Rumor

A small tool for generating, encrypting, and managing secrets.

Rumor allows you to create and renew secrets using a specification. The specification contains instructions for Rumor for how to import existing secrets, generate or renew secrets and export those secrets in that order.

All imports, generations and exports happen in the order of execution as specified in the specification.

Installation

Rumor is available as the default nix package of the Rumor flake. Rumor is supported on all default systems.

Invoking

You can invoke Rumor in two ways:

  1. rumor <path>: This tells Rumor to load the specification from the given path. Supported formats are json, yaml and toml. Rumor automatically detects the format of the specification via the file extension.
  2. ... | rumor stdin <format>: This tells Rumor to load the specification from standard input. In this mode you have to tell Rumor the format of the specification.

In both modes, rumor has two optional arguments:

  • --stay: By default, Rumor will create a temporary directory and change its directory to it. You can instruct Rumor to stay in the directory in which it was invoked by passing this argument.
  • --keep: By default, Rumor will delete the contents of the working directory at the end of its execution. This is a safety precaution so that your filesystem doesn't contain secrets in plaintext for anyone to see after it is done with work. You can disable this behavior by passing this argument.

Rumor also allows you to invoke all of the importers, generators and exporters on their own which will be described in the following chapters. Please note, however, that while rumor does some have safety precautions when using it in the main two ways as described here, invoking the importers, generators and exporters by themselves is done with minimal safety precautions which is limited to setting file permissions on generated files.

Specification

Here is an example of the specification in TOML format:

[[imports]]
importer = "copy"
arguments.path = "../id"
arguments.to = "id"
arguments.allow_fail = true

[[imports]]
importer = "copy"
arguments.from = "../key"
arguments.to = "key"
arguments.allow_fail = true

[[generations]]
generator = "id"
arguments.name = "id"
arguments.length = 16

[[generations]]
generator = "key"
arguments.name = "key"
arguments.length = 32
arguments.renew = true

[[exports]]
exporter = "copy"
arguments.from = "id"
arguments.to = "../id"

[[exports]]
exporter = "copy"
arguments.from = "key"
arguments.to = "../key"

This specification will instruct Rumor to do the following:

  1. Copy the ../id and then ../key files into the working directory while allowing Rumor to fail if the files do not exist (useful when generating secrets for the first time) time)

  2. Generate the id file with the contents of a alphanumeric identifier of length 16 if it doesn't exist

  3. Generate the key file with the contents of a alphanumeric key of length 32 overwriting the original if it exists (renewal)

  4. Copy the id file into ../id and then the key file into ../key overwriting the original files if they exist

Rumor validates every specification against the schema.json file.

Importers

The following are all available importers in Rumor. The type corresponds to the importer field in the specification.

Copy

Uses cp -f to copy a file.

  • Type: copy
  • Arguments:
    • from (path): From where to copy the file.
    • to (path): Where to put the file.
    • allow_fail (boolean, = false): Allow failing to copy the file.

Vault

Uses medusa to import multiple files from Vault.

  • Type: vault
  • Arguments:
    • path (string): Vault path where to load files from. The path will get suffixed with a current key because it lets the corresponding vault exporter to export multiple versions of the same secrets.
    • allow_fail (boolean, = false): Allow failing to load files.

Vault file

Uses Vault CLI to import a single file from Vault.

  • Type: vault-file
  • Arguments:
    • path (string): Vault path where to load files from. The path will get suffixed with a current key because it lets the corresponding vault exporter to export multiple versions of the same secrets.
    • file (string): Key of the file to load.
    • allow_fail (boolean, = false): Allow failing to load file.

Generators

The following are all available generators in Rumor. The type corresponds to the generator field in the specification.

Copy

Copies a file to another location.

  • Type: copy
  • Arguments:
    • from (path): Path to the source file which to copy.
    • to (path): Path to the destination file to copy to.
    • renew (boolean, = false): Whether to renew the copied to file upon subsequent generations.

Text

Generates a plain text file.

  • Type: text
  • Arguments:
    • name (path): Path to the text file.
    • text (string): Contents of the text file.
    • renew (boolean, = false): Whether to renew the text file upon subsequent generations.

JSON

Generates a JSON file.

