A GPG-based secret storing/sharing library
Project description
Harpo
Description
Harpocrates (Ancient Greek: Ἁρποκράτης) was the god of silence, secrets and confidentiality.
Harpo is a GPG-based secret storage/sharing library.
It aims to be a convenient wrapper around GPG and tries to solve the following problems:
- Store secrets in a repository (currently only git is supported) in a secure manner
- Provide role-based access to the stored secrets
- Provide an easy way to reencrypt secrets
It was inspired by blackbox by StackExchange.
Installation
Harpo is available at pypi.org and can be installed with pip:
pip install harpo
Quick start
Initialization
Suppose we have some git repository:
$ git rev-parse --is-inside-work-tree
true
Then we can initialize harpo right away with:
harpo initialize
This command will create the necessary directory structure and bootstrap it with some default groups and domains:
[INFO] Initializing at /home/user/my_repo/.harpo
[INFO] Add domain: all
[INFO] Create group: all
[INFO] Create group: adm
[INFO] OK
Add users
Now it's time to add the first users. Harpo looks the key up in your GPG public keyring and imports the public key from there.
harpo add user <Key ID> -g adm
The key ID can be any string that identifies your key: an email address, a surname, a key ID, etc.
Let's say you have a key with the email mr.robot@example.com:
harpo add user mr.robot -g adm
[INFO] Importing key A8.....0 - Mister Robot <mr.robot@example.com>
[INFO] Add user 'Mister Robot <mr.robot@example.com>' to group 'adm'
[INFO] Add user 'Mister Robot <mr.robot@example.com>' to group 'all'
[INFO] Reencrypting everything!
Because the lookup matches any string, check that the key shown in the "Importing key" line is the one you intend before committing the result; a look-alike user ID in your keyring would otherwise become a recipient of your secrets.
Note that we also indicated that we want this user to be added to the adm group. Every user also belongs to the group all.
Encrypt some stuff
harpo encrypt all/my_password hunter2
This will create a new GPG-encrypted file at .harpo/domains/all/my_password.
Note:
You can also encrypt entire files with encrypt-file. This also keeps the secret off the command line: a literal argument such as hunter2 above is recorded in your shell history and is visible in the process list while the command runs:
harpo encrypt-file all/bobs_password /home/alice/Downloads/bobs_password
Decryption
harpo decrypt all/my_password
This prints the secret's contents to stdout:
$ harpo decrypt all/my_password
hunter2
Add domains
Let's create one domain for our development-related secrets and another for production.
harpo add domain dev
harpo add domain prod
This will create .harpo/domains/dev and .harpo/domains/prod.
Add groups
harpo add group developers
Granting access
Currently only the group adm has access to both the dev and prod domains.
Let's change this by allowing the group developers to read secrets in the domain dev:
harpo allow -g developers dev
Now if you add users to the developers group, they will all be able to decrypt secrets in the dev domain:
harpo add user mr.developer -g developers
Reencrypting
Harpo automatically reencrypts secrets when it's appropriate, for example after a user or permission change. Keep in mind that reencryption only rewrites the current files: the previous ciphertexts remain in git history, so a user you remove can still decrypt those older revisions with their key. Treat removing a user as a reason to rotate the affected secrets, not just to reencrypt them. If you want to trigger reencryption manually, run:
harpo reencrypt
Terminology
Secret
A secret is a GPG-encrypted file stored inside a domain.
Its recipient list always contains the users from the group adm, plus the other recipients that are allowed to read secrets in its domain.
Domain
Domains provide a way to group secrets: all secrets inside a given domain have the same list of recipients. The administrator can specify which groups/users can read secrets in a given domain.
There is one system domain created by default: all.
Its purpose is to store secrets that can be decrypted by any existing user.
The group adm can decrypt any secret in any domain.
User
A user is simply a GPG recipient. Harpo identifies users by the public keys in its own repository-local GPG keyring located at .harpo/keychain/pubkeyring.gpg (the keys are imported there from your personal keyring when you run harpo add user).
Group
A group is a list of users. There are two special system groups: all and adm. They have the following properties:
- Every user belongs to all, and hence can decrypt any secret in the special domain all,
- adm can decrypt any secret in any domain.