In an era of data breaches and over-reliance on third-party password managers, many developers are looking for true control over their secrets. What if you could store all your API keys, database credentials, and sensitive configs in a simple private Git repository, fully encrypted on your own machine, with zero plain text ever touching the cloud?
Meet Ostrakon, a lightweight, powerful, open-source CLI tool that transforms any private GitHub or GitLab repo into your personal encrypted secrets vault.
Why "Ostrakon"?
The name comes from ancient Athens, where ostraka (pottery shards) were used for everyday notes, receipts, and secret ballots. Simple, durable, and private. Modern Ostrakon brings that same spirit to secret management.
The Core Philosophy
Unlike most tools, Ostrakon follows a strict client-side only encryption model:
- Nothing is ever stored in plain text — not on disk, not in Git.
- All encryption and decryption happens locally on your machine.
- Zero-knowledge: Even if your Git repository is completely leaked or compromised, attackers get only encrypted blobs. Without your master password, the data is useless.
- Portable: Remember your master password and you can access your entire vault from any computer in the world.
How Ostrakon Compares to Other Tools
| Tool | Storage | Encryption Location | Zero-Knowledge | Git Native | Cost | Best For |
|---|---|---|---|---|---|---|
| Ostrakon | Private Git repo | Client-side only | Yes | Yes | Free | Developers, power users |
| 1Password | Cloud (or local sync) | Cloud + local | No | No | Paid | Teams & families |
| Bitwarden | Cloud (self-host option) | Server-side | Partial | No | Freemium | General password management |
| pass / gopass | Git repo | Client-side | Yes | Yes | Free | Simple GPG-based use |
| HashiCorp Vault | Dedicated server | Server-side | No | No | Free/Paid | Large teams & enterprises |
Ostrakon stands out because it combines the portability of Git with rock-solid client-side encryption (Argon2id + AES-256-GCM), without the GPG key management that pass requires.
Key Features
- Full client-side encryption using industry-standard algorithms
- Support for GitHub and GitLab
- Profiles/namespaces for organizing secrets (dev, staging, prod)
- Secure `run` command to inject secrets into scripts
- Smart keyring integration (convenience on writes, strict prompting on reads)
- Cross-platform (macOS, Linux, Windows)
Installation
```bash
# macOS - Homebrew
brew tap PapaDanielVi/homebrew-tap
brew install ostrakon

# Go users
go install github.com/PapaDanielVi/ostrakon@latest
```
Quick Start & Examples
1. Initialize your vault
```bash
ostrakon init
```
You'll be prompted for:
- Your private repo URL
- GitHub/GitLab token (fine-grained recommended)
- Strong master password
2. Adding Secrets
```bash
# Interactive
ostrakon add DATABASE_URL

# Pipe from command (great for scripts)
echo "sk-1234567890abcdef" | ostrakon add openai-api-key

# Add with profile
echo "prod-value" | ostrakon add API_KEY -p production

# Add a personal file
ostrakon add ~/.bashrc
ostrakon add .env
```
3. Listing & Retrieving
```bash
# List all secrets
ostrakon ls

# List in specific profile
ostrakon ls -p production

# Get a secret (always prompts for master password)
ostrakon get DATABASE_URL

# Write a secret to a file (always prompts for master password)
ostrakon write DATABASE_URL -o db_url.txt
```
4. Editing & Secure Deletion
```bash
# Edit in your default editor ($EDITOR)
ostrakon edit API_KEY

# Securely delete (overwrites before removal)
ostrakon shred old-secret
```
5. Running Scripts with Secrets
This is one of the most powerful features:
```bash
# Run a deployment script with injected secrets
ostrakon run ./deploy.sh \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e DATABASE_PASSWORD
```
The script gets the secrets as environment variables — decrypted only in memory for the duration of the run.
6. Working Across Machines
Just install Ostrakon on a new laptop, run `ostrakon init` with the same repo, and use your master password. All your secrets are instantly available — no export/import hassle.
Security Deep Dive
- Encryption: Argon2id (memory-hard, resistant to brute force) + AES-256-GCM
- Read Security: Master password is always required for `get`, `run`, `edit`, and `ls` operations
- Write Convenience: Optional OS keyring storage for the master password (can be disabled)
- Repo Leak Protection: Even full access to the Git repo gives zero readable information
- No telemetry, no cloud dependency beyond your own Git storage
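The client-side model described under The Core Philosophy and in this Security Deep Dive, as an added example that is not Ostrakon's own code: a password-derived AES-256-GCM envelope of the kind a vault blob needs, in the project's language. Because Argon2id is not in Go's standard library, a single-block PBKDF2-HMAC-SHA256 stands in for it here (an assumption, as are the sizes, iteration count and blob layout; Ostrakon's real parameters are not on the page). `Seal` produces the only bytes that would ever be committed, and `Open` shows that a wrong password or a tampered blob fails the GCM tag check instead of decrypting to garbage.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)
// Illustrative sizes and iteration count; Ostrakon's real KDF parameters are not on the page.
const saltLen, nonceLen, kdfIter = 16, 12, 100_000
// deriveKey is single-block PBKDF2-HMAC-SHA256 (32 bytes out), standing in for Argon2id.
func deriveKey(password, salt []byte) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}
// newAEAD builds AES-256-GCM; neither constructor can fail for a 32-byte key and default nonce.
func newAEAD(password, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(password, salt))
	aead, _ := cipher.NewGCM(block)
	return aead
}
// Seal returns salt || nonce || ciphertext || tag: the only bytes that would reach Git.
func Seal(password, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh salt and nonce per secret
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	return newAEAD(password, salt).Seal(append([]byte{}, hdr...), nonce, plaintext, salt), nil
}
// Open reverses Seal; a wrong password fails the GCM tag check instead of yielding garbage.
func Open(password, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16-byte GCM tag
		return nil, errors.New("blob too short")
	}
	salt, nonce := blob[:saltLen], blob[saltLen:saltLen+nonceLen]
	return newAEAD(password, salt).Open(nil, nonce, blob[saltLen+nonceLen:], salt)
}
```

The salt is also bound as GCM associated data, so a blob cannot be silently re-keyed by swapping its salt.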
Who Should Use Ostrakon?
- Solo developers and small teams who want full control
- Security-conscious users tired of trusting cloud providers
- Anyone who already uses private Git repos and wants a cleaner alternative to `.env` files
- Engineers who value portability and dislike vendor lock-in
Get Started Today
Ostrakon is actively developed, open source (MIT license), and built with love for better developer security tools.
👉 Repository: github.com/PapaDanielVi/ostrakon
If you find it useful, please star the repo — it really helps small open-source projects gain visibility!
Have feedback or feature requests? Contributions are warmly welcome.
Built for developers, by a developer.