Show HN: Confcrypt – Encrypt Secrets in YAML/JSON Configs with FIDO2/Age/SSH

github.com

1 point by maurice2k a month ago · 0 comments


I built confcrypt to encrypt sensitive values in config files – hostnames, usernames, URLs stay readable.

Makes reviewing configs and debugging much easier than tools that encrypt everything.

Think sops, but simpler.

Multiple key types as recipients:

- Native age keys (X25519)

- SSH keys (ed25519, RSA) – use your existing keys

- FIDO2 devices (YubiKey 5, SoloKey, etc.) via hmac-secret

- YubiKey OTP via HMAC challenge-response

Hardware keys derive the private key on-demand with a touch – never stored on disk.

How it works:

- Pattern-based: only keys matching /password$/, /api_key$/, etc. (configurable) get encrypted

- Values encrypted with AES-256-GCM, key wrapped per recipient

- `confcrypt check` for CI – exits 1 if unencrypted secrets found
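The three "How it works" points above, as an added example written in Go for this page; it is not confcrypt's own code and makes several simplifying assumptions: the config is a flat map of dotted key paths (as a YAML/JSON loader could flatten it), recipients hold 32-byte symmetric keys standing in for the age/SSH/FIDO2-derived keys, encrypted values are marked with a constructed `ENC[...]` wrapper, and the secret-key pattern is a constructed regex modelled on the `/password$/` and `/api_key$/` defaults. Matching values are encrypted with AES-256-GCM under one data-encryption key, which is then wrapped once per recipient, and a check function lists secrets that are still plaintext, which a CI step would turn into a non-zero exit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Constructed default pattern, modelled on the /password$/ and /api_key$/ defaults above.
var secretKey = regexp.MustCompile(`(?i)(password|api_key)$`)
const encPrefix = "ENC[" // constructed marker for a value that is already encrypted

func gcm(key []byte) cipher.AEAD { // AES-256-GCM; every key in this example is 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error here, not runtime input
	}
	a, _ := cipher.NewGCM(block)
	return a
}

// seal returns nonce || ciphertext; aad (the key path or recipient name) is authenticated, not hidden.
func seal(a cipher.AEAD, pt, aad []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand does not return errors on supported platforms
	return append(nonce, a.Seal(nil, nonce, pt, aad)...)
}

func open(a cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// EncryptConfig encrypts matching values in place under a fresh data-encryption key (DEK) and
// wraps that DEK once per recipient. Recipient keys are simplified to 32-byte symmetric keys
// standing in for the age/SSH/FIDO2-derived keys of the real tool. The key path is bound as
// AAD, so a ciphertext cannot be moved under another key without detection.
func EncryptConfig(cfg map[string]string, recipients map[string][]byte) map[string][]byte {
	dek := make([]byte, 32)
	rand.Read(dek)
	a := gcm(dek)
	for path, s := range cfg {
		if secretKey.MatchString(path) && !strings.HasPrefix(s, encPrefix) {
			cfg[path] = encPrefix + base64.StdEncoding.EncodeToString(seal(a, []byte(s), []byte(path))) + "]"
		}
	}
	wrapped := map[string][]byte{}
	for name, rk := range recipients {
		wrapped[name] = seal(gcm(rk), dek, []byte(name))
	}
	return wrapped
}

// DecryptConfig unwraps the DEK with one recipient's key and restores plaintext values in place.
func DecryptConfig(cfg map[string]string, name string, rk []byte, wrapped map[string][]byte) error {
	dek, err := open(gcm(rk), wrapped[name], []byte(name))
	if err != nil {
		return fmt.Errorf("cannot unwrap DEK for %q: %w", name, err)
	}
	a := gcm(dek)
	for path, s := range cfg {
		if strings.HasPrefix(s, encPrefix) {
			blob, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(s[len(encPrefix):], "]"))
			if err == nil {
				blob, err = open(a, blob, []byte(path))
			}
			if err != nil {
				return fmt.Errorf("%s: %w", path, err)
			}
			cfg[path] = string(blob)
		}
	}
	return nil
}

// UnencryptedSecrets lists secret-looking keys still in plaintext; a CI step like `confcrypt check` exits 1 if any.
func UnencryptedSecrets(cfg map[string]string) []string {
	var found []string
	for path, s := range cfg {
		if secretKey.MatchString(path) && !strings.HasPrefix(s, encPrefix) {
			found = append(found, path)
		}
	}
	return found
}

func main() { // constructed sample config: host and user stay readable, the two secrets get encrypted
	cfg := map[string]string{"db.host": "db.internal", "db.user": "app", "db.password": "hunter2", "stripe_api_key": "sk_test_1"}
	alice := make([]byte, 32)
	rand.Read(alice) // stands in for one recipient's key
	wrapped := EncryptConfig(cfg, map[string][]byte{"alice": alice})
	fmt.Println(cfg, "\nstill unencrypted:", UnencryptedSecrets(cfg))
	if err := DecryptConfig(cfg, "alice", alice, wrapped); err != nil {
		panic(err)
	}
	fmt.Println("restored:", cfg["db.password"])
}
```

Running `go run` on this prints the config with `db.host` and `db.user` untouched and the two secret values as `ENC[...]`, an empty "still unencrypted" list, and the restored password. The design point worth noticing is the per-value AAD: because each ciphertext is bound to its key path, a reviewer who sees an `ENC[...]` value copied from `db.password` into another key gets a decryption failure rather than a silently re-labelled secret, and a wrong recipient key fails at the DEK unwrap before any value is touched.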
