Terminal-first app: Keystone, a system for developers to store and use secrets together


Hi everyone!

I’m happy to share with you our experiment at using Blockstack in a terminal environment.

Keystone.sh is an open-source system for developers to store, share and use secrets with other developers. Everything can be done through our cli and we released the 1.0.0 version this week.

We are using it at my web agency to handle applications tokens in local development but also in CI/CD setups. No more sharing over slack or worse, emails.

Our team can’t wait to get your feedback!

I hope our work will help other developers bring more blockstack apps to the terminal.

Github repo

Behind the scenes:

  • Why we think there’s a need for a solution like this one : Git for managing code, Keystone for managing secrets
  • It’s easy to add team members with the help of an email invitation process. Privacy is kept by sending only the necessary data: blockstack ids, project ids, emails.
  • The system handles multiple users working on the same files with a versioning system
  • Customize your prompt to show the current environment and files status**
  • Add autocompletion to Keystone commands in your bash**

If you had the chance to choose, what command line apps you would like to see coming on Blockstack?

** I’m limited to 2 links as a new member. You can find the tutorials in the Recipes section in the documentation.


Pretty cool !!!
About key sharing I notice that you don’t use radiks to share data with different users. How did you do that?


We have a sync system that replicate files among users of the same project. They pull from the administrators and contributors then make copies for everybody else in the project. So each member has its own copy encrypted with his signed public key.

To make it possible we have files describing the project and the members, so we know:

  • what are their privileges over the project
  • what are the environments they have access to
  • what files are currently tracked
  • their blockstack ids. It’s used to retrieve their signed public key and encrypt files for them.

All these files are versioned and when a user pull we check for conflicts just like git. Most of the time, it’s ok. If it’s not, we try to merge the file automatically or ask you to do it manually if we can’t.

Below a basic chart:


Oh this is amazing! Is it possible for me to share access credential of a remote VM with other members of my team this way?


Yes you can. Keystone is made to handle sensitive informations like database credentials or applications tokens. Handling an access credential of a remote VM looks like another good use case.

With a Git repo, it’s straightforward:

  1. Create a file with your credentials in a folder and add it to your .gitignore.
  2. Initialize a new Keystone project with ks init my-project-name. Then add your file with ks add [path-to-my-file] then push ks push.
  3. Commit the .ksconfig file and git push.
  4. Invite your team members ks invite [email protected] [email protected] ...
  5. Each team members needs to accept your invitation
  6. You will receive a confirmation email for each of them. You will need to set the privileges for them, just click the button in the email and follow the instructions on Keystone.sh
  7. Each member clone the repo git clone ...
  8. Once the repo is cloned, they just need to ks pull to get the credentials

A Git repo is not mandatory. If you don’t use one, your team will need to list their projects with ks project list and use the command ks init [projectName]

If you change your access credentials, just update your file and ks push. From now on, your teammates will only need to ks pull to get the latest version.

Let me know how it goes!

1 Like

That looks very nice!

Have you had a look at did-git? The concept looks similar (team structure and permissions in files in git)

1 Like

I didn’t, thanks for the link. I’ll look into it.


Hi guys,

I created an upcoming page on Product Hunt.

If you feel Keystone.sh deserves attention, sign up to the page to show the Product Hunt community your interest and spread the word! :rocket:


1 Like