How it works

ssh-vault will randomly create a password and use it for encrypting the contents of the vault using a symmetric cipher AES256, the password later will be encrypted using the ssh-rsa public key of the receiver.


This simplify the share of sensitive data across developers, teams, or either to store things on a public repository by just using ssh keys.

The option -u username will fetch the receiver ssh-rsa public from github:<username>.keys

Using -u:

$ ssh-vault -u<user>.keys

This helps to create a vault very straight forward, since both the sender and receiver don’t need to exchange their keys before in order to share sensitive data, therefore this helps to work asynchronously

The current requirement for using the option -u <username> is to have an account with a SSH key, more info here:

An Alice and Bob example could be the best way to undestand how ssh-vault works.

Creating a vault (encryption)


If Alice wants to send something to Bob, Alice will type in a terminal:

$ ssh-vault -u bob create vault.ssh

vault.ssh is the name of the file that will be created with the encrypted content, instead of vault you could use something like vault.txt, bob.txt, etc.

Alice know that Bob has an account in therefore by using the option -u bob, Alice gets Bob’s ssh-rsa public key

In case Alice want’s to use a different key, could do:

$ ssh-vault -k /path/to/bob/ create vault.ssh

Edit/View a vault (decryption)

Bob can use his sha-rsa private key to decrypt the vault by doing:

$ ssh-vault view vault.ssh

He will be prompted for his ssh-key private password if required or if he wants to use another private key, he do something like:

$ ssh-vault -k ~/.ssh/id_rsa_other view vault.ssh

If Bob would like to send something back to Alice, he would do:

$ ssh-vault -u alice create vault.ssh

But if Alice has more than 2 keys and Bob would like to create a vault using the second key, this could be done:

$ ssh-vault -u alice -k 2 create vault.ssh

when using the option -u, the -k N option is used for specifying what key to use, in where N is the index of the list of available keys

Shared vault

In case a team needs to share a vault, the best way could be to share the pair of ssh keys (public/private) within the team members.

comments powered by Disqus