Trousseau is an encrypted key-value store designed to be a simple, safe and trustworthy place for your data.
It stores data in a single encrypted file. It supports both asymetric encryption using OpenPGP, and symmetric encryption using AES256. It can be easily synced across devices using Dropbox, OneDrive... It can be exported and imported to/from multiple remote storages using integrated S3, ssh, and gist support. If used with OpenPGP encryption, it is able to restrict access to the data store to a set of recipients.
Create a trousseau data store, add some key-value pairs to it, push it to S3 and re-import it from another device or simply sync it over Dropbox. Safe data sharing had never been that simple!
Secrets are made to be shared, just not with anyone. Whether you're an admin, a paranoid guy living in a bunker, or a random user who seeks a simple way to store it's critical data in secured manner. Trousseau can do something for you.
Storing, transporting, and sharing sensitive data can be hard, and much more difficult when it comes to automate it.
Trousseau was created with private keys and certificates (such as private keys) sharing across a cluster in mind. However it has proved being useful to anyone who need to store and eventually share a passwords store, bank accounts details or even more sensitive data.
Trousseau can be useful to you when it comes to:
A binary debian repository provides trousseau packages for i386, x86_64 and arm architectures, so you can easily install it. Just add the repository to your sources.list:
$ echo "deb https://dl.bintray.com/oleiade/deb /" | sudo tee /etc/apt/sources.list.d/trousseau.list
And you're ready to go:
$ sudo apt-get update && sudo apt-get install trousseau
If you're using homebrew just proceed to installation using the provided formula:
brew install oleiade/tap/trousseau
Get the latest darwin release zip archive from the repository. Unzip it, and place the trousseau executable wherever it suits you.
$ unizp trousseau_X.Y.Z_darwin_amd64.zip
$ cp trousseau_X.Y.Z_darwin_amd64/trousseau /usr/local/binary
$PATH
: bzr, svn, hg, git
go build github.com/oleiade/trousseau/cmd/trousseau
trousseau
binary is now in your current working directory folderEvery decryption operations will require your gpg primary key passphrase. As of today, trousseau is able to handle your passphrase through multiple ways:
--passphrase
global optionSupported system keyring manager are osx keychain access and linux gnome secret-service and gnome-keychain (more might be added in the future on demand).
To use the keyring manager you will need to set up the TROUSSEAU_KEYRING_SERVICE
environment variable to the name of they keyring manager key holding the trousseau main gpg key passphrase.
$ export TROUSSEAU_KEYRING_SERVICE=my_keyring_key
$ trousseau get abc
Another authentication method supported is gpg-agent. In order to use it make sure you've started the gpg-agent daemon and exported the GPG_AGENT_INFO
variable, trousseau will do the rest.
$ export GPG_AGENT_INFO=path_to_the_gpg_agent_info_file
$ export TROUSSEAU_MASTER_GPG_ID=myid@mymail.com
$ trousseau get abc
You can pass your primary key passphrase as TROUSSEAU_PASSPHRASE
environment variable:
$ export TROUSSEAU_PASSPHRASE=mysupperdupperpassphrase
$ trousseau get abc
You can have trousseau asking for your passphrase using the command line global option:
$ trousseau --ask-passhphrase get abc
Passphrase:
123
Trousseau behavior can be controlled through the system environment:
$HOME/.trousseau
First step with trousseau is to create a data store.
To do so, you will need to decide the kind of encryption you wish to use:
Then, you can proceed and create a data store with the create
command.
As a default:
$HOME/.trousseau
. However the global option store
will allow you to select the place on the filesystem where trousseau should create/open the data store.encryption-type
and encryption-algorithm
options will allow to select explicitly the encryption mode of your choice.# create a trousseau for two gpg recipients
# both key ids and key email are supported.
$ trousseau create 4B7D890,foo@bar.com
trousseau created at $HOME/.trousseau
# Or create a symmetrically encrypted data store
# with a passphrase
$ trousseau create --encryption-type symmetric
Passphrase:
trousseau created at $HOME/.trousseau
Trousseau data store consists in a single encrypted file residing in your $HOME
directory. Check by yourself.
$ cat ~/.trousseau
{
"crypto_type":1,
"crypto_algorithm":0,
"_data":"012ue091ido19d81j2d01029dj1029d1029u401294i ... 1028019k0912djm0129d12"
}
If you've just updated trousseau to a version marked as implying backward incompatibilities, the upgrade
command is here to help
$ trousseau upgrade
Upgrading trousseau data store to version M: success
Upgrading trousseau data store to version N: success
# This is it, your legacy data store has now been upgraded to be compatible with
# your current version of trousseau
Once your trousseau has been created, you're now able to read, write, list, delete its data. Here's how the fun part goes.
# Right now the store is empty
$ trousseau show
# Let's add some data into it
$ trousseau set abc 123
$ trousseau set "easy as" "do re mi"
# set action supports a --file flag to use the content
# of a file as value
$ trousseau set myuser.ssh.public_key --file ~/.ssh/id_rsa.pub
# Now let's make sure data has been added
$ trousseau keys
abc
easy as
myuser.ssh.public_key
# Let's check values too
$ trousseau get abc
123
# What about renaming abc key, just for fun?
$ trousseau rename abc 'my friend jackson'
$ trousseau keys
my friend jackson
easy as
myuser.ssh.public_key
$ trousseau show
my friend jackson: 123
easy as: do re mi
myuser.ssh.public_key: ssh-rsa 1289eu102ij30192u3e0912e
...
