!!! ACHTUNG !!!
GPT-wibecoded concept
Hands off production! (…for now)

cage is a lightweight, transparent secret manager that encrypts files using your existing SSH Ed25519 keys and the modern age encryption scheme.

💡 Philosophy: simple, auditable, and secure by default; just secrets under your SSH control.
- 🔐 Strong crypto: X25519 + ChaCha20-Poly1305 via age
- 🪶 Uses your SSH keys: no new key infrastructure or GPG mess
- 🧩 Declarative config: `.cage.yaml` defines environments and recipients
- ⚡ One blob per file: no ciphertext duplication across recipients
- 🧱 Git-friendly: deterministic YAML output, safe to commit
- 🧰 Simple CLI
  - `cage encrypt`: encrypt listed files
  - `cage decrypt`: decrypt all `.cage` files for your SSH key
  - `cage dump <env>`: stream decrypted environment files to stdout
- 🧑‍💻 CI/CD ready: ideal for self-hosted, GitOps, and minimal workflows
Basic usage:

```bash
# Encrypt secrets for all environments
cage encrypt

# Decrypt locally with your SSH key
cage decrypt

# Export merged plaintext for CI
cage dump dev-local > .env
```

Example `.cage.yaml`, mapping named recipients (SSH public keys) to environments:

```yaml
recipients:
  john:
    - ssh-ed25519 AAAAC3Nza... easy@peasy
    - ssh-ed25519 AAAAC3Nza... bob@alice
  june:
    - ssh-ed25519 AAAAC3Nza... hello@kitty

envs:
  prod:
    files:
      - s3.prod.env
      - telegram-bot.env
    recipients:
      - john
  dev-local:
    files:
      - s3.mino.env
    recipients:
      - john
      - june
```

Resulting `.cage` file layout: one age ciphertext per file, plus the recipient keys it was encrypted to:

```yaml
cipher:
  payload: <base64 of age ciphertext>
  recipients:
    - ssh-ed25519 AAAAC3Nza... hello@kitty
    - ssh-ed25519 AAAAC3Nza... bob@alice
    - ssh-ed25519 AAAAC3Nza... easy@peasy
```
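As an added example (not cage's own code; the project's implementation is not shown here), the following stdlib-only Python script shows the checks a practitioner would want around the `.cage.yaml` and `.cage` layouts above: it validates each `ssh-ed25519` recipient line by parsing the SSH wire format, resolves an environment to a de-duplicated, sorted recipient set (the deterministic, Git-friendly ordering the README promises), and compares that set against the recipient list stored in a `.cage` file to flag stale keys that can still decrypt the blob after being removed from the config. The key lines, config dict and `.cage` document are constructed inline with fake keys; the dict shapes and the `cipher`/`payload`/`recipients` names follow the README's examples, and YAML parsing is assumed to happen elsewhere.

```python
"""Added example, not part of cage: validate .cage.yaml recipients, resolve an
environment's recipient set, and detect recipient drift in a .cage file.

Assumption (not stated by the project): the config has already been loaded
into a dict shaped like the README's .cage.yaml, and a .cage file into a dict
with a top-level "cipher" mapping holding "payload" and "recipients".
"""
import base64
import struct


def parse_ssh_ed25519(line: str) -> bytes:
    """Return the 32-byte public key from an authorized_keys-style line.

    Raises ValueError on anything that is not a well-formed ssh-ed25519 key,
    so a typo in .cage.yaml is caught before it becomes an age recipient.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError(f"not an ssh-ed25519 key line: {line!r}")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"invalid base64 in key: {line!r}") from exc
    # SSH wire format: string(type) || string(key); string = uint32 len + bytes
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 2 or fields[0] != b"ssh-ed25519" or len(fields[1]) != 32:
        raise ValueError(f"malformed ssh-ed25519 blob: {line!r}")
    return fields[1]


def is_valid_key(line: str) -> bool:
    """Boolean wrapper around parse_ssh_ed25519 for config linting."""
    try:
        parse_ssh_ed25519(line)
        return True
    except ValueError:
        return False


def resolve_recipients(config: dict, env: str) -> list[str]:
    """Expand env -> names -> key lines, validating each key and de-duplicating.

    The result is sorted so the recipient list written into a .cage file is
    deterministic regardless of the order names appear in the config.
    """
    keys = set()
    for name in config["envs"][env]["recipients"]:
        if name not in config["recipients"]:
            raise KeyError(f"env {env!r} references unknown recipient {name!r}")
        for line in config["recipients"][name]:
            parse_ssh_ed25519(line)  # fail fast on malformed keys
            keys.add(line)
    return sorted(keys)


def recipient_drift(config: dict, env: str, cage_doc: dict) -> dict:
    """Compare a .cage file's recipient list with the config's current set.

    'stale' keys can still decrypt the blob although they were removed from
    the config: the file must be re-encrypted (and the secret rotated).
    'missing' keys were added to the config but cannot yet decrypt the file.
    """
    expected = set(resolve_recipients(config, env))
    actual = set(cage_doc["cipher"]["recipients"])
    return {"stale": sorted(actual - expected), "missing": sorted(expected - actual)}


def make_key_line(seed: int, comment: str) -> str:
    """Construct a syntactically valid ssh-ed25519 line with a fake key (example only)."""
    pub = bytes([seed]) * 32  # constructed, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample config mirroring the README's .cage.yaml layout.
KEY_JOHN1 = make_key_line(1, "easy@peasy")
KEY_JOHN2 = make_key_line(2, "bob@alice")
KEY_JUNE = make_key_line(3, "hello@kitty")
KEY_OLD = make_key_line(9, "left@company")  # no longer in the config

CONFIG = {
    "recipients": {"john": [KEY_JOHN1, KEY_JOHN2], "june": [KEY_JUNE]},
    "envs": {
        "prod": {"files": ["s3.prod.env", "telegram-bot.env"], "recipients": ["john"]},
        "dev-local": {"files": ["s3.mino.env"], "recipients": ["john", "june"]},
    },
}

# Constructed .cage document for s3.mino.env, encrypted before june was added
# to dev-local and before KEY_OLD was removed from the config.
OLD_CAGE_DOC = {
    "cipher": {
        "payload": "<base64 of age ciphertext>",
        "recipients": [KEY_JOHN2, KEY_OLD, KEY_JOHN1],
    },
}

if __name__ == "__main__":
    print(resolve_recipients(CONFIG, "dev-local"))
    print(recipient_drift(CONFIG, "dev-local", OLD_CAGE_DOC))
```

Run it to print the `dev-local` recipient set and the drift report for the sample `.cage` document. In a pre-commit hook or CI job, a non-empty `stale` list should fail the build and trigger `cage encrypt` again, because an age ciphertext cannot have a recipient revoked after the fact: the old key keeps decrypting the existing blob until the file is re-encrypted without it (and the secret itself rotated if that key is no longer trusted).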