This service exposes secrets and usernames from a KeePass database file through a webservice interface.
This way, secrets and usernames can be queried using curl.
For security reasons, data read from the KeePass database is encrypted in memory.
Since version 1.3.0 the service also supports the ssh-agent protocol.
This means you can securely store your SSH keys in KeePass and acknowledge access to them manually!
Note: This is my first project in Rust. There may be a lot of potential for improvements — of which I’m happy to hear!
IMPORTANT: Since version 1.2.6 I am using various AI models for supporting me. I am reviewing the code but I believe that you have the right to know that.
Usage of secrets in direnv:
GITLAB_TOKEN="$(curl --silent "http://localhost:8123/access-keys/GitLab/GitLab-API-Token-Shell/secret")"
The same way you may obtain the username of an entry:
GITLAB_TOKEN="$(curl --silent "http://localhost:8123/access-keys/GitLab/GitLab-API-Token-Shell/username")"
You may want to start the service in background using the following command:
nohup seekret-service --keepass-path "/path/to/keepassfile.kdbx" > /dev/null 2>&1 &
For further help please run:
seekret-service --help
Seekret Service can optionally act as an SSH agent, serving SSH private keys stored in your KeePass database.
SSH clients (e.g. ssh, git) can then authenticate using keys from KeePass without ever writing private keys to disk.
Signing requests are only allowed when the user has recently authorized access through the normal HTTP authorization flow (shared timeout).
Store the OpenSSH PEM private key in a custom string field named ssh-key on a KeePass entry.
If the key is encrypted with a passphrase, put the passphrase in the Password field of the same entry.
Enable the agent with --enable-ssh-agent and specify one or more KeePass entry paths with --ssh-key:
seekret-service \
--keepass-path "/path/to/keepassfile.kdbx" \
--enable-ssh-agent \
--ssh-key "path/to/ssh-key-entry" \
--ssh-key "another/ssh-key-entry"
The agent listens on a Unix domain socket at $HOME/.seekret-ssh-agent.sock by default.
You can override the socket path with --ssh-agent-sock:
seekret-service \
--keepass-path "/path/to/keepassfile.kdbx" \
--enable-ssh-agent \
--ssh-key "my-ssh-key" \
--ssh-agent-sock /tmp/my-custom-agent.sock
Point the SSH_AUTH_SOCK environment variable at the agent socket:
export SSH_AUTH_SOCK="$HOME/.seekret-ssh-agent.sock"
ssh-add -l # list loaded keys
ssh user@host # authenticate using a KeePass-stored key
Note: Signing requests are denied silently when the authorization timeout has expired.
Trigger a new authorization by making an HTTP request to the service first (e.g. curl http://localhost:8123/some-entry/secret).
RUST_LOG=debug cargo run -- --keepass-path test.kdbx --keepass-keyfile test.key --port 8124 --enable-ssh-agent --ssh-key "my-ssh-key"
The test KeePass file test.kdbx is protected with password test and keyfile test.key.
It contains the entry root_entry1 with username root-username and password root-password.
You may then request username and password of this test entry using:
curl http://127.0.0.1:8124/root_entry1/username
curl http://127.0.0.1:8124/root_entry1/secret
To automatically update all dependencies and run tests:
./update-dependencies.sh
This script will:
- Update all dependencies to their latest compatible versions
- Build the project
- Run all tests
- Run clippy linter
- Check code formatting
- Display a summary of dependency changes
After running the script, review the changes and update CHANGELOG.md if needed.
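With only --silent, the direnv lookups shown near the top of this page store whatever curl prints, including an HTTP error body, in the variable. The following added example (not part of seekret-service) is a fail-closed wrapper for an .envrc; it assumes the service answers a denied or unknown entry with a non-2xx HTTP status, and seekret_get, seekret_export and SEEKRET_URL are hypothetical names.

```bash
# Added example: fail-closed secret lookup for an .envrc (not seekret-service code).
# Assumption: a denied or unknown entry is answered with a non-2xx HTTP status.
SEEKRET_URL="${SEEKRET_URL:-http://localhost:8123}"   # port from the examples above

# seekret_get ENTRY_PATH FIELD
# Prints the value on success; returns non-zero on any failure.
seekret_get() {
    local entry="$1" field="$2" value
    case "$field" in
        secret|username) ;;                # the two fields the service exposes
        *) echo "seekret_get: unknown field '$field'" >&2; return 2 ;;
    esac
    # --fail turns an HTTP error into a non-zero exit instead of an error body
    # that would otherwise end up in the variable; --max-time bounds the wait.
    value="$(curl --silent --show-error --fail --max-time 60 \
        "$SEEKRET_URL/$entry/$field")" || return 1
    # An empty answer is treated as a failure as well.
    [ -n "$value" ] || { echo "seekret_get: empty $field for '$entry'" >&2; return 1; }
    printf '%s' "$value"
}

# seekret_export VAR ENTRY_PATH [FIELD]
# Exports VAR only when the lookup succeeded; otherwise VAR is unset so that a
# stale or bogus value never reaches the tools started from this shell.
seekret_export() {
    local var="$1" entry="$2" field="${3:-secret}" value
    if value="$(seekret_get "$entry" "$field")"; then
        export "$var=$value"
    else
        unset "$var"
        echo "seekret_export: $var not set" >&2
        return 1
    fi
}

# Usage in .envrc (entry path taken from the example above):
#   seekret_export GITLAB_TOKEN access-keys/GitLab/GitLab-API-Token-Shell
```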