Unleash the Power of Rot
Secure Secrets Management for the Modern Sysadmin
Bulletproof Encryption
Generate keys and values using the latest and greatest encryption standards. Sleep soundly knowing your secrets are safe.
Version Control for Secrets
Track changes and revert to previous versions with ease. No more scrambling to remember what went wrong.
Unbreakable Sharing
Securely share secrets among your team. No single point of failure, just peace of mind.
Future-Proof Encryption
Rekey your encrypted values to the latest standards with minimal effort. Your secrets stay safe, even as technology evolves.
Effortless Collaboration
Share secrets securely within your team and control access with granular permissions.
# Initialize rot.jsonnet and a key for Alice
$ rot init mykeyring alice
New Password (empty string skips PBKDF):
Confirm Password (empty string skips PBKDF):
# Add Bob's public key
$ rot key-add-pub bob ed25519public:MCowBQYDK2VwAyEAAYkJzjQGb+4I7bfcaq6TnkI6nWJXolUdYSQDKSZIDZU=:bob
# Grant Bob access to our Keyring
$ rot key-add-prv bob mykeyring
Keep It Safe, and Versioned
Values are added with zero knowledge of the encryption key and are versioned by timestamp.
# Add a Value
$ rot val-add mykeyring/prd/database/secret database=backend1
Value:
# Replace it
$ rot val-add mykeyring/prd/database/secret database=backend2
Value:
# List the Values
$ rot val-lst mykeyring
{
"mykeyring/prd/database/secret": [
"2024-04-26T12:32:44Z",
"2024-04-26T10:32:52Z"
]
}
# View it--need access to decrypt!
$ rot val-dis mykeyring/prd/database/secret
Password for alice:
{
"meta": {
"database": "backend2"
},
"modified": "2024-04-26T12:32:44Z",
"value": "hunter2"
}
Convert Everything
Manage all kinds of cryptographic keys: PEM, SSH, X.509, JWT, and more.
# Generate a public/private keypair
$ rot key-new
{
"privateKey": "ed25519private:MC4CAQAwBQYDK2VwBCIEIHZm1QM2sOFMWwJpmSptFkb2KsndJzebZZ8V8ogaMB9z:q5cnabsnVa",
"publicKey": "ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa"
}
# Convert it to PEM
$ rot pem ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=
-----END PUBLIC KEY-----
# Convert it to SSH
$ rot ssh-dis ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHrOcBFyB4tamkDQjUSm6nIIt6kNO0AG0sdnuy4DoVa
# Generate an X.509 CA
$ rot x509-new -c -n "My CA" ed25519private:MC4CAQAwBQYDK2VwBCIEIHZm1QM2sOFMWwJpmSptFkb2KsndJzebZZ8V8ogaMB9z:q5cnabsnVa ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa | rot x509-dis -
...
"CommonName": "My CA",
"IsCA": true,
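
What the PEM and SSH conversions shown above amount to for an Ed25519 public key, as an added Python example (not rot's own code). It assumes, from the key strings printed on this page, that a key is laid out as `<type>:<base64 DER>:<label>`; the function names are hypothetical.

```python
import base64
import struct
import textwrap

# DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410): SEQUENCE,
# AlgorithmIdentifier with OID 1.3.101.112, BIT STRING with 0 unused bits.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Sample input: the public key string from the `rot key-new` output on this page.
SAMPLE = ("ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo="
          ":q5cnabsnVa")


def parse_public(key_string):
    """Split the assumed '<type>:<base64 DER>:<label>' layout; return (der, raw, label)."""
    parts = key_string.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected three colon-separated fields")
    kind, b64, label = parts
    if kind != "ed25519public":
        # Refuse private keys and other algorithms rather than mis-encode them.
        raise ValueError(f"unsupported key type: {kind!r}")
    der = base64.b64decode(b64, validate=True)
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not a 32-byte Ed25519 SubjectPublicKeyInfo")
    return der, der[len(ED25519_SPKI_PREFIX):], label


def to_pem(key_string):
    """PEM is the same DER bytes, base64-wrapped at 64 columns between markers."""
    der, _, _ = parse_public(key_string)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def to_ssh(key_string):
    """OpenSSH drops the DER header and re-frames the raw 32-byte key."""
    _, raw, _ = parse_public(key_string)
    algo = b"ssh-ed25519"
    # RFC 4253 wire format: each field is a 4-byte big-endian length plus data.
    blob = struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    print(to_pem(SAMPLE), end="")
    print(to_ssh(SAMPLE))
```

Both outputs carry the same 32 key bytes, so a key received in one form can be checked against the other before it is trusted.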