Manage Credentials new in v0.33.0
Credentials provide your identity on SecretHub and allow you to decrypt all the secrets you have access to on SecretHub. All the machines you personally want to access SecretHub with need their own credential. This command allows you to manage these credentials.
Currently there are two types of credentials:
- Key Credentials
- This type of credential lives as a file on your machine.
This is the default type of credentials and it is created upon signup or when running
- Backup Codes
- This is a special type of credential that can be used to restore access to your account in case you lose access to your other credentials.
Backup Codes can be generated with the secrethub credential backup command. Every SecretHub user is advised to create at least a single Backup Code and store it somewhere safe (for example by writing it down and storing it in a safe deposit box). If you do not do this, you risk losing the secrets in your personal workspace, and in your company's workspace you would have to ask an admin to give you access again.
Using Multiple Devices
If you want to use your SecretHub account on another device, you have to create a new credential for it. Currently, the way to do this is to create a Backup Code and use it on the secondary device. Assuming device A is your current device and you want to start using SecretHub on device B, take the following steps:
- Run secrethub credential backup on device A and note the Backup Code.
- Run secrethub init on device B and enter the previously generated Backup Code.
- Optionally run secrethub credential disable to disable the Backup Code if you do not plan to use it anymore.
To manage your credentials, you can use the following commands:
- credential ls - list all credentials
- credential backup - create a backup code for account recovery
- credential disable - disable an existing credential
All credentials are identified by a unique fingerprint of 64 hexadecimal characters. Most commands only display the first 16 characters of the fingerprint and also accept this shortened version as input.
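As an added example (not SecretHub's own code), here is a pre-flight check a wrapper script could run before passing a pasted fingerprint to secrethub credential disable: it resolves the shortened or full form against a locally kept inventory and refuses malformed, unknown or ambiguous input. The inventory format, the sample fingerprints, the function names, the exit codes and the choice to accept exactly 16 or 64 characters are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample data: 64-hex fingerprints built from 16-character chunks.
A=0123456789abcdef
B=fedcba9876543210
C=00112233aabbccdd
FP_LAPTOP="$A$B$C$A"
FP_CI="$B$A$C$B"
FP_OLD="$A$C$B$A"   # same first 16 characters as FP_LAPTOP, to show the ambiguous case
# Hypothetical inventory format for this example: "<label> <full fingerprint>" per line.
INVENTORY="laptop $FP_LAPTOP
ci-runner $FP_CI
old-laptop $FP_OLD"

# Print the input lowercased if it is 16 or 64 hex characters; return 2 otherwise.
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr 'ABCDEF' 'abcdef')
    case "$fp" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    case ${#fp} in
        16|64) printf '%s\n' "$fp" ;;
        *) return 2 ;;
    esac
}

# Resolve a shortened or full fingerprint against the inventory.
# Prints the full fingerprint; returns 2 if malformed, 3 if unknown, 4 if ambiguous.
resolve_fingerprint() {
    want=$(normalize_fingerprint "$1") || return 2
    # Keep every inventory fingerprint that starts with the requested value.
    matches=$(printf '%s\n' "$2" | awk -v p="$want" 'index($2, p) == 1 { print $2 }')
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        1) printf '%s\n' "$matches" ;;
        0) return 3 ;;
        *) return 4 ;;
    esac
}

# Demo: a unique short form resolves; an ambiguous one is refused.
resolve_fingerprint "$B" "$INVENTORY"
resolve_fingerprint "$A" "$INVENTORY" || echo "refused, exit status $?"
```

Logging the full 64-character value returned here, rather than the shortened form that was typed, leaves an unambiguous record of which credential was disabled.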
List new in v0.33.0
To list all your credentials, you can use the credential ls command:
secrethub credential ls [options]
The credential ls command prints out a list of all your credentials.
- Show timestamps formatted to RFC3339 instead of human readable durations.
Backup new in v0.33.0
To create a backup code for your account, you can use the credential backup command:
secrethub credential backup [options]
This will output a 64-character Backup Code. It can later be restored with the secrethub init command.
Disable new in v0.33.0
When you no longer want to use a certain credential, or have reason to assume it has been compromised, you can disable it by using the credential disable command:
secrethub credential disable [options] [<fingerprint>]
A disabled credential can no longer be used on SecretHub. When you use SecretHub on a machine that uses a disabled credential, any operation will lead to the following error message:
Encountered an error: credential is disabled
- The fingerprint of the credential to disable. If you do not provide this argument, you will be prompted for its value.