├── tox.ini ├── .version ├── yacs ├── __init__.py ├── cli.py ├── util.py ├── view.py ├── reset.py ├── get.py ├── put.py └── inititialize.py ├── LICENSE ├── setup.py ├── README.md └── .gitignore /tox.ini: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.version: -------------------------------------------------------------------------------- 1 | 1.0.0 -------------------------------------------------------------------------------- /yacs/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /yacs/cli.py: -------------------------------------------------------------------------------- 1 | import click 2 | from yacs import inititialize, reset, put, get, view 3 | @click.group() 4 | @click.version_option() 5 | def cli() -> None: 6 | """A cli to provision and manage local developer environments.""" 7 | 8 | 9 | 10 | cli.add_command(inititialize.initialize) 11 | cli.add_command(reset.reset) 12 | cli.add_command(put.put) 13 | cli.add_command(get.get) 14 | cli.add_command(view.view) -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Raiyan Yahya 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from os.path import abspath, dirname, join, isfile 2 | from os import environ 3 | from setuptools import find_packages, setup 4 | import sys 5 | version_f = ".version" 6 | this_dir = abspath(dirname(__file__)) 7 | with open(join(this_dir, "README.md"), encoding="utf-8") as file: 8 | long_description = file.read() 9 | 10 | 11 | def get_version(): 12 | if isfile(version_f): 13 | with open(version_f) as version_file: 14 | version = version_file.read().strip() 15 | return version 16 | elif ( 17 | "build" in sys.argv 18 | or "egg_info" in sys.argv 19 | or "sdist" in sys.argv 20 | or "bdist_wheel" in sys.argv 21 | ): 22 | version = environ.get("VERSION", "0.0") # Avoid PEP 440 warning 23 | if "-SNAPSHOT" in version: 24 | version = version.replace("-SNAPSHOT", ".0") 25 | with open(version_f, "w+") as version_file: 26 | version_file.write(version) 27 | return version 28 | 29 | 30 | setup( 31 | name="yacs-cli", 32 | python_requires=">3.7", 33 | options={"bdist_wheel": {"universal": "1"}}, 34 | version=get_version(), 35 | description="Run a local credential store.", 36 | long_description=long_description, 37 | long_description_content_type='text/markdown', 38 | url="https://github.com/raiyanyahya/yacs", 39 | author="Raiyan Yahya", 40 | license="MIT", 41 | author_email="raiyanyahyadeveloper@gmail.com", 42 | keywords=["cli","developer tools","productivity", "tools", "secretsmanager"], 43 | packages=find_packages(), 44 | install_requires=["click", "rich", "cryptography"], 45 | entry_points={"console_scripts": ["yacs=yacs.cli:cli"]}, 46 | ) -------------------------------------------------------------------------------- /yacs/util.py: -------------------------------------------------------------------------------- 1 | from pathlib import Path 2 | from os import urandom 3 | import base64 4 | 5 | from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC 6 | from cryptography.hazmat.primitives import hashes 7 | from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes 8 | from cryptography.hazmat.backends import default_backend 9 | 10 | def derive_key(master_password, salt): 11 | kdf = PBKDF2HMAC( 12 | algorithm=hashes.SHA256(), 13 | length=32, 14 | salt=salt, 15 | iterations=100000, 16 | backend=default_backend() 17 | ) 18 | key = kdf.derive(master_password.encode()) 19 | return key 20 | 21 | def decrypt_message(key, encrypted_message): 22 | encrypted_message_bytes = base64.urlsafe_b64decode(encrypted_message.encode('utf-8')) 23 | iv = encrypted_message_bytes[:16] 24 | cipher = Cipher(algorithms.AES(key), modes.CFB(iv), backend=default_backend()) 25 | decryptor = cipher.decryptor() 26 | decrypted_message = decryptor.update(encrypted_message_bytes[16:]) + decryptor.finalize() 27 | return decrypted_message.decode('utf-8') 28 | 29 | def encrypt_message(key, message): 30 | iv = urandom(16) 31 | cipher = Cipher(algorithms.AES(key), modes.CFB(iv), backend=default_backend()) 32 | encryptor = cipher.encryptor() 33 | encrypted_message = encryptor.update(message.encode()) + encryptor.finalize() 34 | return base64.urlsafe_b64encode(iv + encrypted_message).decode('utf-8') 35 | 36 | def get_credstore_path(filename): 