App-GroupSecret

README

NAME

    groupsecret - A simple tool for maintaining a shared group secret

VERSION

    version 0.304

SYNOPSIS

        groupsecret [--version] [--help] [-f <filepath>] [-k <privatekey_path>]
                    <command> [<args>]
    
        groupsecret add-key [--embed] [--update] <publickey_path> ...
    
        groupsecret delete-key <fingerprint>|<publickey_path> ...
    
        groupsecret list-keys
    
        groupsecret set-secret [--keep-passphrase] <path>|-|rand:<num_bytes>
    
        groupsecret [print-secret] [--no-decrypt]

DESCRIPTION

    groupsecret is a program that makes it easy for groups to share a
    secret between themselves without exposing the secret to anyone else.
    It could be used, for example, by a team to share an ansible-vault(1)
    password; see "ansible-vault" for more about this particular use case.

    The goal of this program is to be easy to use and have few dependencies
    (or only have dependencies users are likely to already have installed).

    groupsecret works by encrypting a secret with a symmetric cipher
    protected by a secure random passphrase which is itself encrypted by
    one or more SSH2 RSA public keys. Only those who have access to one of
    the corresponding private keys are able to decrypt the passphrase and
    access the secret.
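
    The layering described above, sketched with openssl(1) as an added
    example; it is not groupsecret's own code or keyfile format. The cipher
    choices, the PEM key format, the file names and the member names (alice,
    bob, mallory) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration of the layered scheme; NOT groupsecret's own code.
# Assumptions: openssl(1) 1.1.1+; AES-256-CBC/PBKDF2 and RSA-OAEP are this
# example's choices; PEM keys stand in for the SSH2 RSA keys groupsecret takes.
set -eu

newkey() {  # newkey <base>: constructed test key -> <base>.pem, <base>.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.pem" 2>/dev/null
    openssl pkey -in "$1.pem" -pubout -out "$1.pub"
}

seal() {  # seal <secret_file> <out_dir> <pubkey>...
    secret=$1 out=$2; shift 2
    mkdir -p "$out"
    # 1. Fresh random passphrase; it is never written to disk in the clear.
    pass=$(openssl rand -hex 32)
    # 2. The secret is encrypted once, symmetrically, under that passphrase.
    PASS=$pass openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:PASS \
        -in "$secret" -out "$out/secret.enc"
    # 3. The passphrase is encrypted separately to each member's public key.
    n=0
    for pub in "$@"; do
        n=$((n + 1))
        printf '%s' "$pass" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
            -pkeyopt rsa_padding_mode:oaep -out "$out/pass.$n.enc"
    done
}

unseal() {  # unseal <out_dir> <n> <privkey>: prints the secret or fails
    pass=$(openssl pkeyutl -decrypt -inkey "$3" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/pass.$2.enc") || return 1
    PASS=$pass openssl enc -d -aes-256-cbc -pbkdf2 -pass env:PASS \
        -in "$1/secret.enc"
}

demo() {  # two members (alice, bob) and one non-member (mallory)
    d=$(mktemp -d)
    for who in alice bob mallory; do newkey "$d/$who"; done
    printf 'constructed-vault-password\n' > "$d/secret.txt"
    seal "$d/secret.txt" "$d/box" "$d/alice.pub" "$d/bob.pub"
    unseal "$d/box" 2 "$d/bob.pem"
    unseal "$d/box" 2 "$d/mallory.pem" 2>/dev/null || echo "mallory: denied"
    rm -rf "$d"
}
demo
```

    Adding a member only requires encrypting the passphrase to one more
    public key; the encrypted secret itself is left untouched.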

    The encrypted secret and passphrase are stored in a single keyfile. You
    can even commit the keyfile in a public repo or in a private repo where
    some untrusted users may have read access; the secret is locked away to
    all except those with a private key to a corresponding public key that
    has been added to the keyfile.

    The keyfile is just a YAML file, so it's human-readable (except of
    course for the encrypted parts). This makes it easy to add to version
    control and work with diffs. You can edit the keyfile by hand if you
    learn its very simple structure, but this program makes it even easier
    to manage the keyfile.

OPTIONS

 --version

    Print the program name and version to STDOUT, and exit.

    Alias: -v

 --help

    Print the synopsis to STDOUT, and exit.

    Alias: -h

 --file=path

    Specify a path to a keyfile which stores a secret and keys.

    Defaults to the value of the environment variable "GROUPSECRET_KEYFILE"
    or groupsecret.yml.

    Alias: -f

 --private-key=path

    Specify a path to a PEM private key. This is used by some commands to
    decrypt the passphrase that protects the secret and is ignored by
    commands that don't need it.

    Defaults to the value of the environment variable
    "GROUPSECRET_PRIVATE_KEY" or ~/.ssh/id_rsa.

    Alias: -k

COMMANDS

 add-key

        groupsecret add-key path/to/mykey_rsa.pub

    Adds one or more SSH2 RSA public keys to a keyfile. This allows the
    secret contained within the keyfile to be accessed by whoever has the
    corresponding private key.

    If the --embed option is used, the public keys will be embedded in the
    keyfile. This may be a useful way to make sure the actual keys are
    available in the future since they could be needed to encrypt a new
    passphrase if it ever needs to be changed. Keys that are not embedded
    will be searched for in the filesystem; see "GROUPSECRET_PATH".

    If the --update option is used and a key with the same fingerprint is


