AxKeyStore

AxKeyStore is a command-line tool that securely manages secrets, keys, and passwords by using your private GitHub repository as encrypted, untrusted storage.

AxKeyStore: Secure Secret Management with GitHub Backing

What is AxKeyStore?

AxKeyStore is a robust, open-source Command-Line Interface (CLI) tool engineered for developers and security-conscious users who need a reliable way to store and manage sensitive credentials, keys, and passwords. Its core innovation lies in leveraging your existing private GitHub repository as the backend storage mechanism. This approach provides the benefits of cloud storage—accessibility, version control, and reliability—without sacrificing security, as GitHub is treated strictly as untrusted storage.

Crucially, AxKeyStore operates on a principle of absolute client-side encryption. Every piece of sensitive data, including the secrets themselves and the keys used to encrypt them, is processed entirely on your local machine before transmission. Consequently, no plain-text secrets, master keys, or passwords ever traverse the network or reside unencrypted on the remote server or local filesystem. This Zero Trust architecture ensures that only you, possessing the correct Master Password, can decrypt and access your vault data.

Key Features

  • Zero Trust Architecture: Built on the principle that all external systems, including GitHub, are untrusted. Encryption is mandatory and multi-layered.
  • Three-Layer Encryption Scheme:
    • Secrets Encryption: Secrets are encrypted using the Remote Master Key (RMK).
    • RMK Encryption: The RMK is encrypted using your Master Password (via client-side encryption).
    • Local Credential Encryption: Local configuration details (like the GitHub token and repo name) are secured using a Local Master Key (LMK), which is also protected by your Master Password.
  • Advanced Cryptography: Utilizes modern, secure algorithms including XChaCha20-Poly1305 for authenticated encryption and Argon2id for robust key derivation from your Master Password.
  • GitHub as Backend Storage: Leverages free, versioned, and reliable storage provided by any private GitHub repository you control.
  • Multi-Profile Support: Easily manage several distinct vaults, each with unique logins, Master Passwords, and associated GitHub repositories.
  • Hierarchical Organization: Secrets can be organized logically using category paths (e.g., api/production/internal), enhancing discoverability and management.
  • Unified Authentication: Securely authenticates access using GitHub Apps and the Device Flow mechanism.
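
The secrets and RMK layers of the scheme listed above, as an added example that is not AxKeyStore's own code; the LMK layer is left out. Node's core crypto module has neither Argon2id nor XChaCha20-Poly1305, so scrypt and IETF ChaCha20-Poly1305 stand in for them. The function names, the blob layout and the use of the category path as associated data are assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-ins (assumptions): scrypt replaces Argon2id and IETF ChaCha20-Poly1305 replaces
// XChaCha20-Poly1305, since Node's core crypto module ships neither. XChaCha's 24-byte
// nonce is what makes random nonces safe at scale; the 12-byte one here is demo-only.
const deriveKey = (password, salt) =>
  nodeCrypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });

// AEAD seal. Output layout: nonce(12) || tag(16) || ciphertext. `label` is authenticated
// as associated data, binding the blob to its role or category path.
function seal(key, plaintext, label) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  c.setAAD(Buffer.from(label));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws if the key is wrong, the label differs, or any byte of the blob was modified.
function open(key, blob, label) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, blob.subarray(0, 12),
    { authTagLength: 16 });
  d.setAAD(Buffer.from(label));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// RMK layer: a random RMK is wrapped under a key derived from the Master Password.
// In this example only salt, wrappedRmk and sealed secrets would go to the repository.
function createVault(masterPassword) {
  const salt = nodeCrypto.randomBytes(16);
  const rmk = nodeCrypto.randomBytes(32);
  return { salt, wrappedRmk: seal(deriveKey(masterPassword, salt), rmk, 'rmk'), secrets: {} };
}

const unlock = (vault, masterPassword) =>
  open(deriveKey(masterPassword, vault.salt), vault.wrappedRmk, 'rmk');

// Secrets layer: each value is sealed under the RMK with its category path as the label,
// so a blob the storage host moves to a different path fails to open.
function putSecret(vault, rmk, path, value) {
  vault.secrets[path] = seal(rmk, Buffer.from(value, 'utf8'), path);
}

const getSecret = (vault, rmk, path) => open(rmk, vault.secrets[path], path).toString('utf8');
```

A wrong Master Password, a relocated blob and a modified blob all fail at the authentication tag check rather than returning garbage, which is the behaviour to expect from any vault that treats its storage as untrusted.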

How to Use AxKeyStore

Getting started with AxKeyStore involves a straightforward installation followed by an initial login and setup process. The tool is designed for ease of use once configured.

1. Installation: Install the CLI tool using the provided platform-specific scripts:

  • macOS/Linux: curl -sSL https://raw.githubusercontent.com/basilgregory/axkeystore/main/install.sh | bash
  • Windows (PowerShell): powershell -c "irm https://raw.githubusercontent.com/basilgregory/axkeystore/main/install.ps1 | iex"

These scripts automatically place the binary in your PATH for immediate access.

2. Initial Login and Setup: Execute the login command to initiate the setup sequence:

  axkeystore login

During this first run, you will be prompted to create and confirm your Master Password. This password is the ultimate key to decrypting your vault and securing your local configuration. Following the password setup, the CLI will guide you through installing the necessary GitHub Application on your account or organization, granting AxKeyStore the required permissions to read/write to your designated private repository.

3. Managing Secrets: Once logged in and configured, you can use simple commands to store and retrieve credentials. For example, storing a new secret might involve specifying the category and key name, while retrieval uses the corresponding command, ensuring the data is decrypted only locally after fetching the encrypted blob from GitHub.

Use Cases

  1. Securing CI/CD Pipeline Secrets: Developers can store sensitive API keys, deployment tokens, and environment variables required for automated builds and deployments in their private AxKeyStore vault, ensuring these secrets are never hardcoded or exposed in configuration files checked into source control.
  2. Managing Personal Developer Credentials: Individual developers can centralize all their SSH keys, cloud provider access keys (AWS, Azure, GCP), and database passwords. By using their GitHub repo, they gain version history on credential rotation events.
  3. Cross-Platform Development Environments: Since the storage is cloud-based (GitHub) and the tool is CLI-driven, users can seamlessly switch between their local machine, a development server, or a temporary workstation, securely accessing their required secrets after performing the initial login/setup.
  4. Small Team Credential Sharing (Controlled): While primarily designed for individual security, teams can use a shared, dedicated private repository for basic, non-production credential sharing, relying on shared knowledge of the Master Password (though individual management is recommended for maximum security).

FAQ

Q: What happens if I forget my Master Password?
A: Since AxKeyStore uses a robust, client-side, multi-layer encryption scheme secured by your Master Password, forgetting it means the data is permanently inaccessible. There is no recovery mechanism, adhering strictly to the Zero Trust security model.

Q: Is my data truly safe if GitHub is the storage location?
A: Yes. GitHub only stores encrypted binary blobs. Even if GitHub were compromised, the attackers would only retrieve encrypted data, as the decryption keys (RMK and LMK) are protected by your Master Password and never leave your local machine unencrypted.

Q: Can I use a public repository for storage?
A: No. AxKeyStore explicitly requires a private GitHub repository. Using a public repository would expose all your encrypted secrets to the world, defeating the purpose of the security architecture.

Q: How does AxKeyStore handle authentication and authorization?
A: It uses a dedicated GitHub Application which you must install. This application facilitates secure authentication via the Device Flow and grants the CLI necessary permissions (read/write) only to the specific repository designated as your vault.

Q: Does this tool cost money?
A: AxKeyStore is an open-source project released under the MIT License. The tool itself is free to use. However, utilizing GitHub for storage requires you to have a GitHub account, which offers free private repositories.