37 | home = Path.home() 38 | yacs_dir = home / ".yacs" 39 | yacs_dir.mkdir(exist_ok=True) # Create directory if it doesn't exist 40 | credstore_path = yacs_dir / filename 41 | return credstore_path -------------------------------------------------------------------------------- /yacs/view.py: -------------------------------------------------------------------------------- 1 | import json 2 | import base64 3 | import click 4 | from rich.console import Console 5 | from rich.table import Table 6 | from rich.prompt import Prompt 7 | from yacs.util import derive_key, decrypt_message, get_credstore_path 8 | 9 | console = Console() 10 | 11 | def view_secrets(filename): 12 | credstore_path = get_credstore_path(filename) 13 | 14 | if not credstore_path.exists(): 15 | console.print(f"[bold red]Error:[/bold red] {credstore_path} does not exist.", style="bold red") 16 | return 17 | 18 | password = Prompt.ask("Enter master password", password=True) 19 | 20 | with open(credstore_path, 'r') as file: 21 | stored_data = json.load(file) 22 | salt = base64.urlsafe_b64decode(stored_data["salt"].encode('utf-8')) 23 | encryption_key = derive_key(password, salt) 24 | try: 25 | decrypted_data = json.loads(decrypt_message(encryption_key, stored_data["data"])) 26 | except UnicodeDecodeError: 27 | console.print("[bold red]Password verification failed.Try again.[/bold red]") 28 | return 29 | except Exception: 30 | console.print("[bold red]Password verification failed.Try again.[/bold red]") 31 | return 32 | secrets = decrypted_data["secrets"] 33 | 34 | if secrets: 35 | for key, secret_info in secrets.items(): 36 | console.print(f"Key: {key} Description: {secret_info['description']}\n") 37 | else: 38 | console.print("[bold yellow]No secrets found.[/bold yellow]") 39 | 40 | 41 | @click.command("view") 42 | @click.option('--filename', default='credstore.json', help='The name of the credential store file.') 43 | def view(filename): 44 | """View all keys and their descriptions.""" 45 | view_secrets(filename) -------------------------------------------------------------------------------- /yacs/reset.py: -------------------------------------------------------------------------------- 1 | import click 2 | from os import remove 3 | from rich.console import Console 4 | from rich.prompt import Confirm, Prompt 5 | import base64 6 | import json 7 | from yacs.util import decrypt_message, derive_key, get_credstore_path 8 | 9 | console = Console() 10 | 11 | 12 | def reset_credstore(filename): 13 | credstore_path = get_credstore_path(filename) 14 | 15 | if not credstore_path.exists(): 16 | console.print(f"[bold red]Error:[/bold red] {credstore_path} does not exist.", style="bold red") 17 | return 18 | 19 | password = Prompt.ask("Enter master password to confirm reset", password=True) 20 | 21 | with open(credstore_path, 'r') as file: 22 | stored_data = json.load(file) 23 | salt = base64.urlsafe_b64decode(stored_data["salt"].encode('utf-8')) 24 | key = derive_key(password, salt) 25 | 26 | try: 27 | decrypt_message(key, stored_data["data"]) 28 | except UnicodeDecodeError: 29 | console.print("[bold red]Password verification failed.[/bold red]") 30 | return 31 | except Exception: 32 | console.print("[bold red]Password verification failed.[/bold red]") 33 | return 34 | 35 | confirm = Confirm.ask("Are you sure you want to delete the credential store and all its contents?", default=False) 36 | if confirm: 37 | remove(credstore_path) 38 | console.print(f"[bold green]Credential store {credstore_path} deleted successfully.[/bold green]") 39 | else: 40 | console.print("[bold yellow]Reset operation cancelled.[/bold yellow]") 41 | 42 | 43 | @click.command("reset") 44 | @click.option('--filename', default='credstore.json', help='The name of the credential store file.') 45 | def reset(filename): 46 | """Delete the credstore and start from scratch.""" 