ssh-vault randomly generates a password and uses it to encrypt the contents of the vault with the symmetric cipher AES-256; that password is then encrypted with the receiver's ssh-rsa public key.
This simplifies sharing sensitive data across developers and teams, or storing things in a public repository, using nothing but ssh keys.
The option -u username fetches the receiver's ssh-rsa public key from GitHub; a full URL to a keys listing can also be given, for example:
$ ssh-vault -u https://gitlab.com/<user>.keys
This makes creating a vault very straightforward, since the sender and receiver don't need to exchange keys beforehand in order to share sensitive data, so they can work asynchronously.
The current requirement for using the option -u is to have a github.com account with an SSH key; more info here:
An Alice and Bob example may be the best way to understand how ssh-vault works.
Creating a vault (encryption)
If Alice wants to send something to Bob, Alice will type in a terminal:
$ ssh-vault -u bob create vault.ssh
vault.ssh is the name of the file that will be created with the encrypted content; instead of vault.ssh you could use something like vault.txt, bob.txt, etc.
Alice knows that Bob has an account on github.com, so by using the option
-u bob, Alice gets Bob's ssh-rsa public key.
In case Alice wants to use a different key, she could do:
$ ssh-vault -k /path/to/bob/id_rsa.pub create vault.ssh
Edit/View a vault (decryption)
Bob can use his ssh-rsa private key to decrypt the vault by doing:
$ ssh-vault view vault.ssh
He will be prompted for the passphrase of his private key if it has one; if he wants to use another private key, he can do something like:
$ ssh-vault -k ~/.ssh/id_rsa_other view vault.ssh
If Bob would like to send something back to Alice, he would do:
$ ssh-vault -u alice create vault.ssh
But if Alice has more than 2 keys and Bob would like to create a vault using the second key, this can be done with:
$ ssh-vault -u alice -k 2 create vault.ssh
When using the option -u, the option -k N specifies which key to use, where N is the index of the key in the list of available keys.
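The Alice and Bob flow above is, underneath, a hybrid encryption scheme: a fresh random key encrypts the contents with AES-256, and only that key is encrypted with Bob's RSA public key. The following Go program is an added illustration of that scheme and of the create/view round trip; it is not ssh-vault's own code and does not reproduce its file format. It assumes AES-256-GCM for the contents and RSA-OAEP with SHA-256 for wrapping the key (ssh-vault's exact modes are not stated on this page), and it generates Bob's RSA key pair in memory instead of reading id_rsa / id_rsa.pub.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Vault is the sealed result: the random AES key wrapped for the receiver,
// plus the GCM nonce and ciphertext (which carries its authentication tag).
type Vault struct {
	WrappedKey []byte // 32-byte AES key encrypted with the receiver's RSA public key (OAEP, assumed mode)
	Nonce      []byte // 12-byte GCM nonce, unique per vault
	Ciphertext []byte // AES-256-GCM output over the vault contents
}

// GenerateReceiverKey stands in for Bob's ssh-rsa key pair (id_rsa / id_rsa.pub);
// in practice the public half would be fetched with -u bob or passed with -k.
func GenerateReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal corresponds to "ssh-vault -u bob create": a fresh random key encrypts
// the contents, and only that key is encrypted with Bob's public key.
func Seal(receiver *rsa.PublicKey, contents []byte) (*Vault, error) {
	key := make([]byte, 32) // AES-256 requires a 32-byte key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, contents, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return nil, err
	}
	return &Vault{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open corresponds to "ssh-vault view": the private key unwraps the AES key,
// and GCM rejects the vault if the ciphertext was modified or the key is wrong.
func Open(receiver *rsa.PrivateKey, v *Vault) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, v.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping vault key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	contents, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("vault failed authentication: %w", err)
	}
	return contents, nil
}

func main() {
	bob, err := GenerateReceiverKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample contents; Alice only needs bob.PublicKey to seal.
	vault, err := Seal(&bob.PublicKey, []byte("db_password=example-only"))
	if err != nil {
		panic(err)
	}
	contents, err := Open(bob, vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Bob reads: %s\n", contents)

	// A holder of some other private key cannot unwrap the AES key.
	other, _ := GenerateReceiverKey()
	if _, err := Open(other, vault); err != nil {
		fmt.Println("other key rejected:", err)
	}
}
```

Two properties worth noticing: the contents key is never reused across vaults, so a sender can encrypt for many receivers by wrapping the same key once per public key, and the authenticated mode means a vault whose ciphertext was altered in transit is rejected outright rather than decrypting to garbage.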
In case a team needs to share a vault, the best way could be to share the ssh key pair (public/private) among the team members.