A lightweight, secure CLI secret manager built in Rust with an interactive Terminal UI (TUI) for Ubuntu Server VPS environments and beyond.
- AES-256-GCM encryption for all stored secrets
- PBKDF2 key derivation from master password with configurable iterations
- Secure password validation with strength checking
- Zeroized memory for sensitive data handling
- Audit logging for all secret operations
- Beautiful Terminal UI built with ratatui
- Colored CLI output for better navigation
- Interactive secret management with keyboard shortcuts
- Search functionality with real-time filtering
- Context-aware help system
- CRUD operations (Create, Read, Update, Delete)
- Categorization and tagging for organization
- Secret expiration with automatic detection
- Bulk operations and batch processing
- Metadata tracking (creation, access, update times)
- Automatic secret rotation with configurable policies
- Health monitoring for expired/weak secrets
- Automated backups with encryption
- Import/Export in multiple formats (JSON, CSV)
- High availability through backup replication
- Rust 1.70+ (for building from source)
- A terminal that supports colors and unicode
```bash
git clone https://github.com/RayburnCode/secret_parser.git
cd secret_parser/secret_cli
cargo build --release
sudo cp target/release/secret_cli /usr/local/bin/secret
```

```bash
secret init
# Follow the prompts to set your master password
```

```bash
secret add database-password --category "Database" --description "Production DB password"
# Enter the secret value when prompted
```

```bash
secret list
```

```bash
secret ui
```

```bash
secret add api-key \
  --category "API" \
  --description "Stripe API key for payments" \
  --tags "stripe,payment,production" \
  --expires "2024-12-31T23:59:59Z"
```

```bash
secret add user-password --generate --length 32
```

```bash
secret get api-key --full   # Show all metadata
secret get api-key --copy   # Copy to clipboard (requires clipboard support)
```

```bash
# A value passed with --value is recorded in shell history and is visible in the process list
secret update api-key --value "new-api-key-value" --category "Payment"
```

```bash
secret search "stripe"         # Search by name, category, description, or tags
secret list --category "API"   # Filter by category
secret list --expired          # Show only expired secrets
```

```bash
secret health check        # Comprehensive health report
secret health expired      # List expired secrets
secret health weak         # Find weak passwords
secret health duplicates   # Find duplicate secret values
```

```bash
secret rotate list                              # Show rotation status
secret rotate secret api-key                    # Rotate a specific secret
secret rotate policy api-key --days 90 --auto   # Set rotation policy
```

```bash
secret backup create                    # Manual backup
secret backup schedule --interval 6     # Auto-backup every 6 hours
secret backup restore backup-file.bak   # Restore from backup
```

```bash
secret export secrets.json --format json --encrypt
secret import secrets.json --format json --merge
secret export secrets.csv --format csv --metadata
```

```bash
secret audit show --limit 100    # Show recent audit entries
secret audit show --failed       # Show only failed operations
secret audit export audit.json   # Export audit log
```

Launch the interactive Terminal UI with:

```bash
secret ui
```

- `↑`/`k` - Move up
- `↓`/`j` - Move down
- `Enter` - View secret details
- `a` - Add new secret
- `d` - Delete selected secret
- `/` - Search secrets
- `h`/`F1` - Toggle help
- `Esc` - Go back
- `q` - Quit

- Real-time search filtering
- Colored status indicators (OK, EXPIRED, TEMP)
- Interactive forms for adding secrets
- Sortable columns
- Help overlay
secret creates a configuration file at ~/.config/secret/config.json:
```json
{
  "store_path": "~/.secret/store.enc",
  "backup_path": "~/.secret/backups/",
  "auto_backup": true,
  "backup_interval_hours": 6,
  "max_backups": 10,
  "audit_log_enabled": true,
  "audit_log_path": "~/.secret/audit.log",
  "encryption_iterations": 100000
}
```

- Strong Master Password - Use a unique, strong password for your secret store
- Regular Backups - Enable automatic backups to prevent data loss
- Audit Reviews - Regularly review audit logs for suspicious activity
- Access Control - Secure the host system where secrets are stored
- Rotation Policy - Implement regular secret rotation for sensitive credentials
- Encrypted at Rest - All secrets encrypted with AES-256-GCM
- Memory Protection - Sensitive data zeroized after use
- Audit Trail - Complete logging of all secret operations
- Master Password - Single point of authentication
- File Permissions - Relies on OS file permission security
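
Because the store relies on OS file permissions and a configurable PBKDF2 iteration count, both are worth checking on the host. The script below is an added example, not part of the project: it reads a `config.json` with the keys shown above and reports a low iteration count and any configured path that is missing, a symlink, owned by another user, or accessible to group/other. The 600,000 floor is an assumption (OWASP's figure for PBKDF2-HMAC-SHA256; this README does not name the hash), and `audit` and `demo` are hypothetical names.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed floor: OWASP's figure for PBKDF2-HMAC-SHA256. The README does not
# name the hash used with PBKDF2, so adjust this to the real primitive.
MIN_ITERATIONS = 600_000

def audit(config_path, min_iterations=MIN_ITERATIONS):
    """Return a list of findings for a config.json and the paths it names."""
    cfg = json.loads(Path(config_path).read_text())
    findings = []
    iterations = cfg.get("encryption_iterations", 0)
    if iterations < min_iterations:
        findings.append(f"encryption_iterations: {iterations} < {min_iterations}")
    for key in ("store_path", "backup_path", "audit_log_path"):
        path = Path(os.path.expanduser(cfg[key]))
        try:
            st = path.lstat()  # lstat so a planted symlink is not followed
        except FileNotFoundError:
            findings.append(f"{key}: {path} is missing")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{key}: {path} is a symlink")
            continue
        if st.st_uid != os.getuid():
            findings.append(f"{key}: {path} is owned by uid {st.st_uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group or other permission bit
            findings.append(f"{key}: mode {mode:04o} grants group/other access")
    return findings

def demo():
    """Constructed sample: the README's iteration count, store.enc at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backups").mkdir()
        (root / "store.enc").write_bytes(b"constructed ciphertext")
        (root / "audit.log").write_text("")
        for name, mode in (("backups", 0o700), ("store.enc", 0o644), ("audit.log", 0o600)):
            os.chmod(root / name, mode)
        cfg = {"store_path": str(root / "store.enc"), "backup_path": str(root / "backups"),
               "audit_log_path": str(root / "audit.log"), "encryption_iterations": 100000}
        (root / "config.json").write_text(json.dumps(cfg))
        return audit(root / "config.json")

if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a real installation, call `audit(os.path.expanduser("~/.config/secret/config.json"))`; an empty list means none of these checks fired.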
┌─────────────────┐ PBKDF2 ┌──────────────────┐
│ Master Password │─────────────→│ Encryption Key │
└─────────────────┘ └──────────────────┘
│
│ AES-256-GCM
▼
┌─────────────────┐ ┌──────────────────┐
│ Secret Store │◄──────────────│ Encrypted Store │
│ (JSON in memory)│ │ (File on disk) │
└─────────────────┘ └──────────────────┘
```bash
# Mount secrets into containers
docker run -v ~/.secret:/secrets myapp
# Use init containers to fetch secrets
# (as written, the > redirect is evaluated by the host shell, not inside the container)
docker run --rm -v secrets:/shared secret get api-key > /shared/api-key
```

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.
⚡ Fast • 🔒 Secure • 🖥️ Terminal-Native • 🦀 Rust-Powered