
KeeShepherd

kee-shepherd

133 installs | Free
Keeps an eye on credentials that are spread across numerous config files on your devboxes. Also comes with a UI for Azure Key Vault secrets.


Keeps an eye on credentials (secrets, access keys, connection strings etc.) that are spread across numerous config files on your devbox(es). Gives you centralized access to them. Hides (masks) them whenever possible.

Now also comes with a simple UI for Azure Key Vault secrets.

Features

Insert/add, stash/unstash, mask/unmask, resolve

To put a secret under KeeShepherd's control, you can either insert it via KeeShepherd, select an existing secret in the text editor and add it to KeeShepherd, or register it as an environment variable.

The Insert operation lets you pick a secret from Azure Key Vault or directly from an Azure resource (Azure Storage, Azure Service Bus, Azure Cosmos DB etc.).

The Add operation will suggest putting the selected value into Azure Key Vault.

Once a secret is added or inserted, KeeShepherd will remember its exact position and proceed with keeping track of it.

Three types of secrets are supported:

  • Supervised. The lightweight form: KeeShepherd only remembers where you left the secret value and lets you navigate back to it at any moment. Your actual config files are left intact.

  • Managed aka stashable. These secrets you can stash/unstash.

    When a secret is stashed, KeeShepherd replaces its value with an anchor like @KeeShepherd(<secret-name>). Unstashing does the opposite (the secret value is taken from wherever it is actually stored, e.g. from Azure Key Vault).

    Stashing/unstashing does modify your files, since this is the whole point of it. KeeShepherd can automatically stash all secrets in a workspace when it is closed and automatically unstash them when a workspace is opened. The default mode is to automatically stash, but not automatically unstash. You can configure this via Settings (see below).

    When unstashing, KeeShepherd will install a Git Hook that prevents your secret values from being accidentally committed. When stashing back, these hooks will be removed. This allows you to commit your config files with stashed secrets in them and not be afraid of accidentally committing their unstashed values.

  • Environment Variables. These can be mounted into terminal windows and/or installed as global environment variables. See more details on this below.

It's perfectly fine to mix both supervised and managed secrets in the same config file. A good strategy could be to mark real secrets (access keys, connection strings etc.) as managed (to keep them safe) and leave less important values like user names, application ids etc. as supervised (to make it easy to find them later).

KeeShepherd always tries its best to mask (hide) your secret values whenever possible, so that they never get accidentally exposed during a demo or a video call. You can always mask/unmask them yourself.

A good idea would be to assign keyboard shortcuts of your choice to these mask/unmask commands.

On a fresh devbox you can also quickly restore all your secrets with the Resolve Managed Secrets command.

It will collect all @KeeShepherd(secret-name) anchors in a file and try to match those secrets by name. If a secret with that name exists in the metadata storage, then a copy of it will be created for the current file. Then you can do a normal unstash process to get the actual secret values.

Use secrets as environment variables

To add a secret as an environment variable, either use the KeeShepherd: Register Secret as an Environment Variable command or use the context menu on the 'Environment Variables' tree node.

Once you have a list of environment variables configured, you can then:

  • Open a Terminal (shell) window with those environment variables and their values mounted to it.

  • Mount them as global environment variables.

    On Windows this option adds the secret and its value to the HKEY_CURRENT_USER\Environment registry key.

    On other platforms a command for setting that variable value is added to the $HOME/.bashrc script.

Configure and use secret metadata storage

At first run KeeShepherd will ask you where to store secrets' metadata.

Two options are currently supported:

  • Locally, as JSON files in VS Code's global storage folder (C:\Users\user-name\AppData\Roaming\Code\User\globalStorage\kee-shepherd.kee-shepherd-vscode on Windows).
  • In a shared Azure Table. Works slower and requires internet connectivity, but lets you oversee your (and your teammates') secrets on other machines. Especially useful with GitHub Codespaces (yes, KeeShepherd works in GitHub Codespaces as well).

You can always change the storage type later on with the Switch to Another Metadata Storage command.

IMPORTANT: KeeShepherd does not store your actual secret values, only links to them and cryptographically strong salted SHA256 hashes of them (plus secret lengths and positions in files). Even so, this information might be somewhat useful to a potential attacker, so please make sure that secret metadata never gets leaked.

You can see, navigate to and manage all your secrets via the SECRETS view that appears on the EXPLORER tab.

View, create, remove and use Azure Key Vault secrets

Once signed in to Azure, a KEY VAULT (VIA KEESHEPHERD) view should appear on the AZURE tab, which shows all accessible secrets in all accessible Key Vaults in all visible subscriptions.

You can add and remove ("soft-delete") secrets, and for each secret you can get its value or insert it as Managed to the current text cursor position.

Requirements

For most features to work you need to have the Azure Account extension installed and be signed in to Azure.

Extension Settings

You can configure whether KeeShepherd should automatically stash/unstash secrets in a workspace when you open/close it.

Automatic stashing/unstashing is the most secure option: your actual secret values will only be present in your config files while you're actually working with a project (aka while a VS Code instance is running).

Known Issues

  • Only UTF8-encoded files are supported. If your config file was saved with a different encoding and you have some managed secrets in it, the file is likely to be broken during stashing/unstashing.
  • Masking does not (yet) work instantly when you open a file. Secret values might be visible for a fraction of a second. Keep this in mind when recording a video session. A safer option would be to keep them stashed and unstash on demand.
  • In some cases KeeShepherd needs to tediously calculate SHA256 hashes at each position in a file. This can take time if a file is long enough (> 30K symbols). So a good idea is to keep your config files small.
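
A sketch of the tracking scheme described in the IMPORTANT note and the last Known Issue above, added here as an example and not taken from KeeShepherd's source: the metadata holds only a name, position, length and salted SHA-256 hash, and a secret that has moved is found again by hashing every window of that length. How the salt is combined with the value, the field and function names, and the sample data are assumptions.

```javascript
// Added illustration, not KeeShepherd's code. Salt handling, field names and
// function names are assumptions made for this example.
const crypto = require("crypto");

// Salted SHA-256 of a candidate value, hex-encoded.
function saltedHash(value, salt) {
  return crypto.createHash("sha256").update(salt).update(value, "utf8").digest("hex");
}

// Metadata record: name, position, length and hash. The value is not kept.
function makeMetadata(name, value, position, salt) {
  return { name, position, length: value.length, hash: saltedHash(value, salt) };
}

// Find the secret again. The stored position is tried first; if the file was
// edited, every window of the recorded length is hashed, which costs one
// SHA-256 per position and is why long files are slow.
function locateSecret(text, meta, salt) {
  const matches = (pos) =>
    saltedHash(text.slice(pos, pos + meta.length), salt) === meta.hash;
  if (matches(meta.position)) return meta.position;
  for (let pos = 0; pos + meta.length <= text.length; pos++) {
    if (matches(pos)) return pos;
  }
  return -1;
}

// Stash: replace the located value with its anchor.
function stash(text, meta, salt) {
  const pos = locateSecret(text, meta, salt);
  if (pos < 0) return text; // value not present (already stashed or changed)
  return text.slice(0, pos) + `@KeeShepherd(${meta.name})` + text.slice(pos + meta.length);
}

// Unstash: put back a value fetched from the real store (e.g. Azure Key
// Vault); in this sketch the caller passes it in.
function unstash(text, name, value) {
  return text.split(`@KeeShepherd(${name})`).join(value);
}

// Constructed sample input.
const SALT = crypto.randomBytes(16);
const SECRET = "constructed-sample-key-0001";
const CONFIG = `{\n  "StorageKey": "${SECRET}"\n}\n`;
const META = makeMetadata("storage-key", SECRET, CONFIG.indexOf(SECRET), SALT);
```
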