The vault sub-command is quite a complex one, as it implements all interactions with vaults.
A vault contains shared secrets and is compatible with the unix password manager.
It provides sub-commands for dealing with two kinds of items:
- resources
- recipients
About Resources
Most of the time, when using the vault, you will deal with the resources contained within. A resource is a secret that is encrypted so that it is readable and writable by all recipients.
Resources can be added, removed, edited, listed and shown.
As they are used most of the time, these operations are found directly in the vault sub-command.
About Recipients
Each recipient is identified by their gpg key, which is tied to their identity. New recipients can only be added by existing recipients of the vault, which also requires them to verify that the new key truly belongs to the respective person.
Recipients may indicate trust relationships between each other, which allows encrypting for recipients whose keys have not been explicitly verified.
This is called the Web of Trust, a feature that sheesy makes easier to use.
As they are used less often, these operations are tucked away in the recipients sub-command.
The vault sub-command
As the vault sub-command is only a hub, we recommend that you look at its sub-commands instead.
sy vault --help
sy-vault 4.0.10
Sebastian Thiel <byronimo@gmail.com>
Various commands to store and retrieve secrets and control who has access.
USAGE:
sy vault [OPTIONS] --config-file <path> [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
OPTIONS:
-s, --select <selector> Specify the vault which should be the leader.This is particularly relevant for
operations with partitions.It has no effect during 'vault init'.A vault can be selected
by the directory used to stored its resources, by its name (which may be ambiguous), or
by the index in the vault description file. [default: 0]
-c, --config-file <path> Path to the vault configuration YAML file. [default: ./sy-vault.yml]
SUBCOMMANDS:
init Initialize the vault in the current directory. If --gpg-key-id is unset, we will use the only key
that you have a secret key for, assuming it is yours.If you have multiple keys, the --gpg-key-id
must be specified to make the input unambiguous.
add Add a new resource to the vault.
edit Edit a resource. This will decrypt the resource to a temporary file, open up the $EDITOR you have
specified, and re-encrypt the changed content before deleting it on disk.
show Decrypt a resource
list List the vault's content.
remove Delete a resource from the vault.
recipients Interact with recipients of a vault. They can encrypt and decrypt its contents.
partitions A partition is essentially another vault, as such it has its own recipients list, name, keys
directory place to store resources.Its major promise is that it is non-overlapping with any other
partition.Its main benefit is that it allows one recipients list per resource directory,
effectively emulating simple access control lists.
help Prints this message or the help of the given subcommand(s)
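The partitions description above says that a partition is non-overlapping with every other partition and carries its own recipients list, which is what lets one recipients list per resource directory emulate a simple access control list. The following added example (not sheesy's own code, and not its on-disk format) models that rule: partitions are constructed sample data, the resource paths are constructed, and the directory layout is an assumption chosen only to show the overlap check and the per-directory recipient lookup.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Partition:
    name: str
    directory: str          # where this partition stores its encrypted resources
    recipients: frozenset   # gpg key ids able to decrypt everything below `directory`


def check_non_overlapping(partitions: list) -> None:
    """Raise ValueError if any partition directory equals or contains another.

    Non-overlap is what makes the lookup unambiguous: a resource can belong to
    at most one partition, hence to exactly one recipients list.
    """
    dirs = [(p.name, PurePosixPath(p.directory)) for p in partitions]
    for i, (name1, dir1) in enumerate(dirs):
        for name2, dir2 in dirs[i + 1:]:
            if dir1 == dir2 or dir1 in dir2.parents or dir2 in dir1.parents:
                raise ValueError(f"partitions {name1!r} and {name2!r} overlap: {dir1} vs {dir2}")


def partition_for(resource: str, partitions: list):
    """Return the partition whose directory contains `resource`, or None if unmanaged."""
    path = PurePosixPath(resource)
    for p in partitions:
        if PurePosixPath(p.directory) in path.parents:
            return p
    return None


def recipients_for(resource: str, partitions: list) -> frozenset:
    """The effective ACL of a resource is the recipients list of its partition."""
    p = partition_for(resource, partitions)
    return p.recipients if p else frozenset()


def resources_to_reencrypt(partition_name: str, resources: list, partitions: list) -> list:
    """Resources that must be re-encrypted after a partition's recipients list changes.

    Removing a recipient only stops future reads if every resource in that partition
    is re-encrypted to the new list; resources in other partitions are untouched.
    """
    hits = []
    for r in resources:
        p = partition_for(r, partitions)
        if p is not None and p.name == partition_name:
            hits.append(r)
    return sorted(hits)


# Constructed sample layout: one shared partition and two team partitions.
PARTITIONS = [
    Partition("main", "secrets", frozenset({"alice", "bob", "carol"})),
    Partition("ops", "secrets-ops", frozenset({"alice", "bob"})),
    Partition("finance", "secrets-finance", frozenset({"alice", "carol"})),
]
RESOURCES = [
    "secrets/wifi.gpg",
    "secrets-ops/ssh-root.gpg",
    "secrets-ops/db/admin.gpg",
    "secrets-finance/bank.gpg",
]

if __name__ == "__main__":
    check_non_overlapping(PARTITIONS)
    for r in RESOURCES:
        print(r, "->", sorted(recipients_for(r, PARTITIONS)))
    print("after changing ops recipients, re-encrypt:", resources_to_reencrypt("ops", RESOURCES, PARTITIONS))
```

Two details are worth noting for anyone relying on partitions as access control: the overlap check must run whenever a partition is created, since a nested directory would give a resource two competing recipients lists; and shrinking a recipients list protects only the re-encrypted ciphertext, so a removed recipient who already copied a resource still has its old content.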