Create
ssh-vault create -h
INFO
Aliases: c

Usage: ssh-vault create [OPTIONS] [vault]

Arguments:
  [vault]  file to store the vault, or writes to stdout if not specified

Options:
  -f, --fingerprint <fingerprint>  Create a vault using the key matching the specified fingerprint
  -k, --key <key>                  Path to public ssh key or index when using option -u
  -u, --user <user>                GitHub username or URL, optional [-k N] where N is the key index
  -j, --json                       When using option -u and user 'new', output the vault in JSON format
  -i, --input <FILE>               Create a vault from an existing file
  -h, --help                       Print help
Examples
To send or share a "secret" without knowing the receiver's keys, you can use the option -u new:
echo "secret" | ssh-vault create -u new
This will output something like this:
echo "SSH-VAULT;CHACHA20-POLY1305;SHA256:Mdhi8BnbjmYmvGRW/zSie6ckw/YLY
IBB3s4uwsYCT+M;787bEVxg/pE2pTTrEwOFlp+UQ2/k7YQL3zy5OvnrlDw=;u0ja
K+SNaR0sSYStsVjYWZ2oMzkEBg1xJzg6tcRYcOQFS7qXgOUPhNvUbCOXoV1TCjVn
7D3a8KdT6/Yh;chhQzGnWHntQW695xeZIhbRpp0A1+BG2WU0EHLLuOadh+0I=" |
ssh-vault view -k https://ssh-keys.online/key/4MaUemFjSPnrsdD
The goal is to streamline sharing by reducing it to a copy-and-send operation. For instance, you can pipe the output to pbcopy (the macOS clipboard) for this purpose:
echo "secret" | ssh-vault create -u new | pbcopy
WARNING
Be aware that using any third-party service to generate the public/private key pair breaks the privacy and security model, since the private key is generated and served by that third party; if possible, such services should be avoided.
json
The output can be formatted using JSON, for example:
echo "secret" | ssh-vault create -u new -j
Output
{"vault":"SSH-VAULT;CHACHA20-POLY1305;SHA256:h/ld3IAsgdSiQXTawcEtQ9qGQAO82\nNaLA68FPZJKkNk;6Ji3stIkGFfrpmcSoa+Ua1dx3A9LEKPZa1N74UzxlRk=;7DqT\nYsPVqsGGTLwxsbj2YJguErl0gFxoIpmycT+/FBzmP/3sP0iygB74TkJhXA5eBNds\naNP+GgZcGBRL;b09P/DNqS3lPQoB6aXiRh5y7PkFWMsXfsj+keapbEOsyBwc=","private_key":"https://ssh-keys.online/key/A9nafD5DU7USveiAxfbSJzx4Fotn6rUsVFgC6dkVKanL"}
GitHub
ssh-vault was developed to address the need to share secrets with team members securely, in a seamless and efficient manner. If your teammate (Alice in this example - https://github.com/alice.keys) already has an SSH key pair on GitHub, you can share a secret with her as follows:
echo "secret" | ssh-vault create -u alice
This will output:
SSH-VAULT;CHACHA20-POLY1305;SHA256:uXBBja4Vms3Z3uMUpuFke/nPM42I3
r6wlI7C/5pxyGQ;6cmpiA/rDr8aky92xWmA5C72E9HDVjaVul9R1vrHmy0=;z6Mf
rD+3cokFRcS4P0N8w6Kt9ULWyRaGWKuNSYhAzNhUiIp8nlSrPR6eDB5ockPyQe8Y
R91eCws7NrFi;irYAOjxM/QikkE5ugsrcQZfuQLK+jN5sBXFWzgDikoD+5gM=
TIP
You can also use GitLab; just pass the full URL to the option -u:
echo "secret" | ssh-vault create -u https://gitlab.com/alice
After you share the vault (the output of the create command), Alice can open it using her private key, for example:
ssh-vault view /path/to/vault
-u https
If the keys are not on GitHub, you can still pass any valid URL, for example one on GitLab:
echo "secret" | ssh-vault create -u https://gitlab.com/alice
key
By default, when creating a vault the first public key found is used. To pick another key, use the option -k N, where N is the key index; for example, to send a secret to Alice using her second key listed in https://github.com/alice.keys:
echo "secret" | ssh-vault create -u alice -k 2
fingerprint
If you don't know the key index but know the fingerprint, you can use it with the option -f:
echo "secret" | ssh-vault create -u alice -f SHA256:hJIUuRZ7IM1PklRyR2zFVrSE8IVvD6d5kfpAQTyapYg
In this case the fingerprint matches her second key.
INFO
To list all the fingerprints of a specific user, use:
ssh-vault fingerprint -u alice
Output
ID: 1 Type: ssh-ed25519 Comment:
SHA256:uXBBja4Vms3Z3uMUpuFke/nPM42I3r6wlI7C/5pxyGQ
ID: 2 Type: ssh-ed25519 Comment:
SHA256:hJIUuRZ7IM1PklRyR2zFVrSE8IVvD6d5kfpAQTyapYg
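Before sending a vault it is worth confirming that it was actually encrypted to the key you intended. The following POSIX shell functions are an added example (not part of ssh-vault or its documentation): they recover the recipient fingerprint from a vault's header and look it up in the output of ssh-vault fingerprint -u. The only assumption is the header layout displayed on this page, SSH-VAULT;<cipher>;<fingerprint>;..., with the vault possibly line-wrapped as it appears above; the sample vault (from the Alice example) and the fingerprint listing are copied from this page, and the function names are my own.

```shell
#!/bin/sh
# Added example (not ssh-vault's own code): recover the recipient
# fingerprint from a vault header and check it against a user's keys.
# Assumed header layout, as displayed on this page:
#   SSH-VAULT;<cipher>;<fingerprint>;<field>;<field>;<field>

# Join a (possibly line-wrapped) vault into one line and print the
# fingerprint field; prints nothing if the text is not an SSH-VAULT header.
vault_fingerprint() {
  printf '%s' "$1" | tr -d '\n' \
    | awk -F';' '$1 == "SSH-VAULT" && NF >= 3 { print $3; exit }'
}

# Same, but print the cipher field (e.g. CHACHA20-POLY1305).
vault_cipher() {
  printf '%s' "$1" | tr -d '\n' \
    | awk -F';' '$1 == "SSH-VAULT" && NF >= 3 { print $2; exit }'
}

# Given the output of "ssh-vault fingerprint -u <user>" and a fingerprint,
# print the matching key ID; return 1 if no listed key matches.
key_id_for_fingerprint() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^ID: / { id = $2 }          # remember the ID of the current key
    $1 == want { print id; found = 1; exit }
    END { if (found) exit 0; exit 1 }'
}

# Report which listed key a vault is encrypted to, or fail.
check_recipient() {
  fp=$(vault_fingerprint "$1")
  [ -n "$fp" ] || { echo "not an SSH-VAULT header" >&2; return 1; }
  id=$(key_id_for_fingerprint "$2" "$fp") \
    || { echo "no published key matches $fp" >&2; return 1; }
  echo "vault is encrypted to key ID $id ($fp)"
}

# Constructed sample input: the vault shown on this page, wrapped as displayed.
SAMPLE_VAULT='SSH-VAULT;CHACHA20-POLY1305;SHA256:uXBBja4Vms3Z3uMUpuFke/nPM42I3
r6wlI7C/5pxyGQ;6cmpiA/rDr8aky92xWmA5C72E9HDVjaVul9R1vrHmy0=;z6Mf
rD+3cokFRcS4P0N8w6Kt9ULWyRaGWKuNSYhAzNhUiIp8nlSrPR6eDB5ockPyQe8Y
R91eCws7NrFi;irYAOjxM/QikkE5ugsrcQZfuQLK+jN5sBXFWzgDikoD+5gM='

# Constructed sample input: what "ssh-vault fingerprint -u alice" prints on this page.
SAMPLE_FPS='ID: 1 Type: ssh-ed25519 Comment:
SHA256:uXBBja4Vms3Z3uMUpuFke/nPM42I3r6wlI7C/5pxyGQ
ID: 2 Type: ssh-ed25519 Comment:
SHA256:hJIUuRZ7IM1PklRyR2zFVrSE8IVvD6d5kfpAQTyapYg'

# Usage: check_recipient "$(cat alice.vault)" "$(ssh-vault fingerprint -u alice)"
check_recipient "$SAMPLE_VAULT" "$SAMPLE_FPS"
```

On the sample data this reports key ID 1, which is the first key listed for Alice, consistent with the default of using the first public key found; a vault created with -k 2 or with the second fingerprint would report ID 2.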
Editor (vi)
When creating a vault, if no input file or STDIN is provided, ssh-vault opens the editor defined in the environment variable EDITOR, defaulting to vi if it is not set.
For example, to use Visual Studio Code:
export EDITOR="code --wait"
-k /path/to/key
If you do not specify any user (option -u), ssh-vault will try to use first $HOME/.ssh/id_rsa.pub and next $HOME/.ssh/id_ed25519.pub to create the vault.
If you need to specify the path of a public key, use the option -k, for example:
ssh-vault create -k ~/.ssh/id_ed25519_devops.pub
INFO
Using the fingerprint command you get the fingerprint of that key:
ssh-vault fingerprint -k ~/.ssh/id_rsa_devops.pub
Output
id_rsa_devops.pub Type: ssh-rsa Comment: test
SHA256:12mLJQInCFoL9JOPJwPGb/FUEe459PY1yZEZqNGVZtA
MD5 55:cd:f2:7e:4c:0b:e5:a7:6e:6c:fc:6b:8e:58:9d:15
-k 1password
You can read the public key from 1Password using the op command:
ssh-vault create -k <(op read "op://Private/SSH - test/public key")
Create and view example:
echo "secret" | ssh-vault create -k <(op read "op://Private/SSH - test/public key") | ssh-vault view -k <(op read "op://Private/SSH - test/private key?ssh-format=openssh")
STDIN, --input
ssh-vault can read from standard input (stdin) when creating a vault.
Instead of creating a vault from scratch, a vault can be created from an existing file; for example, if Bob wants to send a file (txt, pdf, jpg) to Alice he could do something like:
ssh-vault create -u alice < /path/to/file | pbcopy
If you want to save the output to a file:
ssh-vault create -u alice < /path/to/file > alice.vault
Or write the content inline using the option --input -:
ssh-vault create -u alice --input -
Hello world!
<Ctrl+D>
Note the trailing - passed to --input, which tells ssh-vault to read the content from stdin.
TIP
Encrypt & decrypt:
date | ssh-vault create | ssh-vault view