Conceal is a command-line utility that eases the interaction between developer and OSX Keychain Access. It is the open-source companion to Summon as every secret added using this tool into Keychain is added using Summon-compliant formatting. If you don't plan on using Summon, it's still a great Keychain management tool.
- Requirements
- Installation
- Usage
- keychain Package
- clipboard Package
- Concept
- Maintainer
- Contributions
- License
- MacOS
brew tap infamousjoeg/tap
brew install conceal- Download the latest release available at GitHub Releases.
- Move the
concealexecutable file to a directory in yourPATH. (I use~/bin.) - In Terminal, run the following command to make sure it's in your
PATH:
$ conceal
$ conceal set dockerhub/token
$ echo "my-secret-value" | conceal set dockerhub/token
To add a secret to Keychain, call conceal and use the set command to pass the account name to add. You will be immediately prompted to provide a secret value in a secure manner or you can provide it via STDIN.
$ conceal update dockerhub/token
$ echo "my-new-secret-value" | conceal update dockerhub/token
To update a secret in Keychain, call conceal and use the update command to pass the account name to update. You will be immediately prompted to provide a secret value in a secure manner or you can provide it via STDIN.
$ conceal get dockerhub/token
To retrieve a secret from Keychain, call conceal and use the get command to pass the account name to retrieve from. The secret value will be added to your clipboard for 15 seconds.
$ conceal list
To list all secrets associated with Summon in Keychain, call conceal and use the list command to list all accounts present.
To filter the list further, pipe to grep like this $ conceal list | grep dockerhub/.
$ conceal unset dockerhub/token
To remove a secret that was added for Summon, call conceal and use the unset command to pass the account name to remove.
$ conceal summon install
To install Conceal as a Summon provider, call conceal with the summon install command. This will install conceal as an available provider for Summon under the name conceal_summon. For more information about Summon's providers, check out the documentation at cyberark.github.io/summon.
Note: This command is not recommended for use in scripts as it will print the secret to the terminal. It is only available for the Summon provider integration.
$ conceal show dockerhub/token
To display a secret from Keychain to STDOUT, call conceal and use the show command to pass the account name to display. This is useful for debugging and testing purposes. It is used by Summon to retrieve the secret value from the conceal_summon provider.
$ conceal help
To display the help message, just call conceal help.
$ conceal help [COMMAND]
To display the help message for a specific command, just call conceal help and provide the command name, such as set or get.
$ conceal version
To display the current version, call conceal with the version command.
import "github.com/infamousjoeg/conceal/pkg/conceal/keychain"func AddSecret(secretID string, secret []byte)AddSecret is a non-return function that adds the secret and secret value to keychain.
func DeleteSecret(secretID string)DeleteSecret is a non-return function that removes the secret from keychain.
func ListSecrets() []stringListSecrets is a string array function that returns all secrets in keychain with
the label summon.
func SecretExists(secretID string) boolSecretExists is a boolean function to verify a secret is present in keychain.
func UpdateSecret(secretID string, secret []byte)UpdateSecret is a non-return function that updates the secret value in keychain.
func GetSecret(secretID string, delivery string)GetSecret is a non-return function that retrieves the secret value from keychain and delivers it in the declared method. If delivery is set to clipboard, the secret value is copied to the clipboard. If a signal interrupt is detected, the content is immediately cleared. If delivery is set to stdout, the secret value is printed to the terminal.
import "github.com/infamousjoeg/conceal/pkg/conceal/clipboard"func Secret(secret string)Secret is a non-return function that adds content to the host clipboard that persists for 15 seconds. If a signal interrupt is detected, the content is immediately cleared.
func SetupCloseHandler()SetupCloseHandler creates a 'listener' on a new goroutine which will notify the program if it receives an interrupt from the OS. We then handle this by calling our clean up procedure and exiting the program.
In modern software development, securely managing secrets (such as API keys, passwords, and other sensitive data) is crucial. Conceal, developed by Joe Garcia, is a powerful utility designed to simplify and secure the management of these secrets. Here’s why you should consider using Conceal:
"Why not use what Steve and Bill gave us?"
- Conceal allows developers to use built-in tools and environments (like macOS Keychain) to manage secrets without needing to commit any code or set up a dedicated secrets manager initially. This means you can start development immediately without additional setup overhead.
- Conceal works seamlessly with Summon, a tool that injects secrets as environment variables into your applications. This allows for easy transitioning between different environments without changing the code. As you move from development to staging to production, the secrets provider can change without any code modification, enhancing flexibility and security.
"You're establishing secure coding habits by starting development using environment variables out of the gate."
- By using Conceal and Summon together, you adopt best practices from the start. Managing secrets via environment variables is a secure method that avoids hardcoding sensitive information in your application code, thus preventing technical debt and security vulnerabilities.
"...instead of creating technical debt that then becomes a problem later on down the line when a secrets manager needs to be baked into it."
- Starting with good practices means you won't need to refactor your code later to integrate a secrets manager. Conceal helps avoid this costly and time-consuming process by providing a secure solution from the beginning.
"Free or overpay, which do you choose?"
- Conceal leverages free, existing tools, avoiding the need for expensive enterprise secrets management solutions. This makes it a cost-effective choice, especially for startups and small teams.
- Local Development-Friendly: Ideal for local development environments where access to a full secrets management system might not be available.
- Ease of Use: Simple commands to set and retrieve secrets, integrated smoothly with the development workflow.
- Security: Ensures that secrets are not hardcoded, reducing the risk of accidental exposure.
- Install Conceal: Follow the instructions in the Conceal GitHub repository to install the utility.
- Set Secrets: Use the
conceal setcommand to securely store your secrets. - Retrieve Secrets: Integrate with Summon to retrieve secrets as environment variables in your application.
Conceal is a powerful and useful utility for any developer looking to securely manage secrets without incurring additional setup costs or creating technical debt. By integrating with existing tools and promoting secure practices from the start, Conceal ensures your development process remains efficient, secure, and cost-effective. Choose Conceal to simplify your secret management and focus on building great software.
For more information and to get started, visit the Conceal GitHub page.
Pull Requests are currently being accepted. Please read and follow the guidelines laid out in CONTRIBUTING.md.