# Whenever you want to export a key value to a file, just use
# the get command --file option
$ trousseau get myuser.ssh.public_key --file /home/myuser/id_rsa.pub
# Now if you don't need a key anymore, just drop it.
$ trousseau del 'my friend jackson' # Now the song lacks something doesn't it?
--file
option path.--file
option.Trousseau was built with data remote storage in mind. Therefore it provides push and pull actions to export and import the trousseau data store to remote destinations. As of today S3, SSH and gist storages are available (more are to come).
In order to make your life easier trousseau allows you to select your export and import sources using a DSN.
{protocol}://{identifier}:{secret}@{host}:{port}/{path}
push
or pull
action.# Considering a non empty trousseau data store
$ trousseau show
abc: 123
easy as: do re mi
# And then you're ready to push
$ trousseau push s3://aws_access_key:aws_secret_key@bucket:region/remote_file_path
# Now that data store is pushed to S3, let's remove the
# local data store and pull it once again to ensure it worked
$ rm ~/.trousseau
$ trousseau show
Trousseau unconfigured: no data store
$ trousseau pull s3://aws_access_key:aws_secret_key@bucket:region/remote_file_path
$ trousseau show
abc: 123
easy as: do re mi
# We start with a non-empty trousseau data store
$ trousseau show
abc: 123
easy as: do re mi
# To push it using scp we need to provide it a couple of
# basic options.
# Nota: In order for your remote password not to appear
# in your shell history, we strongly advise you to use
# the push/pull --ask-password option instead of supplying
# the password through the dsn.
$ trousseau push --ask-password scp://user:@host:port/remote_file_path
Password:
Trousseau data store succesfully pushed to ssh remote storage
# Now that data store has been pushed to the remote storage
# using scp, let's remove the local data store and pull it
# once again to ensure it worked
$ rm ~/.trousseau
$ trousseau show
Trousseau unconfigured: no data store
$ trousseau pull --ask-password scp://user:@host:port/remote_file_path
Password:
Trousseau data store succesfully pulled from ssh remote storage
$ trousseau show
abc: 123
easy as: do re mi
To use the gist remote storage support, you will need to generate a Github personal access token. Once you've generated one, use it as the dsn password field as in the following example:
# We start with a non-empty trousseau data store
$ trousseau show
abc: 123
easy as: do re mi
# Nota:
# * Gist remote storage doesn't use the host and port dsn fields,
# but you still need to provide their ':' separator
$ trousseau push gist://user:mysuppedupertoken@:/gist_name
Password:
Trousseau data store succesfully pushed to gist remote storage
# Now that data store has been pushed to gist
# let's remove the local data store and pull it
# once again to ensure it worked
$ rm ~/.trousseau
$ trousseau show
Trousseau unconfigured: no data store
$ trousseau pull gist://user:mysupperduppertoken@:/gist_name
Password:
Trousseau data store succesfully pulled from gist
$ trousseau show
abc: 123
easy as: do re mi
FILENAME
on the local fs.$ trousseau export testtrousseau.asc # Fine we've exported our current data store into a single file
$ mail -f testtrousseau.asc cousin@machin.com # Let's pretend we've sent it by mail
# Now cousin machin is now able to import the data store
$ trousseau import testtrousseau.asc
$ trousseau show
cousin_machin:isagreatbuddy
adams_family:rests in peace, for sure
Trousseau keeps track and exposes all sort of metadata about your store that you can access through the meta
command.
$ trousseau meta
CreatedAt: 2013-08-12 08:00:20.457477714 +0200 CEST
LastModifiedAt: 2013-08-12 08:00:20.457586991 +0200 CEST
Recipients: [4B7D890,28EA78B]
TrousseauVersion: 0.1.0c
Okay, so you've created a trousseau data store with two recipients allowed to manipulate it. Now suppose you'd like to add another recipient to be able to open and update the trousseau store; or to remove one.
add-recipient
and remove-recipient
commands can help you with that.
$ trousseau add-recipient 75FE3AB
$ trousseau add-recipient 869FA4A
$ trousseau meta
CreatedAt: 2013-08-12 08:00:20.457477714 +0200 CEST
LastModifiedAt: 2013-08-12 08:00:20.457586991 +0200 CEST
Recipients: [4B7D890, 75FE3AB, 869FA4A]
TrousseauVersion: 0.1.0c
$ trousseau remove-recipient 75FE3AB
$ trousseau meta
CreatedAt: 2013-08-12 08:00:20.457477714 +0200 CEST
LastModifiedAt: 2013-08-12 08:00:20.457586991 +0200 CEST
Recipients: [4B7D890, 869FA4A]
TrousseauVersion: 0.1.0c
Running the unit tests for the project is done with the following command:
go test github.com/oleiade/trousseau/...
For detailed contribution instructions, see the the CONTRIBUTING document
However here is a quick summary for all of you in a hurry:
Trousseau is open source software under the MIT license. Any hackers are welcome to supply ideas, features requests, patches, pull requests and so on. Let's make Trousseau awesome!
See Contribute section.
See CHANGELOG