eenvdir is a simple commandline utility inspired by
Find it on GitHub: sufianrhazi/eenvdir
envdir and really the whole
daemontools suite of commandline utilities are
deceptively simple and powerful tools for managing UNIX services. While the original
envdir is fantastic, I've found a
common need to pass a set of "secret" environment variables that are stored encrypted at rest on disk.
eenvdir is a tiny reimplementation of
envdir (102 LoC, including documentation) that allows environment variable
files to be encrypted via AES-256 in CBC mode with a shared password across all files in the directory.
This encryption strategy not meet your needs if you work with others on complex infrastructure. I personally manage a handful of hosts and this works great for me. If you're doing complex things, you may want to look at KMS, Vault, or Keywhiz.
eenvdir to be "complete." Unless AES-256 is found to be broken or a security vulnerability is found in
python's standard library, I will not maintain or modify this software.
- python3 (at least 3.6)
- openssl (supporting
enc -d -aes-256-cbc)
Copy/symlink eenvdir to somewhere on your path.
ln -s "$(pwd)/eenvdir" /usr/local/bin/eenvdir
Usage: eenvdir [--password-via-fd=N] DIR CMD [ARG] ... Run CMD with environment modified according to files in DIR If DIR contains a file named KEY.aes it is decrypted and proceeds as if the file was named KEY. Decryption via: openssl enc -d -aes-256-cbc -salt If DIR contains a file named KEY whose first line is VAL, envdir removes an environment variable named KEY if one exists, and then adds an environment variable named KEY with value VAL. The name KEY must not contain =. Spaces and tabs at the end of VAL are removed. Nulls in VAL are changed to newlines in the environment variable. If the file KEY is completely empty (0 bytes long), envdir removes an environment variable named KEY if one exists, without adding a new variable. Exits 111 if it has trouble reading DIR, if it runs out of memory for environment variables, or if it cannot run child. Otherwise its exit code is the same as that of child. Options: --password-via-fd=N fd N is read and closed; password is the contents