KeeShepherd
Keeps an eye on credentials (secrets, access keys, connection strings etc.) that are spread across numerous config files on your devbox(es). Gives you centralized access to them. Hides (masks) them whenever possible.
Now also comes with a UI for Azure Key Vault and GitHub Codespaces/Actions secrets.
TL;DR
- Quickly get secrets from various supported sources (see below).
- Remember where you left them.
- Mask/unmask and stash/unstash them.
- Create shortcuts to them, for quick access.
- Mount them as Environment Variables.
- Manage your Azure Key Vault and GitHub Codespaces/Actions secrets from within VsCode.
Features
Insert/add, stash/unstash, mask/unmask, resolve
To put a secret under KeeShepherd's control, you can either insert it into your text file via KeeShepherd:
or select an existing secret in the text editor and add it to KeeShepherd:
Insert operation lets you pick up a secret from Azure Key Vault or directly from an Azure resource (Azure Storage, Azure Service Bus, Azure Cosmos DB etc.).
Add operation will suggest to put the selected value into Azure Key Vault.
Once a secret is added or inserted, KeeShepherd will remember its exact position and proceed with keeping track of it.
Three types of secrets are supported:
Supervised. This is the lightweight form: KeeShepherd just remembers where you left this secret value and lets you navigate back to it at any moment. Your actual config files are left intact.
Managed aka stashable. These secrets you can stash/unstash:
When a secret is stashed, KeeShepherd replaces its value with an anchor like @KeeShepherd(<secret-name>). Unstashing does the opposite (the secret value is taken from wherever it is actually stored, e.g. from Azure Key Vault).
Stashing/unstashing does modify your files, since this is the whole point of it.
KeeShepherd can automatically stash all secrets in a workspace when it is closed and automatically unstash them when a workspace is opened. The default mode is to automatically stash, but not to automatically unstash. You can configure this via Settings (see below).
When unstashing, KeeShepherd installs a Git hook that prevents your secret values from being accidentally committed. When stashing back, these hooks are removed. This allows you to commit your config files with stashed secrets in them without fear of accidentally committing their unstashed values.
Secret Shortcuts. These can be organized into folders, mounted into terminal windows and/or installed as global environment variables. See more details on this below.
It's perfectly fine to mix supervised and managed secrets in the same config file. A good strategy is to mark real secrets (access keys, connection strings etc.) as managed (to keep them safe) and leave less important values like user names, application ids etc. as supervised (to make them easy to find later).
KeeShepherd always tries its best to mask (hide) your secret values whenever possible, so that they never get accidentally exposed during a demo or a video call.
You can always mask/unmask them yourself:
A good idea would be to set some keyboard shortcuts of your choice to these mask/unmask commands.
On a fresh new devbox you can also quickly restore all your secrets with the Resolve Managed Secrets command:
It will collect all @KeeShepherd(secret-name) anchors in a file and try to match those secrets by name. If a secret with that name exists in the metadata storage, a copy of it will be created for the current file. Then you can do a normal unstash to get the actual secret values.
User interface and clients to various secret sources
KeeShepherd comes with its own view container, where its various views are organized by default:
Those views are:
- MANAGED/SUPERVISED SECRETS shows all your supervised and managed secrets and the files containing them. Provides an overview of all your local secret usages and allows you to quickly navigate back to them.
- AZURE KEY VAULT SECRETS/CERTIFICATES is a client for Azure Key Vault. Shows all Key Vault instances accessible to you, allows you to quickly get secret/certificate values and versions, and to create/remove (soft-delete) secrets. Certificates appear along with secrets; copying a certificate value gives you a BASE64-encoded string of it.
- GITHUB SECRETS is a client for GitHub Codespaces and Actions secrets. Shows existing secrets and allows you to create/update/remove them. Codespaces secret values are only accessible on their respective Codespaces instances; Actions secret values are not accessible (you can only create/update them, but not read them).
- VSCODE SECRET STORAGE is a user interface for secrets stored in VsCode Secret Storage (which in turn is an API to local OS-specific secret vaults). Provides a secure way to store secret values locally on a devbox and allows you to create/read/update/remove them.
- SECRET SHORTCUTS allows you to create/manage links (shortcuts) to your most frequently used secrets. See more details on this below.
Use Secret Shortcuts
Secret Shortcuts give you quick access to your most frequently used secrets. They can be organized in folders, with one default folder pre-existing:
Secret shortcuts can be mounted as global environment variables:
On Windows this option adds the secret and its value into the HKEY_CURRENT_USER\Environment registry key. On other platforms a command for setting that variable value is added into the $HOME/.bashrc script.
For a given Secret Shortcut Folder you can open a custom terminal window, with all those secret values mounted as environment variables:
At first run KeeShepherd will ask you where to store the secrets' metadata:
Two options are currently supported:
- Locally, as JSON files in VsCode's global storage folder (C:\Users\user-name\AppData\Roaming\Code\User\globalStorage\kee-shepherd.kee-shepherd-vscode on Windows).
- In a shared Azure Table. Works slower and requires internet connectivity, but lets you oversee your (and your teammates') secrets on other machines. Especially useful with GitHub Codespaces (yes, KeeShepherd works in GitHub Codespaces as well).
You can always change the storage type later on with the Switch to Another Metadata Storage command:
IMPORTANT: KeeShepherd does not store your actual secret values, only links to them and cryptographically strong salted SHA256 hashes of them (plus secret lengths and positions in files). Yet even this information might be somewhat useful to a potential attacker, so please make sure that secret metadata never gets leaked.
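As an added illustration (not the extension's own code or on-disk format), the following Python sketch implements the stash/unstash anchor scheme described under Features together with the metadata model described just above: the store holds only a salt, a salted SHA256 hash, the length and the position, so unstashing verifies the vault value against the hash, and re-finding a moved secret means hashing every window of that length. The salt-prepending construction, all names and the sample config are assumptions.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass

ANCHOR = re.compile(r"@KeeShepherd\(([^)]+)\)")

@dataclass
class SecretMeta:
    """What the metadata store keeps: no value, only a salted hash plus length/position."""
    name: str
    salt: str
    sha256: str
    length: int
    position: int

def salted_sha256(salt: str, value: str) -> str:
    # Assumption: the salt is simply prepended before hashing (the real scheme is not on the page).
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()

def stash(text: str, name: str, start: int, end: int):
    """Replace the selected value text[start:end] with an anchor and record its metadata."""
    value = text[start:end]
    salt = secrets.token_hex(16)
    meta = SecretMeta(name, salt, salted_sha256(salt, value), len(value), start)
    return text[:start] + f"@KeeShepherd({name})" + text[end:], meta

def unstash(text: str, metas: dict, vault: dict) -> str:
    """Resolve every anchor from the vault, refusing values whose salted hash does not match."""
    def resolve(match: re.Match) -> str:
        name = match.group(1)
        value, meta = vault[name], metas[name]
        if salted_sha256(meta.salt, value) != meta.sha256:
            raise ValueError(f"vault value for {name} does not match stored hash")
        return value
    return ANCHOR.sub(resolve, text)

def locate(text: str, meta: SecretMeta) -> int:
    """Find an unstashed secret by hashing every window of meta.length characters (one hash per position)."""
    for pos in range(len(text) - meta.length + 1):
        if salted_sha256(meta.salt, text[pos:pos + meta.length]) == meta.sha256:
            return pos
    return -1

# Constructed sample config; the key value is made up for this example.
CONFIG = "StorageAccount=demoacct\nAccountKey=Xk9constructedKeyValue==\n"
```

The per-position hashing in locate() is why long config files make re-locating secrets slow, as noted under Known Issues.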
Supported Secret Sources
Requirements
For most features to work you need to have the Azure Account extension installed and be signed in to Azure.
For GitHub secrets you need to have the GitHub extension installed and be signed in to GitHub. On a GitHub Codespaces instance this happens automatically.
Extension Settings
You can configure whether KeeShepherd should automatically stash/unstash secrets in a workspace, when you open/close it:
Automatic stashing/unstashing is the most secure option: your actual secret values will only be present in your config files while you're actually working with a project (aka while a VsCode instance is running).
Known Issues
- Only UTF8-encoded files are supported. If your config file was saved with a different encoding and you have some managed secrets in it, the file is likely to be broken during stashing/unstashing.
- Masking does not (yet) work instantly when you open a file. Secret values might be visible for a fraction of a second. Keep this in mind when making a recorded video session. A safer option is to keep them stashed and unstash on demand.
- In some cases KeeShepherd needs to tediously calculate SHA256 hashes at each position in a file. This can take time if a file is long enough (> 30K characters), so it is a good idea to keep your config files small.