47 | reset_credstore(filename) -------------------------------------------------------------------------------- /yacs/get.py: -------------------------------------------------------------------------------- 1 | import click 2 | import json 3 | import base64 4 | from pathlib import Path 5 | from rich.console import Console 6 | from rich.prompt import Prompt 7 | from rich.panel import Panel 8 | from yacs.util import derive_key, decrypt_message, get_credstore_path 9 | 10 | console = Console() 11 | 12 | 13 | def get_secret(filename, key): 14 | credstore_path = get_credstore_path(filename) 15 | 16 | if not credstore_path.exists(): 17 | console.print(f"[bold red]Error:[/bold red] {credstore_path} does not exist.", style="bold red") 18 | return 19 | 20 | password = Prompt.ask("Enter master password", password=True) 21 | 22 | with open(credstore_path, 'r') as file: 23 | stored_data = json.load(file) 24 | salt = base64.urlsafe_b64decode(stored_data["salt"].encode('utf-8')) 25 | encryption_key = derive_key(password, salt) 26 | try: 27 | decrypted_data = json.loads(decrypt_message(encryption_key, stored_data["data"])) 28 | except UnicodeDecodeError: 29 | console.print("[bold red]Password verification failed.Try again.[/bold red]") 30 | return 31 | except Exception: 32 | console.print("[bold red]Password verification failed.Try again.[/bold red]") 33 | return 34 | secrets = decrypted_data["secrets"] 35 | 36 | if key in secrets: 37 | secret_info = secrets[key] 38 | if secret_info["type"] == "binary": 39 | secret = base64.urlsafe_b64decode(secret_info["secret"].encode()).decode('utf-8') 40 | else: 41 | secret = secret_info["secret"] 42 | 43 | console.print(f"{secret}", style="bold green") 44 | else: 45 | console.print(f"[bold red]Error:[/bold red] Key '{key}' not found.", style="bold red") 46 | 47 | 48 | @click.command("get") 49 | @click.option('--filename', default='credstore.json', help='The name of the credential store file.') 50 | @click.argument('key') 51 | def get(filename, key): 52 | """Get a secret from the credential store.""" 53 | get_secret(filename, key) -------------------------------------------------------------------------------- /yacs/put.py: -------------------------------------------------------------------------------- 1 | 2 | import click 3 | import json 4 | import base64 5 | from rich.console import Console 6 | from rich.prompt import Prompt 7 | from yacs.util import derive_key, encrypt_message, decrypt_message, get_credstore_path 8 | 9 | console = Console() 10 | 11 | 12 | def put_secret(filename, key, description, secret, secret_type): 13 | credstore_path = get_credstore_path(filename) 14 | 15 | if not credstore_path.exists(): 16 | console.print(f"[bold red]Error:[/bold red] {credstore_path} does not exist. Initialize a new store.", style="bold red") 17 | return 18 | 19 | password = Prompt.ask("Enter master password", password=True) 20 | 21 | with open(credstore_path, 'r') as file: 22 | stored_data = json.load(file) 23 | salt = base64.urlsafe_b64decode(stored_data["salt"].encode('utf-8')) 24 | encryption_key = derive_key(password, salt) 25 | 26 | try: 27 | decrypted_data = json.loads(decrypt_message(encryption_key, stored_data["data"])) 28 | except UnicodeDecodeError: 29 | console.print("[bold red]Password verification failed.Try again.[/bold red]") 30 | return 31 | except Exception: 32 | console.print("[bold red]Password verification failed.Try again.[/bold red]") 33 | return 34 | 35 | secrets = decrypted_data["secrets"] 36 | if secret_type == "binary": 37 | secret = base64.urlsafe_b64encode(secret.encode()).decode('utf-8') 38 | secrets[key] = {"description": description, "secret": secret, "type": secret_type} 39 | 40 | decrypted_data["secrets"] = secrets 41 | updated_encrypted_data = encrypt_message(encryption_key, json.dumps(decrypted_data)) 42 | 43 | with open(credstore_path, 'w') as file: 44 | json.dump({"data": updated_encrypted_data, "salt": stored_data["salt"]}, file) 45 | 46 | console.print(f"[bold green]Secret for key '{key}' added successfully.[/bold green]") 47 | 48 | 49 | @click.command("put") 50 | @click.option('--filename', default='credstore.json', help='The name of the credential store file.') 51 | @click.argument('key') 52 | @click.argument('description') 53 | @click.option('--type', 'secret_type', type=click.Choice(['string', 'binary']), default='string', help='The type of the secret: string or binary.') 54 | def put(filename, key, description, secret_type): 55 | """Add a secret to the credential store.""" 