The vault sub-command is a complex one, as it implements all interactions with vaults. A vault contains shared secrets and is compatible with pass, the standard unix password manager.

It provides subcommands for dealing with two kinds of items:

  • resources
  • recipients

About Resources

Most of the time, when using the vault, you will deal with the resources contained within. A resource is a secret that is encrypted for every recipient of the vault, so that all recipients can read and write it.

Resources can be added, removed, edited, listed and shown.

As they are used most of the time, the commands for handling them are found directly in the vault sub-command.

About Recipients

Each recipient is identified by their GPG key, which is tied to their identity. New recipients can only be added by existing recipients of the vault, and the recipient adding them is expected to verify that the new key truly belongs to the person it claims to represent.

Recipients may indicate trust relationships between each other, which allows encrypting for recipients whose keys have not been explicitly verified. This is called the Web of Trust, a feature that sheesy makes easier to use.

As they are used less often, they are tucked away in the recipients sub-command.
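Because a vault is pass-compatible, its recipients are expected to live in a .gpg-id file and each resource is an OpenPGP message encrypted to every key listed there. The script below is an added example, not part of sheesy: it audits such a directory offline by reading the Public-Key Encrypted Session Key packets (RFC 4880 §5.1) of every *.gpg resource and comparing the key IDs found there with .gpg-id, which surfaces resources that were not re-encrypted after a recipient was added, or that were encrypted to a key nobody listed. It is written in Python rather than shell so it runs without sy or gpg installed; the .gpg-id location, the sample key IDs and the make_pkesk()/build_demo_vault() helpers that fabricate packets are constructed for this example and carry no real ciphertext.

```python
"""Audit a pass/sheesy-style vault directory offline (constructed example, not sheesy code).

For every *.gpg resource, read the OpenPGP packet headers, collect the key IDs
named by Public-Key Encrypted Session Key (PKESK) packets, and compare them with
the recipients listed in .gpg-id (assumed to sit at the vault root).
"""
import tempfile
from pathlib import Path

PKESK_TAG = 1          # Public-Key Encrypted Session Key packet (RFC 4880 §5.1)
WILDCARD_KEY_ID = "0000000000000000"  # gpg --throw-keyids hides the recipient


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                return  # partial body length: only data packets use it, and they follow every PKESK
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                return  # indeterminate length: the rest of the stream is this packet
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += length
        yield tag, body


def recipient_key_ids(data: bytes) -> set:
    """Return the 16-hex-digit key IDs a message was encrypted for (PKESK version 3 only)."""
    ids = set()
    for tag, body in iter_packets(data):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError(f"unsupported PKESK version {body[0]}")
        ids.add(body[1:9].hex().upper())  # version byte, then the 8-octet key ID
    return ids


def load_recipients(gpg_id_file: Path) -> set:
    """Read .gpg-id; entries may be long key IDs or full fingerprints, so compare on the last 16 hex digits."""
    ids = set()
    for line in gpg_id_file.read_text().splitlines():
        entry = line.split("#", 1)[0].replace(" ", "").strip()
        if entry:
            ids.add(entry[-16:].upper())
    return ids


def audit_vault(vault_dir) -> dict:
    """Map each problematic resource to the recipients it misses, the unknown keys it names, and wildcard use."""
    vault_dir = Path(vault_dir)
    recipients = load_recipients(vault_dir / ".gpg-id")
    findings = {}
    for path in sorted(vault_dir.rglob("*.gpg")):
        encrypted_for = recipient_key_ids(path.read_bytes())
        anonymous = WILDCARD_KEY_ID in encrypted_for  # cannot be verified offline at all
        encrypted_for.discard(WILDCARD_KEY_ID)
        missing, unknown = recipients - encrypted_for, encrypted_for - recipients
        if missing or unknown or anonymous:
            findings[path.relative_to(vault_dir).as_posix()] = {
                "missing": sorted(missing), "unknown": sorted(unknown), "anonymous": anonymous}
    return findings


def make_pkesk(key_id_hex: str, old_format: bool = False) -> bytes:
    """Fabricate a v3 PKESK packet naming key_id_hex: constructed test data, no real encryption."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1])   # version 3, key ID, algo 1 (RSA)
    body += (16).to_bytes(2, "big") + b"\xff\xff"                  # a 16-bit MPI standing in for the session key
    header = bytes([0x80 | (PKESK_TAG << 2)]) if old_format else bytes([0xC0 | PKESK_TAG])
    return header + bytes([len(body)]) + body


def build_demo_vault(root: Path):
    """Constructed vault: two listed recipients, one correctly shared resource, one stale resource."""
    alice, bob, mallory = "0123456789ABCDEF", "FEDCBA9876543210", "DEADBEEFCAFEF00D"
    (root / ".gpg-id").write_text(f"{alice}\n{'00' * 12}{bob}\n")   # Bob listed by full 40-digit fingerprint
    (root / "web").mkdir()
    payload = bytes([0xD2, 5, 1, 0, 0, 0, 0])                       # stand-in for the encrypted data packet
    (root / "web" / "github.gpg").write_bytes(make_pkesk(alice) + make_pkesk(bob, old_format=True) + payload)
    (root / "db-root.gpg").write_bytes(make_pkesk(alice) + make_pkesk(mallory) + payload)  # never re-encrypted for Bob


def run_demo() -> dict:
    """Build the constructed vault in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_vault(Path(tmp))
        return audit_vault(tmp)


if __name__ == "__main__":
    for resource, finding in run_demo().items():
        print(resource, finding)
```

The audit only shows which key IDs the session-key packets name; it says nothing about whether those keys are the right ones, which is exactly the verification step the Web of Trust is meant to support. Against a real vault the same information is available from gpg --list-packets, and pass-style vaults may carry a nested .gpg-id per subdirectory, which this example ignores.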

The vault sub-command

As the vault sub-command is only a hub, we recommend looking at its sub-commands instead.

sy vault --help
sy-vault 4.0.10
Sebastian Thiel <byronimo@gmail.com>
Various commands to store and retrieve secrets and control who has access.

USAGE:
    sy vault [OPTIONS] --config-file <path> [SUBCOMMAND]

FLAGS:
    -h, --help    Prints help information

OPTIONS:
    -s, --select <selector>     Specify the vault which should be the leader.This is particularly relevant for
                                operations with partitions.It has no effect during 'vault init'.A vault can be selected
                                by the directory used to stored its resources, by its name (which may be ambiguous), or
                                by the index in the vault description file. [default: 0]
    -c, --config-file <path>    Path to the vault configuration YAML file. [default: ./sy-vault.yml]

SUBCOMMANDS:
    init          Initialize the vault in the current directory. If --gpg-key-id is unset, we will use the only key
                  that you have a secret key for, assuming it is yours.If you have multiple keys, the --gpg-key-id
                  must be specified to make the input unambiguous.
    add           Add a new resource to the vault.
    edit          Edit a resource. This will decrypt the resource to a temporary file, open up the $EDITOR you have
                  specified, and re-encrypt the changed content before deleting it on disk.
    show          Decrypt a resource
    list          List the vault's content.
    remove        Delete a resource from the vault.
    recipients    Interact with recipients of a vault. They can encrypt and decrypt its contents.
    partitions    A partition is essentially another vault, as such it has its own recipients list, name, keys
                  directory place to store resources.Its major promise is that it is non-overlapping with any other
                  partition.Its main benefit is that it allows one recipients list per resource directory,
                  effectively emulating simple access control lists.
    help          Prints this message or the help of the given subcommand(s)