eenvdir

eenvdir is a simple commandline utility inspired by envdir.

Find it on GitHub: sufianrhazi/eenvdir

Motivation

envdir and really the whole daemontools suite of commandline utilities are deceptively simple and powerful tools for managing UNIX services. While the original envdir is fantastic, I've found a common need to pass a set of "secret" environment variables that are stored encrypted at rest on disk.

eenvdir is a tiny reimplementation of envdir (102 LoC, including documentation) that allows environment variable files to be encrypted via AES-256 in CBC mode with a shared password across all files in the directory.

This encryption strategy may not meet your needs if you work with others on complex infrastructure. I personally manage a handful of hosts and this works great for me. If you're doing complex things, you may want to look at KMS, Vault, or Keywhiz.

I consider eenvdir to be "complete." Unless AES-256 is found to be broken or a security vulnerability is found in Python's standard library, I will not maintain or modify this software.

Requirements

  • python3 (at least 3.6)
  • openssl (supporting enc -d -aes-256-cbc)

Installation

Copy/symlink eenvdir to somewhere on your path.

Or just ln -s "$(pwd)/eenvdir" /usr/local/bin/eenvdir

Usage

Usage: eenvdir [--password-via-fd=N] DIR CMD [ARG] ...

Run CMD with environment modified according to files in DIR


    If DIR contains a file named KEY.aes it is decrypted and proceeds as if the
    file was named KEY. Decryption via: openssl enc -d -aes-256-cbc -salt

    If DIR contains a file named KEY whose first line is VAL, envdir removes an
    environment variable named KEY if one exists, and then adds an environment
    variable named KEY with value VAL. The name KEY must not contain =. Spaces
    and tabs at the end of VAL are removed. Nulls in VAL are changed to
    newlines in the environment variable.

    If the file KEY is completely empty (0 bytes long), envdir removes an
    environment variable named KEY if one exists, without adding a new
    variable.

    Exits 111 if it has trouble reading DIR, if it runs out of memory for
    environment variables, or if it cannot run child. Otherwise its exit code is
    the same as that of child.


Options:
    --password-via-fd=N     fd N is read and closed; password is the contents
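The rules in the usage text above, as an added Python sketch (not eenvdir's own source). The function names are hypothetical, and two behaviours are assumptions: the password is handed to openssl over a pipe with `-pass fd:N`, and a KEY containing = is rejected with an error.

```python
import os
import subprocess
import tempfile

def parse_value(data: bytes) -> bytes:
    # First line only; trailing spaces/tabs removed; NUL becomes newline.
    return data.split(b"\n", 1)[0].rstrip(b" \t").replace(b"\0", b"\n")

def decrypt(path: str, password: bytes) -> bytes:
    # The password travels over a pipe, so it never appears in argv or the environment.
    r, w = os.pipe()
    try:
        os.write(w, password + b"\n")    # openssl reads the first line of the fd
    finally:
        os.close(w)
    try:
        cmd = ["openssl", "enc", "-d", "-aes-256-cbc", "-salt",
               "-in", path, "-pass", f"fd:{r}"]
        return subprocess.run(cmd, pass_fds=(r,), check=True,
                              stdout=subprocess.PIPE).stdout
    finally:
        os.close(r)

def build_env(dirpath: str, base: dict, password: bytes = None) -> dict:
    env = dict(base)
    for name in sorted(os.listdir(dirpath)):
        path = os.path.join(dirpath, name)
        if not os.path.isfile(path):
            continue
        encrypted = name.endswith(".aes")
        key = name[:-4] if encrypted else name
        if "=" in key:
            raise ValueError(f"invalid variable name: {key!r}")  # assumption: reject
        if encrypted:
            if password is None:
                raise ValueError(f"{name} needs a password")
            data = decrypt(path, password)
        else:
            with open(path, "rb") as f:
                data = f.read()
        env.pop(key, None)               # an existing value is always removed first
        if data:                         # 0 bytes: remove only, add nothing
            env[key] = os.fsdecode(parse_value(data))
    return env

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed sample directory
        with open(os.path.join(d, "DB_HOST"), "wb") as f:
            f.write(b"db.internal \t\nignored second line\n")
        open(os.path.join(d, "DEBUG"), "wb").close()
        print(build_env(d, {"DEBUG": "1", "PATH": "/bin"}))
```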