  • Type: json
  • Arguments:
    • name (path): Path to the JSON file.
    • value (object): Contents of the JSON file.
    • renew (boolean, = false): Whether to renew the JSON file upon subsequent generations.

YAML

Generates a YAML file.

  • Type: json
  • Arguments:
    • name (path): Path to the YAML file.
    • value (object): Contents of the YAML file.
    • renew (boolean, = false): Whether to renew the YAML file upon subsequent generations.

TOML

Generates a TOML file.

  • Type: json
  • Arguments:
    • name (path): Path to the TOML file.
    • value (object): Contents of the TOML file.
    • renew (boolean, = false): Whether to renew the TOML file upon subsequent generations.

Id

Generates an alphanumeric identifier with 644 permissions.

  • Type: id
  • Arguments:
    • name (path): Path where to save the identifier.
    • length (number, = 16, > 0): Length of the identifier.
    • renew (boolean, = false): Whether to renew the identifier upon subsequent generations.

Key

Generates an alphanumeric key with 600 permissions.

  • Type: key
  • Arguments:
    • name (path): Path where to save the key.
    • length (number, = 32, > 0): Length of the key.
    • renew (boolean, = false): Whether to renew the key upon subsequent generations.

Pin

Generates a numeric pin with 600 permissions.

  • Type: pin
  • Arguments:
    • name (path): Path where to save the pin.
    • length (number, = 8, > 0): Length of the pin.
    • renew (boolean, = false): Whether to renew the pin upon subsequent generations.

Linux password

Generates an alphanumeric mkpasswd linux user password with 600 permissions for the plaintext part and 644 for the encrypted part. Uses yescrypt for the encryption algorithm.

  • Type: pin
  • Arguments:
    • private (path): Path where to save the plaintext password.
    • public (path): Path where to save the encrypted password.
    • length (number, = 8, > 0): Length of the password.
    • renew (boolean, = false): Whether to renew the password upon subsequent generations.

Age key

Generates an age key with 600 permissions for the private part and 644 permissions for the public part.

  • Type: age
  • Arguments:
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • renew (boolean, = false): Whether to renew the key upon subsequent generations.

SSH key

Generates an SSH key with 600 permissions for the private part and 644 permissions for the public part.

  • Type: ssh-keygen
  • Arguments:
    • name (string): Name (comment) of the SSH key.
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • renew (boolean, = false): Whether to renew the key upon subsequent generations.

OpenSSL CA

Generates a self-signed OpenSSL CA with 600 permissions for the private part and 644 permissions for the public part. Uses the ECDSA P-256 (prime256v1) algorithm as that is the recommended algorithm by the mozilla wiki.

  • Type: openssl-ca
  • Arguments:
    • config (path): Path to the CA config.
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • days (number, > 0): For how many days will the CA be valid.
    • renew (boolean, = false): Whether to renew the CA upon subsequent generations.

OpenSSL Diffie-Hellman parameters

Generates a OpenSSL Diffie-Hellman parameters file with 600 permissions and 2048 bits.

  • Type: openssl-dhparam
  • Arguments:
    • name (path): Path to the file to be generated.
    • renew (boolean, = false): Whether to renew the parameters file upon subsequent generations.

OpenSSL certificate

Generates an OpenSSL certificate with 600 permissions for the private part and 644 permissions for the public part. Uses the ECDSA P-256 (prime256v1) algorithm as that is the recommended algorithm by the mozilla wiki.

  • Type: openssl
  • Arguments:
    • ca_private (path): Path to the OpenSSL CA private part.
    • ca_public (path): Path to the OpenSSL CA public part.
    • serial (path): Where to save the serial number.
    • config (path): Path to the certificate config. rumor passes the -extensions flag to OpenSSL to ext. Please set ext section to X.509 v3 extensions for the certificate.
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • days (number, > 0): For how many days will the certificate be valid.
    • renew (boolean, = false): Whether to renew the certificate upon subsequent generations.

Nebula CA

Generates a self-signed Nebula CA with 600 permissions for the private part and 644 permissions for the public part.

  • Type: nebula-ca
  • Arguments:
    • name (string): Name (subject) of the CA.
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • days (number, > 0): For how many days will the CA be valid.
    • renew (boolean, = false): Whether to renew the CA upon subsequent generations.

