secret
A Kubernetes controller and tool for one-way encrypted Secrets.
Problem: "I can manage all my K8s config in git, except Secrets." Solution: Encrypt your Secret into a SealedSecret, which is safe to store - even inside a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.
Secure Credential Sharing.
Share sensitive credentials and secrets securely with client-side AES-256 encryption, zero-knowledge architecture, and automatic self-destruction.
Check if your email address has been exposed in a data breach.
Bundle and save your SSH keys with Nix. This flake provides a way to encrypt and bundle your SSH keys and SSH config in a readable format!
Shoji-Nix is a Nix flake designed to manage and securely store your SSH keys. With Shoji-Nix, you can bundle your SSH configuration and .ssh folder into a YAML file which can then be encrypted and saved in your repository.
Declarative secrets, every environment, any provider.
SecretSpec separates the declaration of what secrets an application needs from where they are stored, enabling portable applications that work across different secret storage backends without code changes.
Use @decorator comments in your .env file(s) to create a declarative schema for your config and a new function call syntax to securely load secrets from external sources.
Varlock is our tool that uses this parser to actually load your .env files, and then applies the schema that you have defined. It is a CLI, library, and will communicate with a native Mac application that enables using biometric auth to securely encrypt your local secrets.
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
Scan for secrets in dangling commits on GitHub using GH Archive data.
This tool scans for secrets in dangling (dereferenced) commits on GitHub created by force push events. A force push occurs when developers overwrite commit history, which often contains mistakes, like hard-coded credentials. This project relies on archived force push event data in the GHArchive to identify the relevant commits.
Kingfisher is a blazingly fast secret‑scanning and validation tool built in Rust. It combines Intel’s hardware‑accelerated Hyperscan regex engine with language‑aware parsing via Tree‑Sitter, and ships with hundreds of built‑in rules to detect, validate, and triage secrets before they ever reach production.
One-Time Information Sharing. Encrypted Secret Sharing.
Share sensitive information securely with a link that can only be viewed once.
Cloud native secrets management for developers - never leave your command line for secrets.
Never leave your terminal to use secrets while developing, testing, and building your apps.
Instead of custom scripts, tokens in your .zshrc files, visible EXPORTs in your bash history, misplaced .env.production files and more around your workstation -- just use teller and connect it to any vault, key store, or cloud service you like (Teller supports HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and many more).
Manage ansible-vault passwords securely with Bitwarden CLI.
Fur-ociously Secure, Paw-sitively Adorable!
The purr-fect way to keep your secrets fur-ever safe, straight from the meow-th of your computer to your fur-ends' paws! A fur-ociously secure encryption tool that encodes your secrets as adorable cat and dog sounds, using real elliptic curve cryptography with a playful disguise.
External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
Cross-platform secret & config manager for development and CI environments
Novops, the universal secret and configuration manager for development, applications and CI.
One-Time-Secret sharing platform with a symmetric 256bit AES encryption in the browser
ots is a one-time-secret sharing platform. The secret is encrypted with a symmetric 256bit AES encryption in the browser before being sent to the server. Afterwards a URL containing the ID of the secret and the password is generated. The password is never sent to the server so the server will never be able to decrypt the secrets it delivers with a reasonable effort. Also the secret is immediately deleted on the first read.
Secure password & seedphrase manager on smartcard 🔐
Seedkeeper lets you effortlessly store all your passwords and protect your digital life so you can sleep on both ears.
Source: SeedKeeper - La carte à puce qui sécurise vos mots de passe @ Korben :fr:.
Paste a password, confidential message, or private data. Keep your sensitive information out of chat logs, emails, and more with encrypted secrets.
Hemmelig is an encrypted sharing platform that enables secure transmission of sensitive information. All encryption occurs client-side using TweetNaCl, ensuring your data remains encrypted before it reaches our servers. The platform supports both personal and organizational use cases, with features like IP restrictions, expiration controls, and optional password protection. Whether you're sharing credentials, sensitive messages, or confidential files, Hemmelig strives to ensure your data remains private and secure.
Secrets for developers.
Dotenv is a zero-dependency module that loads environment variables from a .env file into process.env. Storing configuration in the environment separate from code is based on The Twelve-Factor App methodology.
Telling tales on you for leaking secrets!
Squealer scans a git repository or filesystem for secrets that are being leaked deep within the commit history.
Generate JWT Secrets Online
Quickly generate secure JWT secrets with a single click.
Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
Talisman is a tool that scans git changesets to ensure that potential secrets or sensitive information do not leave the developer's workstation. It validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc.
A Python program to scrape secrets from GitHub through usage of a large repository of dorks.
GitDorker is a tool that utilizes the GitHub Search API and an extensive list of GitHub dorks that I've compiled from various sources to provide an overview of sensitive information stored on GitHub given a search query.
The primary purpose of GitDorker is to provide the user with a clean and tailored attack surface to begin harvesting sensitive information on GitHub. GitDorker can be used with additional tools such as GitRob or Trufflehog on interesting repos or users discovered from GitDorker to produce best results.
A multi-vault secret injection tool for safely injecting secrets into app environment.
Whispr (Pronounced as whisper) is a CLI tool to safely inject secrets from your favorite secret vault (Ex: AWS Secrets Manager, Azure Key Vault etc.) into your app's environment. This is very useful for enabling secure local software development.
Flask-Vault is a robust library that empowers Flask applications to securely store and manage sensitive credentials. It provides a set of CLI commands for storing secrets using AES-GCM symmetric encryption, ensuring that vital information like API keys and database credentials remain protected.
Flask-Vault provides several cli commands and Python functions to store secrets that you do not want to keep in the clear, using symmetric encryption with AES-GCM. These commands and functions allow you to safely read/write very important credentials such as API keys, database credentials, etc.
An enterprise friendly way of detecting and preventing secrets in code.
detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a code base.
Centralized Cloud-Based Secrets Management Platform.
Securely manage, orchestrate, and govern secrets at scale with Doppler’s developer-first cloud hosted platform.
Open Source Secret Management. All-in-one platform to securely manage application configuration and secrets across your team and infrastructure.
♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI.
Tang binding daemon.
Tang is a server for binding data to network presence.
This sounds fancy, but the concept is simple. You have some data, but you only want it to be available when the system containing the data is on a certain, usually secure, network. This is where Tang comes in.
Gitleaks is a fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories.
get things from one computer to another, safely.
This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. The two endpoints are identified by using identical "wormhole codes": in general, the sending machine generates and displays the code, which must then be typed into the receiving machine.
Securely Send a Password.
🔐 An application to securely communicate passwords over the web. Passwords automatically expire after a certain number of views and/or time has passed. Track who, what and when.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys.
Sealed Secrets provides declarative Kubernetes Secret Management in a secure way. Since the Sealed Secrets are encrypted, they can be safely stored in a code repository. This enables an easy to implement GitOps flow that is very popular among the OSS community.
Leak Detection In The DevOps Pipeline
Simple and flexible tool for managing secrets.
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.
Manage Secrets & Protect Sensitive Data
Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more.