It also integrates nicely with NixOS (which is what I use, though it does not require NixOS to be used).
I have summed up a bit of explanation and some answers to reasonable questions in a blog post: https://baldino.dev/blog/secs-man/
It also integrates nicely with NixOS (which is what I use, though it does not require NixOS to be used).
I have summed up a bit of explanation and some answers to reasonable questions in a blog post: https://baldino.dev/blog/secs-man/
This is true for secs-man too: when you export it prompts with "Enter passphrase:" and you enter the passphrase (I am considering extending it to read the passphrase from a file or from an environment variable, or piped in from stdin, but I'm still not sure what to think of if from a security standing point and I they don't fit my current use so I don't have it in the current TODO)
What makes it unique is that it can be completely emulated by hand (even though it might be a bit tedious) from just a terminal with bash and age installed. This is explained a bit better in the blog post or in the "philosophy section" of the README, but the main point is that (in my opinion) you should NEVER find yourself vendor-locked-in for any data, in particular for secrets. However, you will always need tools for managing them. My tool is designed to be usable and avoid vendor-lock-in, meaning that even if you lose access to the tool you are not locked out of your tools!
I have probably phrased it better in the linked blog post, I invite you to read it if you're still curious. I'm here for any other question!
First of all, it creates snapshots for each export and it ensures to pull the latest snapshot during import. Also, it manages the hashes of the secrets (created on first export) and of the export, which ensure that the files are not corrupted, so that when I import I can be sure that no bitrot happened and the secrets that get copied on my machine are bit-identical to the ones I exported.
That being said, it's true that this is not a lot of work to be pulling. As I wrote in the blog post, this Rust tool could have been a Bash script. However I opted for not-bash because I don't feel particularly comfortable with bash and I like to have types. If I knew Go, it would have been a solid option
lolpython•1h ago
soiltype•1h ago
Fran314•1h ago
Fran314•1h ago
Also, thank you for the comment! I use it on a weekly basis and it has integrated very nicely with my setup
mrhottakes•52m ago
srean•22m ago