Secure Your Secrets the Ancient Way: Ostrakon - A Zero-Knowledge, Git-Backed CLI Secret Manager

PapaDanielVi — Wed, 03 Jun 2026 07:18:54 +0000

In an era of data breaches and over-reliance on third-party password managers, many developers are looking for true control over their secrets. What if you could store all your API keys, database credentials, and sensitive configs in a simple private Git repository, fully encrypted on your own machine, with zero plain text ever touching the cloud?

Meet Ostrakon, a lightweight, powerful, open-source CLI tool that transforms any private GitHub or GitLab repo into your personal encrypted secrets vault.

Why "Ostrakon"?

The name comes from ancient Athens, where ostraka (pottery shards) were used for everyday notes, receipts, and secret ballots. Simple, durable, and private. Modern Ostrakon brings that same spirit to secret management.

The Core Philosophy

Unlike most tools, Ostrakon follows a strict client-side only encryption model:

Nothing is ever stored in plain text — not on disk, not in Git.
All encryption and decryption happens locally on your machine.
Zero-knowledge: Even if your Git repository is completely leaked or compromised, attackers get only encrypted blobs. Without your master password, the data is useless.
Portable: Remember your master password and you can access your entire vault from any computer in the world.

How Ostrakon Compares to Other Tools

Tool	Storage	Encryption Location	Zero-Knowledge	Git Native	Cost	Best For
Ostrakon	Private Git repo	Client-side only	Yes	Yes	Free	Developers, power users
1Password	Cloud (or local sync)	Cloud + local	No	No	Paid	Teams & families
Bitwarden	Cloud (self-host option)	Server-side	Partial	No	Freemium	General password management
pass / gopass	Git repo	Client-side	Yes	Yes	Free	Simple GPG-based use
HashiCorp Vault	Dedicated server	Server-side	No	No	Free/Paid	Large teams & enterprises

Ostrakon stands out because it combines the portability of Git with rock-solid client-side encryption (Argon2id + AES-256-GCM), without the complexity of managing GPG keys like pass.

Key Features

Full client-side encryption using industry-standard algorithms
Support for GitHub and GitLab
Profiles/namespaces for organizing secrets (dev, staging, prod)
Secure run command to inject secrets into scripts
Smart keyring integration (convenience on writes, strict prompting on reads)
Cross-platform (macOS, Linux, Windows)

Installation

# macOS - Homebrew
brew tap PapaDanielVi/homebrew-tap
brew install ostrakon

# Go users
go install github.com/PapaDanielVi/ostrakon@latest

Quick Start & Examples

1. Initialize your vault

ostrakon init

You'll be prompted for:

Your private repo URL
GitHub/GitLab token (fine-grained recommended)
Strong master password

2. Adding Secrets

# Interactive
ostrakon add DATABASE_URL

# Pipe from command (great for scripts)
echo "sk-1234567890abcdef" | ostrakon add openai-api-key

# Add with profile
echo "prod-value" | ostrakon add API_KEY -p production

# Add a personal file
ostrakon add ~/.bashrc
ostrakon add .env

3. Listing & Retrieving

# List all secrets
ostrakon ls

# List in specific profile
ostrakon ls -p production

# Get a secret (always prompts for master password)
ostrakon get DATABASE_URL

# Write a secret (always prompts for master password)
ostrakon write DATABASE_URL -o db_url.txt

4. Editing & Secure Deletion

# Edit in your default editor ($EDITOR)
ostrakon edit API_KEY

# Securely delete (overwrites before removal)
ostrakon shred old-secret

5. Running Scripts with Secrets

This is one of the most powerful features:

# Run a deployment script with injected secrets
ostrakon run ./deploy.sh \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e DATABASE_PASSWORD

The script gets the secrets as environment variables — decrypted only in memory for the duration of the run.

6. Working Across Machines

Just install Ostrakon on a new laptop, run ostrakon init with the same repo, and use your master password. All your secrets are instantly available — no export/import hassle.

Security Deep Dive

Encryption: Argon2id (memory-hard, resistant to brute force) + AES-256-GCM
Read Security: Master password is always required for get, run, edit, and ls operations
Write Convenience: Optional OS keyring storage for the master password (can be disabled)
Repo Leak Protection: Even full access to the Git repo gives zero readable information
No telemetry, no cloud dependency beyond your own Git storage

Who Should Use Ostrakon?

Solo developers and small teams who want full control
Security-conscious users tired of trusting cloud providers
Anyone who already uses private Git repos and wants a cleaner alternative to .env files
Engineers who value portability and dislike vendor lock-in

Get Started Today

Ostrakon is actively developed, open source (MIT license), and built with love for better developer security tools.

👉 Repository: github.com/PapaDanielVi/ostrakon

If you find it useful, please star the repo — it really helps small open-source projects gain visibility!

Have feedback or feature requests? Contributions are warmly welcome.

Built for developers, by a developer.

DEV Community: PapaDanielVi