Keyringer lets you manage and share secrets using GnuPG and Git with custom commands to encrypt, decrypt, recrypt, create key pairs, etc.
- Project page: https://keyringer.pw
- Manpage: keyringer.1
- License: GPLv3+
- Issue tracker: https://keyringer.pw/trac
- Tor hidden service: http://4qt45wbulqipigwa.onion
- Releases: https://keyringer.pw/releases
- Contact: rhatto at riseup.net
- Keyringer: encrypted and distributed secret sharing software
git clone https://git.fluxo.info/keyringer
And then leave it somewhere, optionally adding it to your
$PATH environment variable
or package it to your preferred distro.
If you're using Debian
jessie or newer, just run
apt-get install keyringer
The first step is to setup a keyring.
Keyringer supports management of multiple isolated keyrings. To start a new keyring (or register an existing one with your config file), run:
keyringer <keyring> init <path> [remote]
- Add an entry at
$HOME/.keyringer/configaliasing 'keyring' to 'path'.
- Initialize a git repository if needed.
keyringer friends init $HOME/keyrings/friends
creates an alias "friends" pointing to
other keyring actions for this keyring should be called using this alias.
If there is an existing remote keyring git repository and you just want to checkout it, use
keyringer friends init $HOME/keyrings/friends <repository-url>
secret has a corresponding file inside
keys subdirectory from the
keyring folder. Keyringer has plenty of actions to operate in these secrets:
Encrypting a secret
keyringer <keyring> encrypt <secret>
Encrypting a secret from a file
keyringer <keyring> encrypt <secret> <plaintext-file>
Decrypting a secret (only to stdout)
keyringer <keyring> decrypt <secret>
Re-encrypting a secret or the whole repository
keyringer <keyring> recrypt [secret]
Appending information to a secret
keyringer <keyring> append <secret>
Editing a secret
keyringer <keyring> edit <secret>
Use this option with caution as it keeps temporary unencrypted data into a temporary folder.
keyringer <keyring> ls [arguments]
Keyringer comes with a simple git wrapper to ease common management tasks:
keyringer <keyring> git remote add keyringer <url> keyringer <keyring> git push keyringer master keyringer <keyring> git pull
Basic keyringer operation depends in a set of configuration files:
Main config file:
$HOME/.keyringer/config: store the location of each keyring.
User preferences per keyring:
$HOME/.keyringer/<keyring>: managed by "keyringer preferences". Preferences aren't shared among users, so each user can have it's own set of preferences.
Custom keyring options:
$KEYRING_FOLDER/config/options: managed by "keyringer options". Options are shared among all keyring users.
$KEYRING_FOLDER/config/recipients/: controls the list of OpenPGP public key fingerprints that should be used when encrypting content. Multiple recipients are supported, so secrets can be encrypted to different sets of OpenPGP pubkeys in the same keyring.
Other configuration parameters used by keyringer and it's actions are stored at
If you want to use a different key other than your default for a given keyringer, use
keyringer <keyring> preferences add KEYID=<fingerprint>
keyringer <keyring> preferences add KEYID=0123456789ABCDEF0123456789ABCDE012345678
Keyringer uses the
default recipient stored at
as the standard list of OpenPGP public key fingerprints to which secrets should be encrypted.
Additionally, keyringer supports multiple
recipient files which can have a different set
of OpenPGP public key fingerprints used for encryption.
Recipients are matched against secrets according to it's path. If there exists a recipient
accounting, the following secret will be encrypted using it's OpenPGP public key
keyringer <keyring> encrypt accounting/balance
In other words, the
accounting recipient file is used because the secret name begins
So it's the case that recipients listed in the
default recipient but not in the
accounting recipients won't be able to decrypt this secret.
When you first initalized your keyring, keyringer might have asked you to populate
default recipient list or you cloned a keyring repository which already has
If you want more recipient files, your next step is tell keyringer the OpenPGP key IDs to encrypt files to:
keyringer <keyring> recipients edit [recipient-name] keyringer <keyring> recipients ls
Remember that keyringer support multiple recipients in a per-folder style. Try it by creating a sample recipient file:
keyringer <keyring> recipients edit closest-friends
Fill it with your friends key IDs. Now encrypt a secret just for then:
keyringer <keyring> encrypt closest-friends/secret
In other words, if keyringer finds a recipient file matching a given path, it will use it instead of the global recipients file.
You can even create recipient files with your friends' key IDs but without yours: then you shall be able to encrypt secrets for them that even you cannot access. Try to find an use case for that
Each recipient list is defined in a file placed at
config/recipients in your
keyring repository. Take care to add just trustable recipients.
Keyringer's basic concepts are as follows:
Each secret is encrypted using multiple users's OpenPGP public keys and commit the output in a git repository we call a "keyring".
A "recipient" a list of OpenPGP keys associated with a path in the keyring, so each keyring can have multiple recipient definitions so secret compartmentalization is builtin. All encryption should respect recipient definition.
Users can keep their keyring copies in sync using any git remote and push/pull strategy they like, so key sharing gets easy.
A secret is not limited to passphrases or text: keyringer supports any file encryption, so managing private keys, spreadsheets and media files are handled without distinction.
Secret is stored with OpenPGP ASCII-armoured output, so one doesn't need any special program besides GnuPG to actually decrypt information.
Keyringer is agnostic about how you store your secrets. You may choose to have one encrypted file that contains one line for each secret, e.g. a single file called secrets with lines such as:
emma : root : secret1 emma - /dev/hda : : secret2
Or you may also have a different encrypted file for each secret, e.g. a file called
emma.rootthat contains the root passphrase for the server named
emmaand another called
emma.hdawith the passphrase to decrypt
Creating a logical structure to store your secrets is up to you
Keyringer can be used as a personal or shared password/secret manager:
Each keyring is a full git repository used to store encrypted secrets using ASCII-armoured OpenPGP.
encryptallows you to paste your secrets directly to GnuPG so no plaintext is written to disk.
By commiting, pushing and pulling each keyring repository, you can easily share secrets with other people and systems and they don't need to decrypt this information until they need.
In summary, keyringer data store is basically gpg-encrypted data atop of a git repository (one can think of a kind of distributed encrypted filesystem).
Git was chosen to host encrypted info mostly for two reasos: easy to distribute and its the only VCS known to make easier repository history manipulation.
Optional dependencies if you want to manage ssl keys: