Managing Secrets via Amber

data protection

Maintaining a secret in the open source world is quite tough. Amber provides a simple and authenticated solution for protecting data as ‘secrets’ while also enabling access to it, as and when needed. This article gives a demo of this, by using Git along with Amber.

Amber is a secret management solution based on public key cryptography. Systems that use Amber allow any member in a team to add or update secrets. Only the person who has the private or secret key has the ability to decrypt this secret, making it pretty useful in the following scenarios:

  • Usage in continuous integration (CI) systems like GitHub actions, GitLab, Bitbucket pipelines, etc.
  • Development teams that comprise multiple sub-teams where individual members might have to add secrets without getting hold of the central secret key.

There are various alternatives with different features in the open source world that solve the same problem. Some of these are: SOPs, credstash, sealed-secrets, Vault and cryptic.

What makes Amber different from them is the simplicity it offers. It neither has complex configuration, nor does it depend on any external dependencies like GPG. The entire program is available as a single binary code and uses sodiumoxide for the public key encryption.

When a program like Git is used with Amber, the entire history of when a secret was added, modified and used can be known.

The executables can be downloaded from the GitHub repository page: Amber is also currently available as an arch user repository (AUR) package in Arch Linux and NixOS. As time progresses, it should be available in other distributions too.

The ‘–help’ flag is pretty self-explanatory, as can be seen in the code below:

> amber --help
amber 0.1.1

Utility to store encrypted secrets in version trackable plain text files


-h, --help        Prints help information
--unmasked    Disable masking of secret values during exec
-v, --verbose     Turn on verbose output
-V, --version     Prints version information

    --amber-yaml <amber-yaml>    amber.yaml file location [env: AMBER_YAML=] [default:
    encrypt: Add or update a secret
    exec: Run a command with all of the secrets set as environment variables
    generate: Generate a new strong secret value, and add it to the repository
    help: Prints this message or the help of the given subcommand(s)
    init: Initialize a new directory
    print: Print all of the secrets
    remove: Remove a secret

Next, let’s create a Git repository to show a demo of how to use Amber:

> mkdir amber-demo
> cd amber-demo/
> git init

Initialized empty Git repository in /home/sibi/github/amber-demo/.git/

Let us now initialise ‘amber’ to get a secret key:

> amber init
Your secret key is: 4a3f13b65fff6d575cbd4acba30861b5b5e f992a24548f314936453cbad9dccc
Please save this key immediately! If you lose it, you will lose access to your secrets.
Recommendation: keep it in a password manager
If you’re using this for CI, please update your CI configuration with a secret environment variable
export AMBER_SECRET=4a3f13b65fff6d575cbd4acba30861b5b5ef992 a24548f314936453cbad9dccc

It is better to save this key in a password manager. If you are planning to integrate it in the CI systems like GitHub, the above variable has to be added using their Web interface. Since this demo is being shown in the command line interface (CLI), we will just export it in our current shell session:

> export AMBER_SECRET=4a3f13b65fff6d575cbd4acba30861b5b5ef992a24548f314936453cbad9dccc

The environment variable ‘AMBER_YAML’ can be used to specify the custom location ‘amber.yaml’ where the encrypted secret file will be stored. Its default value is ‘amber.yaml’.

Let us now create a secret value. The name of the secret variable will be ‘SECRET_VAR1’, and it will hold ‘hello’ as its secret value.

> amber encrypt SECRET_VAR1 hello

This is all that was needed. If the file ‘amber.yaml’ is looked at now, a change in the content can be noticed:

> cat amber.yaml
file_format_version: 1
public_key: 5a9f77901faa095dd500bbe1dc2ed25e20ba7c1310f835 fd6be2b6692877441d
  - name: SECRET_VAR1
    sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e 5c1fa7425e73043362938b9824
    cipher: dd5135acae1c180b416514726208e113a7dd0976ec75b4ca8bc5 69654af7d9367e5e3c36eec06ffeedd736413ae0c1fca02f8cb7ad

The secret value can also be printed using the following code:

> amber print
export SECRET_VAR1=”hello”

If you try to print the secret value without the ‘AMBER_SECRET’ environment variable, it will result in an error, as expected:

> amber print
Error: Error loading secret key from environment variable AMBER_SECRET

Caused by:
environment variable not found

This is because you need ‘AMBER_SECRET’ to decrypt the value.

There are various other sub-commands provided by Amber, which can be looked up and experimented with using the ‘–help’ command. The ‘exec’ is quite handy to propagate secrets as environment variables. (Make sure to export the ‘AMBER_SECRET’ environment variable before you run the command). Using the ‘exec’ sub-command, we can print the secret variable:

> amber exec printenv SECRET_VAR1

You can see that while printing the secret value, the code masks it automatically.
You can experiment with other sub-commands too, to explore Amber’s functionality. Amber can be really helpful when you need simple solutions for managing secrets.


Please enter your comment!
Please enter your name here