|
| 1 | +--- |
| 2 | +title: Providers Reference |
| 3 | +description: Complete reference for SecretSpec storage providers and their URI configurations |
| 4 | +--- |
| 5 | + |
| 6 | +SecretSpec supports multiple storage backends for secrets. Each provider has its own URI format and configuration options. |
| 7 | + |
| 8 | +## DotEnv Provider |
| 9 | + |
| 10 | +**URI**: `dotenv://[path]` - Stores secrets in `.env` files |
| 11 | + |
| 12 | +```bash |
| 13 | +dotenv:// # Uses default .env |
| 14 | +dotenv:///config/.env # Custom path |
| 15 | +dotenv://config/.env # Relative path |
| 16 | +``` |
| 17 | + |
| 18 | +**Features**: Read/write, profiles, human-readable, no encryption |
| 19 | + |
| 20 | +## Environment Provider |
| 21 | + |
| 22 | +**URI**: `env://` - Read-only access to system environment variables |
| 23 | + |
| 24 | +```bash |
| 25 | +env:// # Current process environment |
| 26 | +``` |
| 27 | + |
| 28 | +**Features**: Read-only, no setup required, no persistence |
| 29 | + |
| 30 | +## Keyring Provider |
| 31 | + |
| 32 | +**URI**: `keyring://` - Uses system keychain/keyring for secure storage |
| 33 | + |
| 34 | +```bash |
| 35 | +keyring:// # System default keychain |
| 36 | +``` |
| 37 | + |
| 38 | +**Features**: Read/write, secure encryption, profiles, cross-platform |
| 39 | +**Storage**: Service `secretspec/{project}`, username `{profile}:{key}` |
| 40 | + |
| 41 | +## LastPass Provider |
| 42 | + |
| 43 | +**URI**: `lastpass://[folder]` - Integrates with LastPass via `lpass` CLI |
| 44 | + |
| 45 | +```bash |
| 46 | +lastpass://work # Store in work folder |
| 47 | +lastpass:///personal/projects # Nested folder |
| 48 | +lastpass://localhost # Root (no folder) |
| 49 | +``` |
| 50 | + |
| 51 | +**Features**: Read/write, cloud sync, profiles via folders, auto-sync |
| 52 | +**Prerequisites**: `lpass` CLI, authenticated with `lpass login` |
| 53 | +**Storage**: Item name `{folder}/{profile}/{project}/{key}` |
| 54 | + |
| 55 | +## 1Password Provider |
| 56 | + |
| 57 | +**URI**: `1password://[account@]vault` or `1password+token://user:token@vault` |
| 58 | + |
| 59 | +```bash |
| 60 | +1password://MyVault # Default account |
| 61 | +1password://work@CompanyVault # Specific account |
| 62 | +1password+token://user:op_token@SecureVault # Service account |
| 63 | +``` |
| 64 | + |
| 65 | +**Features**: Read/write, cloud sync, profiles via vaults, service accounts |
| 66 | +**Prerequisites**: `op` CLI, authenticated with `op signin` |
| 67 | +**Storage**: Item name `{project}/{key}`, tags `automated`, `{project}` |
| 68 | + |
| 69 | +## Provider Selection |
| 70 | + |
| 71 | +### Command Line |
| 72 | +```bash |
| 73 | +# Simple provider names |
| 74 | +secretspec get API_KEY --provider keyring |
| 75 | +secretspec get API_KEY --provider dotenv |
| 76 | +secretspec get API_KEY --provider env |
| 77 | + |
| 78 | +# URIs with configuration |
| 79 | +secretspec get API_KEY --provider dotenv:/path/to/.env |
| 80 | +secretspec get API_KEY --provider 1password://vault |
| 81 | +secretspec get API_KEY --provider "1password://account@vault" |
| 82 | +``` |
| 83 | + |
| 84 | +### Environment Variables |
| 85 | +```bash |
| 86 | +export SECRETSPEC_PROVIDER=keyring |
| 87 | +export SECRETSPEC_PROVIDER="dotenv:///config/.env" |
| 88 | +``` |
| 89 | + |
| 90 | + |
| 91 | +## Security Considerations |
| 92 | + |
| 93 | +| Provider | Encryption | Storage Location | Network Access | |
| 94 | +|----------|------------|------------------|----------------| |
| 95 | +| DotEnv | ❌ Plain text | Local filesystem | ❌ No | |
| 96 | +| Environment | ❌ Plain text | Process memory | ❌ No | |
| 97 | +| Keyring | ✅ System encryption | System keychain | ❌ No | |
| 98 | +| LastPass | ✅ End-to-end | Cloud (LastPass) | ✅ Yes | |
| 99 | +| 1Password | ✅ End-to-end | Cloud (1Password) | ✅ Yes | |
0 commit comments