How to backup your secrets with Keystone

Keystone keeps your secrets on its servers for as short a time as possible (7 days by default). Secrets are stored as one message per recipient per environment, and a message is removed when:

  • the recipient has successfully fetched the latest secrets
  • its time-to-live has expired (7 days by default)

From a security standpoint this is a good property: a secret lives in the system only for the time the exchange needs.

But it also means Keystone is not (and will never be) a backup service for your secrets. You need to handle backups yourself.

Fortunately, the Keystone CLI runs a hook each time secrets are fetched, which makes it a convenient place to create a backup every time you sync a project.

To register one, use the command ks hook add <path-to-your-executable>.

Your executable is called with two parameters: the project UUID and the path to the .keystone folder. Because the hook runs with your privileges on every fetch, keep it owned by you and not writable by other users; anyone who can modify it gets code execution on every sync.

Below is a bash script example that creates encrypted backups in a Dropbox folder.

#!/usr/bin/env bash
# Backup secrets managed with Keystone in a Dropbox folder
# Keystone calls the hook with two parameters:
#   $1 = project UUID, $2 = path to the .keystone folder
project_id="$1"
project_path="$(dirname "$2")"          # assumes .keystone sits in the project root
project_name="$(basename "$project_path")"
BACKUP_ROOT_FOLDER="${BACKUP_ROOT_FOLDER:-$HOME/Dropbox/keystone-backups}"

current_user="$(ks whoami)"
status=$?

# check that we are logged in
if [ "$status" -eq 0 ]; then
    echo "Logged as $current_user, creating backup..."
    cd "$project_path" || exit 1
    # create encrypted keystone backup
    # (prefer reading the password from an environment variable
    # or a permission-restricted file rather than hardcoding it here)
    backup_path=$(ks backup --short -p "<password_for_encryption>")
    # check if the project folder exists
    # and create it otherwise
    target_folder="$BACKUP_ROOT_FOLDER/$project_name - $project_id"
    if [ ! -d "$target_folder" ]; then
        mkdir -p "$target_folder"
    fi
    echo "Moving backup to $target_folder"
    mv "$backup_path" "$target_folder"
else
    echo "You need to be logged in in order to create a Keystone backup." >&2
    exit 1
fi
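Before registering a hook with ks hook add, it is worth checking that the file cannot be modified by anyone else and that it behaves correctly when called the way Keystone calls it. The script below is an added example, not part of the Keystone project or of this page's original script: check_hook, dry_run_hook and make_fixture are names chosen here, the fixture project and the sample UUID are constructed for the demonstration, and the only facts taken from the page are that the hook is an executable and that it receives the project UUID and the .keystone folder path as its two parameters.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a Keystone hook before registering it with
# `ks hook add`. Added example; `check_hook`, `dry_run_hook` and
# `make_fixture` are names chosen here, not Keystone commands. The only
# facts taken from the page: the hook is an executable, and Keystone
# calls it with the project UUID and the .keystone folder path.

# The hook runs with your privileges on every fetch, so anyone who can
# write to the file gets code execution on each sync. Require: regular
# file, executable, owned by the current user, not group/world-writable.
check_hook() {
    hook="$1"
    [ -f "$hook" ] || { echo "not a regular file: $hook" >&2; return 1; }
    [ -x "$hook" ] || { echo "not executable: $hook" >&2; return 1; }
    # owner uid and permission bits (GNU stat first, BSD/macOS fallback)
    owner=$(stat -c '%u' "$hook" 2>/dev/null || stat -f '%u' "$hook")
    mode=$(stat -c '%a' "$hook" 2>/dev/null || stat -f '%Lp' "$hook")
    [ "$owner" = "$(id -u)" ] || { echo "not owned by you: $hook" >&2; return 1; }
    # last two octal digits are group and other; the write bit is 2,
    # so any digit in 2,3,6,7 means that class can modify the hook
    case "$mode" in
        *[2367]?|*[2367]) echo "group/world-writable ($mode): $hook" >&2; return 1 ;;
    esac
    return 0
}

# Invoke the hook exactly as Keystone would: two positional parameters.
# Prints whatever the hook prints and returns the hook's exit status.
dry_run_hook() {
    hook="$1"; project_id="$2"; keystone_dir="$3"
    [ -d "$keystone_dir" ] || { echo "missing .keystone folder: $keystone_dir" >&2; return 1; }
    "$hook" "$project_id" "$keystone_dir"
}

# Constructed fixture: a throwaway project with a .keystone folder and a
# hook that only reports its parameters. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.keystone"
    printf '#!/bin/sh\necho "project=$1 keystone=$2"\n' > "$dir/hook.sh"
    chmod 700 "$dir/hook.sh"
    echo "$dir"
}

# Run with --demo to exercise the checks against the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_fixture)
    check_hook "$dir/hook.sh" && dry_run_hook "$dir/hook.sh" \
        "00000000-0000-0000-0000-000000000000" "$dir/.keystone"
    rm -rf "$dir"
fi
```

To check a real hook, source the script and call check_hook on the path you intend to pass to ks hook add, then dry_run_hook with the project's UUID and its .keystone folder; a hook that fails either check should be fixed before it is registered, since Keystone will run it unattended on every fetch.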

How to manage hooks?

You can check if you have an active hook with the command ks hook. You can remove one with ks hook rm.
