Share read-once and time-limited secrets, configurations or small files with your coworkers or customers.
vshare uses vault and response-wrapping tokens to simplify this.
Vshare will use your VAULT_TOKEN
and VAULT_ADDR
environment variables to put the secret in the cubbyhole/vshare-nanosecondtimestamp
key.
We will then read the cubbyhole/vshare-nanosecondtimestamp
to get a response-wrapping token with your specified TTL (default 15m) which can be used only once to get the secret back.
Latest binaries here
Needs the vault server address and a valid token
export VAULT_ADDR=https://yourvaultserver.tld
export VAULT_TOKEN=avaulttoken
$ vshare
Enter your secret to share: mysecret
This secret will self destruct when read or after 15m.
The token to share is s.o6dEYyNgjFEVJMtbGHHjLlzA
Needs the vault server address
export VAULT_ADDR=https://yourvaultserver.tld
$ vshare s.o6dEYyNgjFEVJMtbGHHjLlzA
The secret is: mysecret
User A wants to share a secret with user B who maybe doesn't have direct vault access
Needs the vault server address and the hostname vshare is running on. vshare doesn't support TLS directly so put it behind a proxy eg caddy.
export VAULT_ADDR=https://yourvaultserver.tld
export VSHARE_URL=https://yourvshareserver.tld
vshare -web -webport ":8080"
vault server: https://yourvaultserver.tld
vshare server URL: https://yourvshareserver.tld
⇨ http server started on [::]:8080
export VAULT_ADDR=https://yourvaultserver.tld
export VSHARE_URL=https://yourvshareserver.tld
export VAULT_TOKEN=avaulttoken
Enter your secret to share: mysecret
This secret will self destruct when read or after 15m.
The token to share is s.ikctGfmUZ9Yv3wEmUfTtsfyH
Or via web https://yourvshareserver.tld/info/s.ikctGfmUZ9Yv3wEmUfTtsfyH
https://yourvshareserver.tld/info/s.ikctGfmUZ9Yv3wEmUfTtsfyH
$ vshare -ttl 1h
Enter your secret to share: blah
This secret will self destruct when read or after 1h.
The token to share is s.2iP1z415d64THmM8iksUSxvU
Or via web https://yourvshareserver.tld/info/s.2iP1z415d64THmM8iksUSxvU
$ ls -al mystuff.zip
-rw-r--r-- 1 wim wim 14269 Apr 28 21:16 mystuff.zip
$ vshare -ttl 30m -file mystuff.zip
This secret will self destruct when read or after 5m.
The token to share is s.R9UKV5WAdQhXRDGo4EYqzrcc
Or via web https://yourvshareserver.tld/info/s.R9UKV5WAdQhXRDGo4EYqzrcc
When retrieving it, vshare knows it's a file and will prompt you to save it instead of showing on stdout
$ vshare s.R9UKV5WAdQhXRDGo4EYqzrcc
The secret is a file, enter a filename to safe the output in (default: "vshare.output"): secret.zip
$ ls -al secret.zip
-rw------- 1 wim wim 14269 Apr 28 21:19 secret.zip
./vshare: wraps your secret in a single-use token.
Needs VAULT_ADDR and VAULT_TOKEN env variable.
./vshare :will ask you for your secret
./vshare <token> :will reveal the secret wrapped in <token>
flags:
-file string
will use the content of <file> as the secret
-ttl string
ttl of the token (default "15m")
-web
run as webserver. Needs VAULT_ADDR and VSHARE_URL env variable
-webport string
<ip>:<port> to listen on as webserver (default ":80")