add a key
kbx key new [--no-commit] <name> <age_key>

# Create a creation rule: path_regex selects the files it applies to,
# encrypted_regex selects the YAML keys that get encrypted (as in sops)
kbx add-rule <name> <path_regex> <encrypted_regex>

# Allow secret access
kbx key allow [--no-commit] <name> <rule_name>

# See status
kbx status

# Edit or create an encrypted file
kbx edit <file>

# Set raw YAML values
kbx set <file> <key> <val>

# Renew a key
kbx key renew [--no-commit] <name> <age_key>

Working with the Server

# Login to a keybox server
kbx login <server>

# Push your local secrets
kbx push --name <name> <file>

# List your secrets
kbx secret list

# Get a secret
kbx secret get <secret>

# Set a secret
kbx secret set <secret> <value>

Generate a shared secret (OTP)

A shared secret is a one-time secret: the first person to access it consumes it, and it vanishes from the server without trace.
This can be used to send passwords or other sensitive information securely.
The following command prints a new URL that you can pass over an insecure channel; only the URL travels over that channel, and the secret can be read exactly once.

# Make a new shared secret
kbx otp new <secret>
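As an added illustration of the one-time semantics described above, and of the lockdown mode listed under Features, here is a small stand-alone Rust model of such a store. It is example code written for this page, not Keybox's own implementation, and it assumes an in-memory map, 256-bit tokens drawn from /dev/urandom, a lockdown flag that refuses every read and write, and an invented URL layout ("/otp/<token>"). The secret "hunter2" in main is constructed sample input.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;
use std::sync::Mutex;

/// Errors the store can report. `Locked` is returned for every operation
/// while lockdown mode is active; `NotFound` covers unknown *and* already
/// consumed tokens, so a second reader cannot tell the two apart.
#[derive(Debug, PartialEq)]
pub enum StoreError {
    Locked,
    NotFound,
}

struct Inner {
    secrets: HashMap<String, Vec<u8>>,
    locked: bool,
}

/// Hypothetical one-time-secret store: each secret is addressed by a random
/// token and is removed on the first successful read (not Keybox's own code).
pub struct OtpStore {
    inner: Mutex<Inner>,
}

impl OtpStore {
    pub fn new() -> Self {
        OtpStore {
            inner: Mutex::new(Inner { secrets: HashMap::new(), locked: false }),
        }
    }

    /// Store `secret` and return the fresh token that addresses it.
    pub fn create(&self, secret: &[u8]) -> Result<String, StoreError> {
        let mut inner = self.inner.lock().unwrap();
        if inner.locked {
            return Err(StoreError::Locked);
        }
        let token = random_token();
        inner.secrets.insert(token.clone(), secret.to_vec());
        Ok(token)
    }

    /// Return the secret for `token` and delete it in the same critical
    /// section, so two concurrent readers cannot both succeed.
    pub fn reveal(&self, token: &str) -> Result<Vec<u8>, StoreError> {
        let mut inner = self.inner.lock().unwrap();
        if inner.locked {
            return Err(StoreError::Locked);
        }
        inner.secrets.remove(token).ok_or(StoreError::NotFound)
    }

    /// Lockdown mode (assumed semantics): refuse every read and write from
    /// now on; existing secrets stay sealed inside the store.
    pub fn lockdown(&self) {
        self.inner.lock().unwrap().locked = true;
    }

    /// Build the URL handed to the recipient. The path layout is invented
    /// for this example; only the token part is sensitive.
    pub fn share_url(base: &str, token: &str) -> String {
        format!("{}/otp/{}", base.trim_end_matches('/'), token)
    }
}

/// 256-bit token from the kernel CSPRNG, hex encoded. Reading /dev/urandom
/// directly keeps the example free of external crates; a real service would
/// use the `getrandom` or `rand` crate instead.
fn random_token() -> String {
    let mut bytes = [0u8; 32];
    File::open("/dev/urandom")
        .and_then(|mut f| f.read_exact(&mut bytes))
        .expect("kernel CSPRNG unavailable");
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    let store = OtpStore::new();
    let token = store.create(b"hunter2").unwrap();
    println!(
        "send this over the insecure channel: {}",
        OtpStore::share_url("https://kbx.example.com", &token)
    );
    // The first read succeeds and consumes the secret ...
    let first = store.reveal(&token).map(|s| String::from_utf8_lossy(&s).into_owned());
    println!("first reveal:  {:?}", first);
    // ... the second one finds nothing left.
    println!("second reveal: {:?}", store.reveal(&token));
}
```

The property worth checking in any real implementation is the one in `reveal`: lookup and deletion happen under the same lock, so a URL that leaks to two parties can still only ever be redeemed once, and the loser receives the same `NotFound` as someone guessing tokens.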

LUKS

Unlock a LUKS device with a remote keyfile that is never stored on your device (`--key-file -` makes cryptsetup read the key from stdin, so it only ever exists in the pipe and in cryptsetup's memory, not on disk):

kbx secret get luks/mykey | cryptsetup open /dev/sdXn my_crypt --key-file -

Sops-Nix

With sops-nix you declare secrets like:

sops.secrets.secret_pass = {
    format = "yaml";
    sopsFile = ./secrets/secrets.yml;
};

But if you don't want to store the secrets next to the flake in a public repository (even though they are encrypted), you can push them to Keybox and fetch them in the derivation:

sops.secrets.secret_pass = let
    kbxSecret = { host, name, sha256 }: pkgs.fetchurl {
        url = "${host}/secret/${name}";
        inherit sha256;
    };
in {
    format = "yaml";
    sopsFile = kbxSecret {
        name = "secrets";
        # give the scheme explicitly so the encrypted file is not fetched over plain HTTP
        host = "https://kbx.example.com";
        sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    };
};

Caution: fetchurl is a fixed-output derivation, so Nix identifies the result by its hash. After every re-encryption (key rotation, etc.) you need to update the hash (printed as Fingerprint), otherwise Nix keeps using the previously fetched file from the store and never contacts the server; with a hash that no longer matches, the build fails until you update it.

This way secrets still end up (encrypted) in the Nix Store, but you get:

  • No secrets in public repositories
  • Access logging on the server for every secret fetch