56 | secret = Prompt.ask("Enter the secret", password=True) 57 | put_secret(filename, key, description, secret, secret_type) -------------------------------------------------------------------------------- /yacs/inititialize.py: -------------------------------------------------------------------------------- 1 | import click 2 | import json 3 | from os import urandom, remove 4 | from rich.console import Console 5 | from rich.prompt import Prompt 6 | import base64 7 | 8 | from yacs.util import decrypt_message, derive_key, encrypt_message, get_credstore_path 9 | 10 | console = Console() 11 | 12 | 13 | 14 | 15 | 16 | def initialize_credstore(filename, password=None): 17 | console.print("Initializing Credential Store", style="bold green") 18 | 19 | credstore_path = get_credstore_path(filename) 20 | 21 | if credstore_path.exists(): 22 | console.print(f"[bold red]Error:[/bold red] {credstore_path} already exists.", style="bold red") 23 | return 24 | 25 | if not password: 26 | password = Prompt.ask("Enter master password", password=True) 27 | 28 | salt = urandom(16) 29 | key = derive_key(password, salt) 30 | credstore = { 31 | "secrets": {}, 32 | "salt": base64.urlsafe_b64encode(salt).decode('utf-8') 33 | } 34 | 35 | encrypted_data = encrypt_message(key, json.dumps(credstore)) 36 | 37 | with open(credstore_path, 'w') as file: 38 | json.dump({"data": encrypted_data, "salt": base64.urlsafe_b64encode(salt).decode('utf-8')}, file) 39 | 40 | console.print(f"[bold green]Credential store initialized successfully.[/bold green] File created: {credstore_path}") 41 | 42 | # Verification step 43 | verify_password = Prompt.ask("Re-enter master password to verify", password=True) 44 | verify_key = derive_key(verify_password, salt) 45 | with open(credstore_path, 'r') as file: 46 | stored_data = json.load(file) 47 | try: 48 | decrypted_data = decrypt_message(verify_key, stored_data["data"]) 49 | if decrypted_data: 50 | console.print("[bold green]Password verified successfully.[/bold green] Data decrypted correctly.") 51 | except UnicodeDecodeError: 52 | console.print("[bold red]Password verification failed.[/bold red]") 53 | remove(credstore_path) 54 | return 55 | except Exception: 56 | console.print("[bold red]Password verification failed.[/bold red]") 57 | remove(credstore_path) 58 | return 59 | 60 | 61 | 62 | 63 | @click.command("init") 64 | @click.option('--filename', default='credstore.json', help='The name of the credential store file.') 65 | @click.option('--password', help='The master password for the credential store.') 66 | def initialize(filename, password) -> None: 67 | """Initialize an empty local credstore.""" 68 | initialize_credstore(filename, password) 69 | 70 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # yacs 2 | Yet another credential store 🔐 3 | 4 | `yacs` is a command-line tool that allows you to securely store, manage, and retrieve secrets locally in an encrypted JSON file. This tool uses AES encryption with a master password to ensure your secrets are kept safe. 5 | 6 | ## Features 7 | 8 | Initialization: Set up a new credential store with a master password and a hint. 9 | Adding Secrets: Add secrets with descriptions, supporting both string and binary types. 10 | Retrieving Secrets: Retrieve secrets by their key. 11 | Viewing Keys and Descriptions: List all keys and their descriptions. 12 | Resetting: Delete the credential store and start from scratch. 13 | 14 | 15 | ## Encryption and Decryption 16 | 17 | `yacs` securely encrypts and decrypts your secrets using AES encryption with a key derived from your master password. When you initialize the credential store, a strong encryption key is generated from your master password using PBKDF2 (Password-Based Key Derivation Function 2) with a unique salt. This key, combined with a randomly generated Initialization Vector (IV), encrypts your secrets, ensuring each encryption is unique and secure. The encrypted data is then encoded in base64 format for safe storage. For added security, the tool prompts you to re-enter your master password after initialization to verify that the data can be successfully decrypted, ensuring the integrity and accessibility of your secrets. 