mums

Simple encrypted enviroment variables

Inspired by ansible's vault but simpler and with fewer dependencies (though not as featureful), mums encrypts environment variables to a file that you can store in your repository. The only thing you have to keep a secret ("mum's the word") is the keyfile.

A keyfile can be any kind of textfile, its content is used as a (hashed) password. By default is uses ~/.ssh/id_rsa but that is not advisable in a team environment. Whatever it is though, don't store it in the repository.

Mums is written in python3, runs on *nixes and is licenced with the two-clause BSD license.

To install (assuming a virtual environment with python3 interpreter):

pip install mums

How to use it:

$ mkdir .mums
$ mums .mums/prod store DATABASE_URK "postgres://username:password@hostname:5432/dbname"
$ mums .mums/prod show
DATABASE_URK=postgres://username:password@hostname:5432/dbname
$ mums .mums/prod run -- env | grep DATABASE
DATABASE_URK=postgres://username:password@hostname:5432/dbname

I made a typo. Let's add the correct key:

$ mums .mums/prod store DATABASE_URL "postgres://username:password@hostname:5432/dbname"

Run a program with (decrypted) environment variables:

$ mums .mums/prod run -- env | grep DATABASE
DATABASE_URK=postgres://username:password@hostname:5432/dbname
DATABASE_URL=postgres://username:password@hostname:5432/dbname

Verify that is not in the environment by default:

$ env | grep DATABASE # shows no output

Let's remove that typo:

$ mums .mums/prod remove DATABASE_URK
$ mums .mums/prod show
DATABASE_URL=postgres://username:password@hostname:5432/dbname

To avoid typing too much I create little shell-scripts named after the environment, i.e. 'prod' (or 'dev'):

#!/usr/bin/env bash
if [ $# -eq 0 ]
   then
   echo "No arguments supplied";
   exit 1;
fi
mums .mums/prod run -- "$@"

Then prefix any command with the desired environment name

$ chmod 755 prod
$ ./prod env | grep DATABASE
DATABASE_URL=postgres://username:password@hostname:5432/dbname