/ˈskədl/
Icon made by Gregor Cresnar from www.flaticon.com
Scuttle aims to help you prevent security breaches by keeping secrets out of SCM in plain text. If you operate on Google Cloud, you don't have a lot of options available to you out of the gate for managing secrets.
Scuttle uses KMS keys, and IAM policy to enforce the level of trust you need at your trust boundaries. No plain text is stored in the repository, only cipher text that is decryptable with an IAM user that has the appropriate permissions.
SCTL is not End2End encryption, instead SCTL is more of an envelope, in which you store secrets until they are needed, and those secrets should only remain available in plain text while the operation that needs them is active.
It's less interesting than you think. I'm a fan of short cli commands, and sctl is short hand for "secrets-ctl", which when pronounced out loud sounds like "scuddle" (i'm a kube cuddle person) - ergo: "scuttle".
Homebrew:
Currently only x86 linux/mac are supported.
Install sctl
brew tap vapor-ware/formula
brew install vapor-ware/formula/sctl
Snap Packages:
We tried snaps, at this time its not a suitable release channel for sctl. We are open to attempting again in the future.
Pipeline Releases:
Currently only x86 arch, linux/mac/windows are published.
Download the latest stable release from the Releases listing for your platform/arch.
Untarball the release tar xvfz sctl_version_Linux_x86_64.tar.gz
Install the sctl binary somewhere in $PATH, eg:
sudo install sctl /usr/local/bin/sctl - this will move the binary to /usr/local/bin/sctl and chmod the binary 755
From Source:
You'll need at least go 1.11 (for go modules), a valid $GOPATH, and should have the GOPATH
bin path appended to $PATH
go get -u github.com/vapor-ware/sctl
Configuration consists of 2 steps:
You can configure sctl's authentication in one of two ways.
-
GOOGLE_APPLICATION_CREDENTIALS- via env. You set this environment variable to a filepath containing your credentials. Which can be any serviceAccount or authorized User for example. -
sctl credential addwill prompt you for a client configuration JSON. Ask your sctl administrator to provide this value if you're unsure what to enter. Once input, a link will be output to your terminal to visit. Open the link, log in to google, and Grant sctl's KMS scope authentication request. This will redirect you to a temporary http server which will finish your authentication.
Optionally, you may set an ENV var to provide the value for your key parameter. This is useful if you
work in a small department and use the same key consistently. Otherwise this step may be skipped and you can pass the --key flag to any command that supports it.
export SCTL_KEY=projects/my-project/locations/us/keyRings/my-keyring/cryptoKeys/my-key
To get help with any command and show usage details, sctl responds to the --help
flag, or simply run sctl without any arguments.
$ sctl add foo
Enter the data you want to encrypt. END with CTRL+D
bar
$ sctl list
FOO
$ cat .scuttle.json
[
{
"name": "FOO",
"cypher": "CiQArcZm2GES73oHpipKV3UHUyFOUkPvWADrV/H6IssOIfVuh9wSKwDujG3UyRBnTFqciamPsK0x8UIaq6kzsYlhPoA9YHCzh0pd3KOJFpkvQqI=",
"created": "2019-05-01T19:08:58.959335955-05:00"
"encoding": "base64"
}
]
# sctl run helmfile diff
Key decryption is simple:
$ sctl read foo
bar
As you deprecate/disable older KMS key revisions, it can be prudent to migrate a statefile of encrypted secrets. This can be a daunting task if undertaken one by one. To ease the migration between versions (and different keys). The re-key function was introduced in 1.0.0.
sctl re-key --newKey projects/new-project/locations/us/keyRings/new-keyring/cryptoKeys/new-key
Rotated entry for FOO
Rotated entry for BAR
Note: this operation attempts to be ATOMIC, and if an error occurs, the state may be incompletely translated. This can be confirmed if the sctl state file is versioned in VCS where you can easily diff the contents.
Note: the base64 data, and createdOn date's should be different if the entry was updated.
Several tools like this have come before; sctl offers a polite hat-tip to