18 | 19 | ## Security 20 | The Local Secrets Manager uses AES encryption with a key derived from your master password using PBKDF2 (Password-Based Key Derivation Function 2) with a unique salt. This ensures that your secrets are securely encrypted and can only be decrypted with the correct master password. 21 | 22 | 23 | ## Usage 24 | Install the command line interface via the cli. 25 | 26 | ``` 27 | pip install yacs-cli 28 | ``` 29 | 30 | After installing you should be able to see the below when you run `yacs`. 31 | ``` 32 | @raiyanyahya ➜ /workspaces/yacs (master) $ yacs 33 | Usage: yacs [OPTIONS] COMMAND [ARGS]... 34 | 35 | A cli to provision and manage local developer environments. 36 | 37 | Options: 38 | --version Show the version and exit. 39 | --help Show this message and exit. 40 | 41 | Commands: 42 | get Get a secret from the credential store. 43 | init Initialize an empty local credstore. 44 | put Add a secret to the credential store. 45 | reset Delete the credstore and start from scratch. 46 | view View all keys and their descriptions. 47 | ``` 48 | ### Initialize the store 49 | 50 | ``` 51 | yacs init 52 | ``` 53 | 54 | ### Add a secret 55 | 56 | ``` 57 | yacs put /mykeyname "description of the secret" 58 | ``` 59 | 60 | ### Get a secret 61 | 62 | ``` 63 | yacs get /mykeyname 64 | ``` 65 | ### View all key and descriptions 66 | 67 | ``` 68 | yacs view 69 | ``` 70 | 71 | ## License 72 | This project is licensed under the MIT License. See the LICENSE file for details. 73 | 74 | ## Contributing 75 | Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes. 76 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | share/python-wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | MANIFEST 28 | 29 | # PyInstaller 30 | # Usually these files are written by a python script from a template 31 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 32 | *.manifest 33 | *.spec 34 | 35 | # Installer logs 36 | pip-log.txt 37 | pip-delete-this-directory.txt 38 | 39 | # Unit test / coverage reports 40 | htmlcov/ 41 | .tox/ 42 | .nox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *.cover 49 | *.py,cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | cover/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | .pybuilder/ 76 | target/ 77 | 78 | # Jupyter Notebook 79 | .ipynb_checkpoints 80 | 81 | # IPython 82 | profile_default/ 83 | ipython_config.py 84 | 85 | # pyenv 86 | # For a library or package, you might want to ignore these files since the code is 87 | # intended to run in multiple environments; otherwise, check them in: 88 | # .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # poetry 98 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 99 | # This is especially recommended for binary packages to ensure reproducibility, and is more 100 | # commonly ignored for libraries. 101 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 102 | #poetry.lock 103 | 104 | # pdm 105 | # Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. 106 | #pdm.lock 107 | # pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it 108 | # in version control. 109 | # https://pdm.fming.dev/latest/usage/project/#working-with-version-control 110 | .pdm.toml 111 | .pdm-python 112 | .pdm-build/ 113 | 114 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm 115 | __pypackages__/ 116 | 117 | # Celery stuff 118 | celerybeat-schedule 119 | celerybeat.pid 120 | 121 | # SageMath parsed files 122 | *.sage.py 123 | 124 | # Environments 125 | .env 126 | .venv 127 | env/ 128 | venv/ 129 | ENV/ 130 | env.bak/ 131 | venv.bak/ 132 | 133 | # Spyder project settings 134 | .spyderproject 135 | .spyproject 136 | 137 | # Rope project settings 138 | .ropeproject 139 | 140 | # mkdocs documentation 141 | /site 142 | 143 | # mypy 144 | .mypy_cache/ 145 | .dmypy.json 146 | dmypy.json 147 | 148 | # Pyre type checker 149 | .pyre/ 150 | 151 | # pytype static type analyzer 152 | .pytype/ 153 | 154 | # Cython debug symbols 155 | cython_debug/ 156 | 157 | # PyCharm 158 | # JetBrains specific template is maintained in a separate JetBrains.gitignore that can 159 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 160 | # and can be added to the global gitignore or merged into this file. For a more nuclear 161 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 162 | #.idea/ 163 | --------------------------------------------------------------------------------