
A simple tool to manage secrets in Dhall configuration, inspired by sops
Download the binary for your OS from the releases page, or, if you have Nix, install it with the command below (note that it builds from the unpinned `master` branch; substitute a release tag or commit hash in the URL when you need a reproducible, reviewable install):
nix-env -f https://github.com/jcouyang/dhall-secret/archive/master.tar.gz -iA dhall-secret
Usage: dhall-secret (encrypt | decrypt | gen-types) [-v|--version]
Available options:
-h,--help Show this help text
-v,--version print version
Available commands:
encrypt Encrypt a Dhall expression
decrypt Decrypt a Dhall expression
gen-types generate types
create an unencrypted version of the Dhall file ./test/example.dhall, putting each plain-text secret in a PlainText field:
let dhall-secret =
let empty =
in { kmsExample =
{ KeyId = "alias/dhall-secret/test"
, PlainText = "a secret to be encrypted"
, EncryptionContext = empty Text Text
, aesExample =
{ KeyEnvName = "MY_AES_SECRET"
, PlainText = "another secret to be encrypted"
, somethingElse = "not secret"
The file contains two secrets to be encrypted:
a secret to be encrypted
is a secret that needs to be encrypted via KMS with key id alias/dhall-secret/test (the EncryptionContext map, empty in this example, is passed through to KMS; a non-empty context must be supplied identically when decrypting);
another secret to be encrypted
is a secret that needs to be encrypted via AES-256; the secret string used for AES encryption must be provided in the environment variable named in KeyEnvName (MY_AES_SECRET here). Note that the encrypted form shown below records only CiphertextBlob and IV, with no separate authentication tag visible, so confirm from the implementation whether the cipher mode authenticates the ciphertext before relying on it to detect tampering.
log in to your AWS account (for example via ~/.aws/credentials); the credentials used must be allowed to call KMS Encrypt/Decrypt on that key, and you will probably also need to export AWS_REGION=<your-kms-key-region>
just export the secret string in an environment variable whose name matches KeyEnvName, e.g.
export MY_AES_SECRET=super-secure-secret
Use a long, randomly generated value rather than a memorable phrase, and bear in mind that a literal export like this is recorded in your shell history and that environment variables are visible to every child process of that shell.
from stdin
> dhall-secret encrypt
let dhall-secret =
in { my-config =
{ KeyEnvName = "MY_AES_SECRET", PlainText = "shhhh" }
< Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
| Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
| AwsKmsDecrypted :
{ EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
, PlainText : Text
| AwsKmsEncrypted :
{ CiphertextBlob : Text
, EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
{ KeyEnvName = "MY_AES_SECRET"
, CiphertextBlob = "Um5EXmk="
, IV = "CdbCJEEk2B8/e2YWTNvMtg=="
to stdout
> dhall-secret encrypt -f test/example.dhall
{ aesExample =
< Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
| Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
| AwsKmsDecrypted :
{ EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
, PlainText : Text
| AwsKmsEncrypted :
{ CiphertextBlob : Text
, EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
{ KeyEnvName = "MY_AES_SECRET"
, CiphertextBlob = "LxjbrUXYPyUyL3Zs/2e0D+2ERuUl6feqZsAKA8GA"
, IV = "vMAEGQmmBzw71yTdnIfqDg=="
, kmsExample =
< Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
| Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
| AwsKmsDecrypted :
{ EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
, PlainText : Text
| AwsKmsEncrypted :
{ CiphertextBlob : Text
, EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
{ KeyId =
, CiphertextBlob =
, EncryptionContext = [] : List { mapKey : Text, mapValue : Text }
, somethingElse = "not secret"
in place
dhall-secret encrypt -f test/example.dhall --inplace
to a new file
dhall-secret encrypt -f test/example.dhall -o test/example.encrypted.dhall
to stdout
> dhall-secret decrypt -f test/example.encrypted.dhall
{ aesExample =
< Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
| Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
| AwsKmsDecrypted :
{ EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
, PlainText : Text
| AwsKmsEncrypted :
{ CiphertextBlob : Text
, EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
{ KeyEnvName = "MY_AES_SECRET"
, PlainText = "another secret to be encrypted"
, kmsExample =
< Aes256Decrypted : { KeyEnvName : Text, PlainText : Text }
| Aes256Encrypted : { CiphertextBlob : Text, IV : Text, KeyEnvName : Text }
| AwsKmsDecrypted :
{ EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
, PlainText : Text
| AwsKmsEncrypted :
{ CiphertextBlob : Text
, EncryptionContext : List { mapKey : Text, mapValue : Text }
, KeyId : Text
{ KeyId =
, PlainText = "a secret to be encrypted"
, EncryptionContext = [] : List { mapKey : Text, mapValue : Text }
, somethingElse = "not secret"
in place (this overwrites the file with the plaintext secrets on disk; keep such a file out of version control and re-encrypt it when you are done)
dhall-secret decrypt -f test/example.encrypted.dhall --inplace
to a new file
dhall-secret decrypt -f test/example.encrypted.dhall -o test/example.dhall
To re-encrypt (for example after rotating the AES key), pipe decrypt straight into encrypt so the plaintext never lands in a file:
dhall-secret decrypt -f test/example.encrypted.dhall | dhall-secret encrypt --in-place
Note that the flag is written `--inplace` elsewhere in this document, and with stdin as input there is no file to rewrite in place; check `dhall-secret encrypt --help` for the exact spelling and use `-o <file>` if you want the result written to a specific file.