Nebula certificate

Generates an Nebula certificate with 600 permissions for the private part and 644 permissions for the public part.

  • Type: nebula
  • Arguments:
    • ca_private (path): Path to the Nebula CA private part.
    • ca_public (path): Path to the Nebula CA public part.
    • name (string): Name (subject) of the certificate.
    • ip (string): Certificate IP in CIDR form (ie. 10.8.0.1/24).
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • renew (boolean, = false): Whether to renew the certificate upon subsequent generations.

Cockroachdb CA

Generates a self-signed Cockroachdb CA with 600 permissions for the private part and 644 permissions for the public part.

  • Type: cockroach-ca
  • Arguments:
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • renew (boolean, = false): Whether to renew the CA upon subsequent generations.

Cockroachdb node certificate

Generates an Cockroachdb node certificate with 600 permissions for the private part and 644 permissions for the public part.

  • Type: cockroach
  • Arguments:
    • ca_private (path): Path to the Cockroachdb CA private part.
    • ca_public (path): Path to the Cockroachdb CA public part.
    • hosts (array of string): Cockroach node IP/DNS names.
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • renew (boolean, = false): Whether to renew the certificate upon subsequent generations.

Cockroachdb client certificate

Generates an Cockroachdb client certificate with 600 permissions for the private part and 644 permissions for the public part.

  • Type: cockroach-client
  • Arguments:
    • ca_private (path): Path to the Cockroachdb CA private part.
    • ca_public (path): Path to the Cockroachdb CA public part.
    • private (path): Path where to save the private part.
    • public (path): Path where to save the public part.
    • user (string): CockroachDB user name.
    • renew (boolean, = false): Whether to renew the certificate upon subsequent generations.

Env

Generates an environment file with 600 permissions.

  • Type: env
  • Arguments:
    • name (path): Where to save the environment file.
    • variables (object): Variables to load in the environment file. Each variable value is the name of the file which will be opened, escaped, quoted and put into the environment variable. If the file is not present, the literal value of the variable will be escaped and quoted before being put into the environment variable.
    • renew (boolean, = false): Whether to renew the environment file upon subsequent generations.

Moustache

Generates a file based on a Moustache template with 600 permissions.

  • Type: moustache
  • Arguments:
    • name (path): Where to save the generated file.
    • variables (object): Variables to load for inlining in the generated file. Each variable value is the name of the file which will be opened to be available in the moustache template. If the file is not present, the literal value of the variable will made available in the moustache template.
    • template (string): The Moustache template.
    • renew (boolean, = false): Whether to renew the generated file upon subsequent generations.

SOPS

Generate a YAML SOPS secrets file with 600 permissions and encrypt it via an age key to a file with 644 permissions.

  • Type: sops
  • Arguments:
    • age (path): Path to the age key to use for encryption.
    • private (path): Path where the plaintext secrets will be stored.
    • public (path): Path where the encrypted secrets will be stored.
    • secrets (object): Secrets to store. The secret values are paths to files which will be opened and put in the secrets. If the file is not present, the literal value of the secret will be escaped and quoted before being put into the secrets.
    • renew (boolean, = false): Whether to renew the SOPS file upon subsequent generations.

Exporters

The following are all available exporters in Rumor. The type corresponds to the exporter field in the specification.

Copy

Uses cp -f to copy a file.

  • Type: copy
  • Arguments:
    • from (path): From where to copy the file.
    • to (path): Where to put the file.

Vault

Uses medusa to export multiple files to Vault.

  • Type: vault
  • Arguments:
    • path (string): Vault path where to export files to. The path will get suffixed with a current key and a numeric key containing the current timestamp to allow Rumor to save multiple versions of the same secrets.

Vault file

Uses Vault CLI to export a single file to Vault.

  • Type: vault
  • Arguments:
    • path (string): Vault path where to export files to. The path will get suffixed with a current key and a numeric key containing the current timestamp to allow Rumor to save multiple versions of the same secrets. If the path is already present it patches the current file and makes a new timestamped version of the whole path. If the file is not present, it makes a new secret at path with current and timestamped suffixes for versioning.
    • file (string): Key of the file to export.