🔐 syringe.sh

Self-hostable distributed database-per-user encrypted secrets management over SSH.

Caution

This project is a work in progress and not yet ready for general use.

Feel free to browse the code while it's being developed, but use at your own risk.

SSH (Secure Shell) is a cryptographic network protocol for secure communication between computers over an unsecured network that uses keys for secure authentication. If you've ever ssh'd into a remote machine or used CLI tools like git then you've used SSH.

syringe.sh uses SSH as the protocol for communication between the client (your machine) and the server (in the cloud).

Your public key is uploaded to the server. Your private key is then used to authenticate when you connect.

Secrets are encrypted locally using your key before being sent to the server and stored in a separate database tied to your SSH key.

Secrets can only be decrypted locally using your private key. Without your private key, nobody can decrypt and read your secrets. It's important you don't lose this, else your secrets will be lost forever.

┌────────────────────────────────┐
│ STDIN                          │
│ syringe secret set SKEY s3cr3t │
└─────┬──────────────────────────┘
      │
  ┌───▼────────────────┐                        ┌─────────────────┐
  │      ┌────────────┐│       Encrypted        │┌───────┐        │
  │ CLI  │ 🔐 Encrypt ├─────────────────────────►│ Store │ Server │
  │      └────────────┘│          SSH           │└───┬───┘        │
  └────────────────────┘                        └────│────────────┘
                                                ┌────▼────┐
                                                │ User DB │┐  K: SKEY
                                                └┬────────┘│  V: <encrypted>
                                                 └─────────┘

┌─────────────────────────┐
│ STDIN                   │
│ syringe secret get SKEY │
└─────┬───────────────────┘
      │
  ┌───▼────────────────┐                        ┌─────────────────┐
  │      ┌────────────┐│       Encrypted        │┌───────┐        │
  │ CLI  │ 🔓️ Decrypt │◄────────────────────────►│ Store │ Server │
  │      └────┬───────┘│          SSH           │└───────┘        │
  └───────────│────────┘                        └─────────────────┘
         ┌────▼─────┐
         │ STDOUT   │
         │ s3cr3t   │
         └──────────┘

Secrets are managed using 'projects' and 'environments'.

A quick demo

CLI

Installation

1. Download the package for your operating system and architecture from the releases page and extract to a directory in your path, e.g.

   $ wget -qO- https://github.com/nixpig/syringe.sh/releases/download/0.0.9/syringe.sh_syringe_0.0.9_linux_amd64.tar.gz | tar -xzvf - -C /usr/bin
   

2. Run the syringe command to get started.

Note

Without additional configuration, the syringe command will connect to the demo server at syringe.sh.

Feel free to have a play around there before you decide whether to spin up your own server.

Usage

Tip

Run syringe help to view documentation for all available commands and example usage.

Command	Flags	Description
syringe user register		Register user by identity
syringe project list		List projects
syringe project add PROJECT_NAME		Add project
syringe project remove PROJECT_NAME		Remove project
syringe project rename CURRENT_PROJECT_NAME NEW_PROJECT_NAME		Rename project
syringe environment list [flags]		List environments
syringe environment add [flags] ENVIRONMENT_NAME	--project	Add environment
syringe environment remove [flags] ENVIRONMENT_NAME	--project	Remove environment
syringe environment rename [flags] CURRENT_ENVIRONMENT_NAME NEW_ENVIRONMENT_NAME	--project	Rename environment
syringe secret list [flags]	--project --environment	List Secrets
syringe secret set [flags] SECRET_NAME SECRET_VALUE	--project --environment	Set secret
syringe secret get [flags] SECRET_NAME	--project --environment	Get secret
syringe secret remove [flags] SECRET_NAME	--project --environment	Remove secret
syringe secret inject [flags] -- SUBCOMMAND	--project --environment	Inject secrets into command
syringe help		Get help

Supported SSH key types

The following key types are supported for the syringe client.

• RSA

Specifying an identity

An identity is a path to an SSH key, for example ~/.ssh/id_rsa.

An identity must be specified to connect over SSH and to encrypt/decrypt secrets.

The identity to use is selected with the following order of precedence.

1. The --identity flag.
2. The identity property in settings file.
3. The running SSH agent, if available.

If you have an SSH agent running and the specified identity is not already loaded into the SSH agent, it will be added.

Note: when using the SSH agent directly (i.e. identity not specified as flag or in settings), the syringe.sh host must also be configured in SSH config.

Settings file

syringe.sh uses a settings file located in your user config directory, for example: /home/nixpig/.config/syringe/settings. If this doesn't exist, it will be created for you when you run any syringe command.

The settings file uses a key=value format, with each key/value pair on a new line.

Key	Type	Description
identity	string	Path to the SSH identity file to use. Equivalent to the -i flag to ssh or the IdentityFile parameter in SSH config. For example: /home/nixpig/.ssh/id_rsa.
hostname	string	The hostname of the server to connect to (default: syringe.sh).
port	number	The port the server is running on (default: 22).

Example settings file

identity=$HOME/.ssh/id_rsa
hostname=localhost
port=23234

Server

The recommended method of running the server is using Docker.

An example Dockerfile and docker-compose.yml are included in the repository.

Disclaimers

The public syringe.sh server is for demo purposes and may not be actively monitored or maintained. You absolutely should not store any secret or private data there.

You are responsible for your own security. It is up to you to evaluate the suitability of this software before using it and to take any necessary measures to secure your data to prevent unauthorized access.