𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍

Shamelessly shilling my OSS project, rook. It provides a secret-server-ish headless tool backed by a KeePass DB.

• Headless server
• Optional and convenient integration with the kernel keyring (on Linux), for locking the server to only provide secrets to the user’s session
• Provides a range of search, list, and get commands
• Minimal dependencies and small code base make rook reasonably auditable

You might be interested in rook if you’re a KeePassXC user. Why might you want this instead of:

• Gnome secret-server, KDEs wallet, or pass? rook uses your (a) KeePass DB, while most other projects store secrets in their own DBs and require (usually manual) sync’ing when passwords change.
• One of the browser secret storage? Those also keep a bespoke DB which needs to be synced, and they’re limited to browser use. Rook supports using secrets in cron jobs or on the command line (e.g. mbsync, vdirsyncer, msmtp, etc, etc).
• KeePassXC? KeePassXC does provide a secret service that mocks Gnome secret-service, but you have to keep KeePassXC (a GUI app) running even if you only rarely use the UI. Rook can also be used on a headless machine.
• The KeePassXC command line tool? That requires entering the password for every request, making it tedious to use and impractical for automated, periodic jobs.

Rook is read-only, and intended to be complementary to KeePassXC. The KeePassXC command line tools are just fine for editing, where providing a password for every action is acceptable, and of course the GUI is quite nice for CRUD.