Announcing yage, a tool for managing secrets in yaml files using age encryption

[glehmann]

yage is using age encryption to encrypt the values
in a YAML file while keeping the keys unchanged.

A yaml file like this one:

backend:
  url: https://example.com
  username: gaspard
  password: api_s3cr3t_k3y

is encrypted by yage to:

backend:
  url: yage[YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1KzZiNVVvTThaQ0dSbVZBMElRUEpZRlVxb1VaamU3SGtWRWxseFBHMkVNClBsUGJMWFJ0MnA0czA0MEE0VnRjY3Q3VnE4NElpUHQ2aTNKUlVMOUJnbEUKLT4gZGVVYFRQcVwtZ3JlYXNlIHR+OSVVZyMhCituclJ0ZTZJU1grSmpxaTZvb2hMYlBvMnpIbGFja0ltRm9BdE9sTVJ5RG14RkhNaXNsc0xUbUViT1lyRVh6dWYKdHRsVU10SHJ1YytaY2hhdWdjQ0lJVnFkczJFcHBMMXl3QTNEQUc1SW9YM0hscGZVbEdPdWZWTQotLS0gcTVIZzZrdnVJNGNoNm51UEE1alJHVmJsQnRMdStuVXU0Q1pJSzFzVlU1QQqH64hS0UV4JI6CtYHpSCEslxLqi3764zaxF/VJy67gQOBrj2TV1z6NwJaBmlUPBQB2zROq|r:age15eesfkh778yljxzgwdq5vaqmmchg5py480vplsymzzqf0dwe5gnqrexdq6]
  username: yage[YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVU2tuOWFpV2NDT05DSC9FbHNadzVVTTJmSFQwekRjRjZiOERDVTZ0aGdnCnhKTGpQcGY1SUw0bFd2cFhudC9yY1I0VTJxWklBYUkvYlhzNHhUeCtIVmsKLT4gTGJ+LWdyZWFzZSAhClJlTU5TZ3NldGRaRzRGQThOZmMrdkFnS0NzUnBpMmFpRTM4d0hGQXEKLS0tIGQvSXIxcXpDYk9yTU9ERDlEMHV1d0VmTGovWU9SVkJ5TkswYS9rMmdGbHMK3GehcWJL1GUKFGLJXQFGUQLhs56mgHRYpBIsFgYpyW818dG27bz1jQ==|r:age15eesfkh778yljxzgwdq5vaqmmchg5py480vplsymzzqf0dwe5gnqrexdq6]
  password: yage[YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRVUyTHpmQnZuTlc5MGJhODFuSE5WMmdzalNid0ExamliNDREbWlJUXdvClFhS3JGSGV2cjlnL0dWUnNwSDNvWGVHUDVDendkNzFWWXJCcTNDTVJNLzgKLT4geW0tZ3JlYXNlIF8zJ3MpXksKeXRwMW9aeitydwotLS0gWVNjbnZsUmNRWTdtM0pjVjNKQjBDZ1k2cVNhcWkwMnAxREwwMXptREhLZwrpCkrMFiq/XWfAyFRrLuLkkEPhnZ9Kt68pg5ENgDTV9+3iRcy6XKYdkqnEBRidMg==|r:age15eesfkh778yljxzgwdq5vaqmmchg5py480vplsymzzqf0dwe5gnqrexdq6]

It's an alternative to SOPS.

yage is born out of the frustration of not being able to use SOPS for a simple use case: giving the
responsability to the dev team to encrypt the sensible values, while keeping the private key required
to decrypt those values secret.

With yage, a dev team can add some new secrets in a deployment file, use a simple yage encrypt secrets-prod.yaml
to encrypt the new values, and commit them in the git repository. This operation does not require any
access to the private key, which can be kept secret by the ops team.

To help not committing a secret in git, a pre-commit hook is available to automatically
encrypt the file before committing it, or check if the secrets are encrypted.

It is written in Rust and uses the great age library. It is distributed
as a single binary, and is available on Linux, MacOS and Windows. It is also available as a docker images.

yage is open source and available on github. It is licensed under the MIT license.

I would really appreciate some feedback — on the tool itself, on its usability, on its code quality, on its missing
features, on its documentation, …

Contributions would also be very welcome!

[cipriancraciun]

I would really appreciate some feedback — on the tool itself, on its usability, on its code quality, on its missing features, on its documentation, ...

I would like to ask a few questions on the topic of your tool, however I think those questions are out-of-scope of the age tool (as it's mainly used behind the scenes as a cryptographic building-block), and thus I wanted to ask you to enable the discussions feature on your repository, so we can discuss there.

[glehmann]

I've activated the discussions at https://github.com/glehmann/yage/discussions