Skip to content
/ envchain Public

Environment variables meet macOS Keychain and gnome-keyring <3

License

MIT license
1.2k stars 32 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sorah/envchain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
envchain.c
envchain.c
 
 
envchain.h
envchain.h
 
 
envchain_linux.c
envchain_linux.c
 
 
envchain_osx.c
envchain_osx.c
 
 

Repository files navigation

envchain - set environment variables with macOS keychain or D-Bus secret service

What?

Secrets for common computing environments, such as AWS_SECRET_ACCESS_KEY, are set with environment variables.

A common practice is to set them in shell's intialization files such as .bashrc and .zshrc.

Putting these secrets on disk in this way is a grave risk.

envchain allows you to secure credential environment variables to your secure vault, and set to environment variables only when you called explicitly.

Currently, envchain supports macOS keychain and D-Bus secret service (gnome-keyring) as a vault.

Don't give any credentials implicitly!

Requirement (macOS)

  • macOS
    • Confirmed to work on OS X 10.11 (El Capitan), macOS 10.12 (Sierra).
    • OS X 10.7 (Lion) or later is required, but not confirmed

Requirement (Linux)

  • readline
  • libsecret
  • D-Bus Secret Service
    • GNOME keyring
    • KeePassXC

Installation

From Source

$ make

$ sudo make install
(or)
$ cp ./envchain ~/bin/

Homebrew (OS X)

brew install envchain

Usage

Saving variables

Environment variables are set within a specified namespace. You can set variables in a single command:

envchain --set NAMESPACE ENV [ENV ..]

You will be prompted to enter the values for each variable. For example, we can set two variables... AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY here, within a namespace called aws:

$ envchain --set aws AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
aws.AWS_ACCESS_KEY_ID: my-access-key
aws.AWS_SECRET_ACCESS_KEY: secret

Here we define a single new variable within a different namespace:

$ envchain --set hubot HUBOT_HIPCHAT_PASSWORD
hubot.HUBOT_HIPCHAT_PASSWORD: xxxx

These will all appear as application passwords with envchain-NAMESPACE in the data store (Keychain in macOS, gnome-keyring in common Linux distros).

Execute commands with defined variables

$ env | grep AWS_ || echo "No AWS_ env vars"
No AWS_ env vars
$ envchain aws env | grep AWS_
AWS_ACCESS_KEY_ID=my-access-key
AWS_SECRET_ACCESS_KEY=secret
$ envchain aws s3cmd blah blah blah
⋮

$ envchain hubot env | grep AWS_ || echo "No AWS_ env vars for hubot"
No AWS_ env vars for hubot
$ envchain hubot env | grep HUBOT_
HUBOT_HIPCHAT_PASSWORD: xxxx

You may specify multiple namespaces at once, with separating by commas:

$ envchain aws,hubot env | grep 'AWS_\|HUBOT_'
AWS_ACCESS_KEY_ID=my-access-key
AWS_SECRET_ACCESS_KEY=secret
HUBOT_HIPCHAT_PASSWORD: xxxx

More options

--list

List namespaces that have been created

$ envchain --list
aws
hubot

--noecho

Do not echo user input

$ envchain --set --noecho foo BAR
foo.BAR (noecho):

--require-passphrase

Always ask for keychain passphrase

$ envchain --set --require-passphrase name

--no-require-passphrase

Do not ask for keychain passphrase

$ envchain --set --no-require-passphrase name

Sponsor

Buy Me a Coffee at ko-fi.com

Screenshot

OS X Keychain

Seahorse (gnome-keyring)

Author

License

MIT License

About

Environment variables meet macOS Keychain and gnome-keyring <3

Topics

gnome-keyring security credentials secret keychain

Resources

Readme

License

MIT license
Activity

Stars

1.2k stars

Watchers

20 watching

Forks

32 forks
Report repository

Releases 4

v1.1.0 Latest
Apr 23, 2024
+ 3 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 9

Languages