Show HN: Secs-man, a secrets manager you can (not) rely on(github.com)
25 points by Fran314 5 hours ago | 7 comments
bglusman 1 hour ago
This is an interesting motivation for the project... I kind of get it, but, have you looked at fnox[0][1]? Curious how you'd compare/contrast goals with that if so, I think I prefer that as its not coupled to a single encryption tool (age) but supports age as well as multiple cloud or local options behind one unified interface... I think it can even mix multiple stores together? but I may be missing something/didn't read thoroughly yet...maybe there's a reason fnox doesn't work as well with Nix? fnox was discussed here previously[2]

[0]https://github.com/jdx/mise/discussions/6779 [1]https://github.com/jdx/fnox [2]https://news.ycombinator.com/item?id=45722931

Fran314 16 minutes ago
I didn't know about it existence, it looks like a nice project! Also, it would probably play nicely with Nix (by writing wrappers instead of symlinks)

However it doesn't fit quite the same niche that my tool does. If I understand it correctly (though I only read those two links) fnox is more about how to use the secrets, ie given an encrypted description of the secrets, how to make them accessible to programs (kind of like sops?)

With my tool, secrets on the device are in plaintex and simply accessed by path reference by the respective programs. The focus of secs-man is more on exporting, ensuring integrity, and importing (possibly to remote machines). All of this, while being manually recoverable even without the tool.

Still, interesting project! Might take inspiration from it for some features

pzacik 2 minutes ago
What advantages does this have compared to something like the .kdbx format invented by KeePass, which is open and implemented by many other open-source tools than KeePass itself?
lolpython 3 hours ago
It reads to me as "sex man" but aside from that, looks useful!
Fran314 3 hours ago
As pointed out by the other user, yes it is intentional, I always like a silly name

Also, thank you for the comment! I use it on a weekly basis and it has integrated very nicely with my setup

mrhottakes 3 hours ago
The name is great, we should bring whimsy back to software
srean 3 hours ago
And in these neck of the woods man is a short for manual. Funny name.
3 hours ago
soiltype 3 hours ago
I have to assume that's intentional, lol
Fran314 3 hours ago
Yes, that was intentional. Originally it was just called "secrets-manager", I decided to shorten it only because it was (not really) too long to type, and a friend of mine had the realization that you can abbreviate it to something that sounds funny!
philipallstar 1 hour ago
This project is screaming for a pronunciation guide.
bhuvanbk007 3 hours ago
So is this like a encrypt tool where we pass an external key to encrypt and we can use other apps to decrypt since key is not embedded in the tool? Or am I understanding it wrong?
Fran314 3 hours ago
That is true, but it's not specifically what makes it unique. Most encryption tool (like https://github.com/FiloSottile/age which is what secs-man uses under the hood) do not usually bake in the encryption key, rather they expect you to generate it and provide it.

This is true for secs-man too: when you export it prompts with "Enter passphrase:" and you enter the passphrase (I am considering extending it to read the passphrase from a file or from an environment variable, or piped in from stdin, but I'm still not sure what to think of if from a security standing point and I they don't fit my current use so I don't have it in the current TODO)

What makes it unique is that it can be completely emulated by hand (even though it might be a bit tedious) from just a terminal with bash and age installed. This is explained a bit better in the blog post or in the "philosophy section" of the README, but the main point is that (in my opinion) you should NEVER find yourself vendor-locked-in for any data, in particular for secrets. However, you will always need tools for managing them. My tool is designed to be usable and avoid vendor-lock-in, meaning that even if you lose access to the tool you are not locked out of your tools!

I have probably phrased it better in the linked blog post, I invite you to read it if you're still curious. I'm here for any other question!

rirze 2 hours ago
Sincerely, I don't get the motivation for this. It feels like `age` is pulling most of the work I care about. `age` is the only tool here encrypting and decrypting secrets, are you managing the orchestration of secrets with your tool?
Fran314 2 hours ago
age is pulling all the encryption work. What the tool does is the import/export managing.

First of all, it creates snapshots for each export and it ensures to pull the latest snapshot during import. Also, it manages the hashes of the secrets (created on first export) and of the export, which ensure that the files are not corrupted, so that when I import I can be sure that no bitrot happened and the secrets that get copied on my machine are bit-identical to the ones I exported.

That being said, it's true that this is not a lot of work to be pulling. As I wrote in the blog post, this Rust tool could have been a Bash script. However I opted for not-bash because I don't feel particularly comfortable with bash and I like to have types. If I knew Go, it would have been a solid option

axus 2 hours ago
I confused your username with jeanp413
Fran314 2 hours ago
By the looks of it, someone way more skilled than me!
jchip303 2 hours ago
[dead]