A secret environment management
Treat your secrets like password
We live in a devops world, the devops world is awesome, so many neat tools and deployment management, API, ...
Many vendors will treat the security as "next vendor's problem".
As a user, we end-up with many dotfiles containing critical API keys in
plain-text, or we just
export BASH_VARS=SeCrEt, and the secret end-up in
On another side, we start to implement saner password management policies,
thanks to tools such as
lastpass, and so many
Let's try to fix it.
Denver is super simple and tool-agnostic script which let you export the
environment variables AWS and Vault love so much, from your password manager
(granted it offers you a way to write it to
stdout). And set an alias
fdenver) to forget about it when you're done (or just close the terminal,
I'm not your boss)
It's currently a WIP (work in progress), but due to being a pretty dumb wrapper around more mature tools, you can start to use it safely with actual secrets.
It could work, with some effort, in windows, but it's out of scope for now.
demo.cfg file can be copied to
pip install denver
Please do use a virtual environment.
on the password manager side
Store a secret in the form of:
If you use keepass, use the
on denver side
Adapt the command to your use-case, examples are provided for
It should work without any problem in any shell providing subshell support (ie. bash and zsh)
If your environment already has a variable with the same name in its scope,
denver won't overwrite it, nor set it to be unset.
# source it from a subshell source <(denver.py -n NAME) # display the commands denver.py -n NAME [ keep the space as 1st char if you copy/paste those commands so they're not appended to your .history file ] # look at the variables being correctly set up: env # forget about these fdenver
XXXX marks the spot
You can see 'XXXX' in command parameters, they're magic-value, and will be
replaced with the
-n key, or
--name key) parameter at runtime.
Haven't you tried this already ?
a note about stdin password prompts
You can't (easily) reach the subshell's stdin, it means you should use an
external prompt program if the password tool give an interactive prompt, use a
graphical tool in order to pipe your password there (cf.
- there's no context awareness, if you run it twice with different variables
fdenveralias won't be properly created, and will fail to unset every variables (should you be in that situation : just exit the damn shell)
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.