Age based repository file encryption gitops tool
Easy and simple file repository encryption tool based on Age.
Have you ever thought "this should be simpler" while using tools like Blackbox, git-crypt or SOPS? That is what agebox is for: a tool built on top of Age's encryption that encrypts and decrypts your repository files, focused on simplicity and gitops.
git clone git@github.com:slok/agebox.git && cd ./agebox && make build && ls -la ./bin
Initialize agebox tracking file.
agebox init
Encrypt (and track) multiple files.
agebox encrypt ./app1/secret1.yaml ./app2/secret1.yaml
Encrypt (and track) a directory in dry-run to see what would be encrypted before doing it.
agebox encrypt ./secrets --dry-run
Encrypt (and track) only the files in a directory whose names match a regex filter (here, the secret-named YAML files).
agebox encrypt ./manifests --filter ".*secret(\.yaml|\.yml)$"
Decrypt a subset of tracked secrets and a file.
agebox decrypt ./secrets/team-1 ./secrets/secret1.yaml
Decrypt only the tracked files whose paths match a regex filter (here, team-a).
agebox decrypt ./secrets --filter ".*team-a.*"
Force decryption of all tracked files.
agebox decrypt --all --force
Validate that tracked secrets are encrypted and not left decrypted (skipping the decryption check).
agebox validate --no-decrypt
Cat multiple encrypted files and print them to stdout.
agebox cat ./secrets/secret1.yaml.agebox ./secrets/secret2.json.agebox --no-log
Reencrypt all files.
agebox reencrypt
Untrack multiple files.
agebox untrack ./secrets/secret1.yaml ./secrets/secret2.yaml
Untrack a file and delete it.
agebox untrack ./secrets/secret1.yaml --delete
When you initialize agebox on a repository it will create a file (.ageboxreg.yml) that tracks all the encrypted files in the repository.
From now on, if you encrypt files with agebox from the root of the repository, it will encrypt them using the public keys in ./keys (or the path given with --public-keys) as recipients, and record them in that tracking file.
As a regular flow of agebox usage, you can decrypt and encrypt tracked files, or all of them at once with --all (encrypting again the tracked files that are decrypted in the repository). Check the Getting started section for specific commands.
Agebox supports the same asymmetric keys Age does.
Agebox knows how to discover keys in directories (recursively).
The public keys are the recipients of the encrypted files. With their respective private keys, users will be able to decrypt the files.
Public keys should be in a directory relative to the root of the repository (by default ./keys) at the moment of invoking encryption commands. This simplifies key handling, since no PGP keys or agents are required.
Agebox encrypts with the loaded public keys, which means that whenever we add or remove a public key we should reencrypt the tracked files.
In case you don't want to have all the public keys in every repository managed by agebox, you can centralize these keys in another repository and fetch them before invoking agebox, for example as a git submodule (git pull --recurse-submodules) or with a plain git clone/pull. You can point agebox at them with the --public-keys flag or the AGEBOX_PUBLIC_KEYS env var.
You can have multiple public keys in a file (one per line), like an Age recipients file.
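As an added example (not agebox's own code), here is a small loader that reads a ./keys directory the way described above: recursively, one recipient per line, '#' comments skipped, and every unparsable line reported instead of silently dropped, so you can audit exactly which recipients your secrets will be encrypted to. It assumes native age recipients are "age1" plus 58 bech32 characters (shape only, no checksum) and SSH recipients are ssh-ed25519 lines; the sample key tree, the placeholder age key and the SSH key bytes are constructed.

```python
import base64
import re
import struct
import tempfile
from pathlib import Path

AGE_RE = re.compile(r"^age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}$")  # shape only, no checksum
ED25519_HDR = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)  # SSH wire header

def parse_recipient(line):
    """Return the recipient key for a well-formed line; raise ValueError otherwise."""
    if AGE_RE.match(line):
        return line
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("unrecognised recipient format")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    if len(blob) != len(ED25519_HDR) + 32 or not blob.startswith(ED25519_HDR):
        raise ValueError("ssh-ed25519: malformed key blob")  # truncated or not ed25519
    return parts[1]

def load_recipients(keys_dir):
    """Walk keys_dir recursively; returns ({key: 'file:line'}, [(where, reason), ...])."""
    recipients, rejected = {}, []
    for path in sorted(p for p in Path(keys_dir).rglob("*") if p.is_file()):
        for n, raw in enumerate(path.read_text().splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):  # blank lines and comments are skipped
                continue
            where = f"{path.relative_to(keys_dir)}:{n}"
            try:
                recipients.setdefault(parse_recipient(line), where)  # first location wins
            except ValueError as e:
                rejected.append((where, str(e)))  # nothing is dropped silently
    return recipients, rejected

def ssh_ed25519_line(raw, comment):
    """authorized_keys-style line from raw key bytes (used for the constructed samples)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw)) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def write_sample_keys():
    """Constructed ./keys tree: a valid SSH key, a placeholder age key, a truncated key, junk."""
    root = Path(tempfile.mkdtemp())
    (root / "team-a").mkdir()
    (root / "team-a" / "alice.pub").write_text(ssh_ed25519_line(bytes(range(32)), "alice") + "\n")
    (root / "ci.txt").write_text("# CI recipients\nage1" + "q" * 58 + "\n"
                                 + ssh_ed25519_line(bytes(range(31)), "truncated") + "\nnot-a-key\n")
    return str(root)
```

Running load_recipients(write_sample_keys()) yields two recipients with their source locations and two rejected lines (the truncated SSH key and the junk line), each with the file and line number to fix.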
By default Agebox will try loading all the valid private keys from $HOME/.ssh; however, you can configure this with the --private-keys flag or the AGEBOX_PRIVATE_KEYS env var to point to a specific directory with the keys (or a path to a single key).
Thanks to @FiloSottile, @Benjojo12 and all the other contributors of Age.