Feedback/Secrets Encryption

Comments (49)


Gregory SchierOP
SoftExpert

It would be good to be able to make a distinction between “local” secrets and “shared” secrets (these would be synchronized with the git sharing mechanism).

Also, it would make sense to implement a generic mechanism that allows specific extensions to use external services like KeepassXC, Hashicorp Vaults, etc.

Hamish Robertson

By shared secrets do you mean using something like SOPS so you can push encrypted secrets to git and have them automatically decrypted locally?

SoftExpert

That’s one very interesting option, indeed!

But it should not be the only one.

Perhaps it would be best to create and expose a framework to allow for plugins to take care of the secrets; in some situations you want them shared (in which case your suggestion fits perfectly) and in other situations you just want to reference the values but not share them (in this case I want my secrets to be kept in a KeePassXC database or in a Hashicorp Vault or in Bitwarden and access them while testing my APIs).

Lindon Morris

Subscribing. Very much need this.

Gregory SchierOP

That’s great! Can you elaborate on why you need it? What is your use case?

Lindon Morris

Not sure how I could elaborate further - I tested this and found a file in my profile with the secret in plain text - Our organisation will not allow me to use the tool in this situation.

Gregory SchierOP

This is exactly the detail I was looking for, thanks!

Hamish Robertson

I’m looking for a good API-poking tool to replace Insomnia (pre v8.0.0) but secrets in plaintext is a show-stopper. (I’m aware that Insomnia also stores variables unencrypted.)
Supporting the Freedesktop Secret Service standard would enable users to use whatever secret backend they want.

Radoslav

You can use libSQL

Hamish Robertson

@Greg Schier I acknowledge that this is “planned”. I just wanted to highlight that this is blocking Yaak from being approved for use within my organisation of several hundred developers... think of the commercial licenses 💰 😁 😁

Gregory SchierOP

That’s what I want to hear! What exactly are your requirements for this? Some open questions are:

- Do you need variable, environment, workspace, or global encryption?
- Do you need to share with a team (eg. using Git)? If so, where does the key live?

Hamish Robertson

I think the minimum viable solution is global encryption with the key stored in the platform native store using something like https://github.com/hwchen/keyring-rs, and have this functionality enabled by default. This is so that if a user installs Yaak and just starts creating requests with secrets in them without looking at any sort of configuration etc, everything will be encrypted by default.

Beyond that, I think variable level secrets could be catered for by template function plugins. eg one that gets values from the platform keyring, one that gets values from Vault, etc.

Regarding sharing whole environments and workspaces with a team… If template function plugins were used for secrets the YAML files would be safely sharable.

Currently the ‘data directory’ feature excludes environments but I’d suggest making that an option that users can decide for themselves, eg if their environments get values using template function plugins or if they want to use an external encryption solution like SOPS.

If users don’t want to manage secrets on a per-variable level but would rather encrypt entire workspaces/environments I would direct them towards SOPS (https://github.com/getsops/sops) which integrates with various key sources. SOPS can already be used to encrypt Yaak’s data directory YAML but Yaak could streamline the workflow by handling encryption/decryption in memory so the files in the data directory remain encrypted à la https://github.com/signageos/vscode-sops

Thanks!

Gregory SchierOP

I already have a PoC for the variable secret template function in a dev branch 🎁

https://bsky.app/profile/yaak.app/post/3lklh4mlp3s2r

I'm on the fence about global encryption (especially by default) but I'll see if people still want it after shipping the template function implementation. What tool does your team currently use? AFAIK no other tools offer this.

As for leaking things by accident, I'll be adding a UI suggestion to nudge the user into encrypting things that might be secret. Also, responses and cookie jars will be encrypted, once enabled.

Hamish Robertson

Ah I’ll look out for that plugin. I’d rather retrieve the secrets themselves from the keychain. I use these secrets in several tools and want to maintain them in a single place. I started on a PoC last night and will share when it's functional.

In case it’s of interest I use KeePassXC as my freedesktop.org Secret Service backend.

The reason I said encrypt everything by default is that secrets could be in any user-supplied data and the argument of “users can encrypt secrets by doing x, y, z.” has not won over the security board in the past. I think how this "UI suggestion" works will be key.

We currently have no approved API client.

Gregory SchierOP

That makes sense. Thanks so much for all the detail!

I also plan on integrating with external secrets managers. In fact, it should already be possible to create a template function plugin to read a secret from something like 1Password. There’s an Insomnia plugin that showcases this idea:

https://insomnia.rest/plugins/insomnia-plugin-op

I’m currently working on a public plugin directory, so I plan to start working on some of these integrations after that.

Simon basi

Hello Greg,

In my environment (as in most mature orgs), secrets are already stored in a secrets manager (vault, bitwarden, keeper, aws secrets manager, etc.); your identity and access control let you access one secret or another.

Ideally, Yaak should retrieve secrets from there dynamically; this has several advantages:

  • Secrets only touch the dev system when needed: it reduces the attack surface for a malicious actor

  • Secret sharing is externalised (already set up in the company)

  • Secrets rotation does not impact development workflow

You’ll need for that to create a modular solution (one plugin per secrets manager)

Gregory SchierOP

Yes, I plan to do this but I don’t think there’s an item on here yet. Can you create one with a description of how you would want it to work?

Gregory SchierOP

Encryption is now in the final stages of development! Here’s a teaser of what it looks like right now:

  • Password-like fields have a new dropdown to encrypt

  • A new secure(..) template function can be used anywhere

  • First encryption will prompt to generate a workspace key

  • Keys are stored encrypted using master key in OS keychain

  • Imported or cloned workspaces will prompt for key

  • (To-Do) Auto-encrypt responses, auth tokens, etc.

  • (To-Do) Warn when syncing or exporting non-encrypted secrets

Let me know if you have any feedback or suggestions. I plan to release the first beta sometime next week.

Gregory SchierOP

https://yaak.app/blog/2025.2.0-beta.3

The first version of encryption is now ready to test in 2025.2 Beta 3 📣

Start encrypting values by selecting the secure(…) template function from within the autocomplete. This will prompt you to generate an encryption key to get started.

Let me know if you have any feedback so far.

SoftExpert

Clicking on “Enable Encryption“ in the Workspace Settings has no effect.

Creating a new Workspace with “Enable Encryption“ checked results in “Workspace Encryption” popup to appear, but clicking on the “Enable Encryption“ button also has no effect.

I’m using the binary from the DEB package on Linux.

Gregory SchierOP

Thanks for the report! I did test it on the latest Ubuntu but only the dev version. I’ll see if I can reproduce on the release. Was there anything of note in the logs?

SoftExpert

Probably the issue is related to DBus (I’m using KDE with X11):

[Error] Unhandled Promise Rejection: Encryption error: Platform secure storage failure: DBus error: Using X11 for dbus-daemon autolaunch was disabled at compile time, set your DBUS_SESSION_BUS_ADDRESS instead (anonymous function) (reveal-vDJLGa9R.js:3820)

Gregory SchierOP

Can you try Beta 4 to see if that helps? I was vendoring libdbus because I thought it would widen support, but it seems like this is mostly meant for headless environments. Beta 4 now relies on the host OS’s libdbus existing.

For context, Yaak is using the keyring crate which talks to secret-service through libdbus. I don’t really know much about this, but I think the vendored version of libdbus doesn’t have autolaunch enabled so it won’t start dbus if it’s not already running.

SoftExpert

With Beta 4 it works - I was able to:

  • create a new Workspace and enable the encryption

  • pick an existing Workspace and activate the encryption

  • create a new Workspace without encryption and encrypt a Global Variable - which triggered the popup to enable the Workspace Encryption.

Many thanks for fixing it!

As for DBus, my understanding is that it needs to be started at least at the user session level - when logging in; the desktop environment is responsible to ensure that the DBus daemon / service is running, and this explains why the autolaunch is not a feature in libdbus.

Hamish Robertson

Thanks Greg.

Upon opening the Manage Environments UI I get as many secret service unlock requests as there are encrypted variables.

They are all for the same secret (encryption-key@app.yaak.desktop.EncryptionKey:default (keyring v4.0.0-rc.1)).

Gregory SchierOP

Thanks for the report! The fix will be in the next beta release

https://github.com/mountain-loop/yaak/commit/8fb7bbfe2ea03045038ed9d592c194a97c3d808e
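
One way to avoid the per-variable unlock prompts reported above is to fetch the key from the secret store once and hold it for the session. This is an added example, not the change in the linked commit or Yaak's own code: `SecretBackend`, `CountingBackend`, `KeyCache` and `resolve_vars` are hypothetical names, and the backend is a constructed fake that counts each fetch as one unlock prompt.

```rust
use std::cell::{Cell, RefCell};

// Item label as quoted in the report above.
const ITEM: &str = "encryption-key@app.yaak.desktop.EncryptionKey:default";

/// Stand-in for the OS keychain / Secret Service (hypothetical trait,
/// not the keyring crate's API).
trait SecretBackend {
    fn fetch(&self, item: &str) -> Result<Vec<u8>, String>;
}

/// Constructed fake backend: every fetch counts as one unlock prompt.
struct CountingBackend { prompts: Cell<u32>, deny: bool }

impl SecretBackend for CountingBackend {
    fn fetch(&self, _item: &str) -> Result<Vec<u8>, String> {
        self.prompts.set(self.prompts.get() + 1);
        if self.deny { return Err("unlock denied".to_string()); }
        Ok(vec![0x42; 32]) // constructed sample key, not a real one
    }
}

/// Fetches the key on first use and keeps it in memory for the session.
struct KeyCache<'a, B: SecretBackend> { backend: &'a B, cached: RefCell<Option<Vec<u8>>> }

impl<'a, B: SecretBackend> KeyCache<'a, B> {
    fn new(backend: &'a B) -> Self { KeyCache { backend, cached: RefCell::new(None) } }

    fn key(&self) -> Result<Vec<u8>, String> {
        let hit = self.cached.borrow().clone();
        if let Some(k) = hit { return Ok(k); }
        // Only successes are cached, so a denied unlock can be retried.
        let k = self.backend.fetch(ITEM)?;
        *self.cached.borrow_mut() = Some(k.clone());
        Ok(k)
    }
}

/// Resolve `n` encrypted variables; returns (prompts shown, lookups that succeeded).
fn resolve_vars(n: u32, use_cache: bool, deny: bool) -> (u32, u32) {
    let backend = CountingBackend { prompts: Cell::new(0), deny };
    let cache = KeyCache::new(&backend);
    let mut ok = 0;
    for _ in 0..n {
        let res = if use_cache { cache.key() } else { backend.fetch(ITEM) };
        if res.is_ok() { ok += 1; }
    }
    (backend.prompts.get(), ok)
}

fn main() {
    println!("uncached {:?}, cached {:?}", resolve_vars(5, false, false), resolve_vars(5, true, false));
}
```

The trade-off is that the key stays resident in process memory for the session, so the cache should be dropped when the workspace is closed or locked.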

André Johansson

I am on beta 6, I have enabled encryption on a workspace and it is synced with git.

When I tried to open it on another computer I did the following:

  1. Git clone the repo to a local folder

  2. In Yaak I choose “Open Existing Workspace”

  3. I switch to the workspace

  4. I see “Enter encryption key” top right

  5. Clicking it gives me an empty dialog as in the screenshot

  • I am on Windows 11.

  • In the console I see SQL error: FOREIGN KEY constraint failed

Gregory SchierOP

Thanks for the report! I will try to reproduce and get this fixed.

Tangentially, since there’s a DB error, does it look like all the requests/folders/etc were imported correctly?

André Johansson

The workspace + requests and folders are there after opening the repo. But it does not persist if I restart the app, then the workspace is gone again.

Is there any log or something I can send?

André Johansson

The last lines of the logs look like this, for some reason it's running the import twice?

[2025-04-23][19:33:18][INFO][tauri_app_lib::window] Create new window label=main_0

[2025-04-23][19:33:19][INFO][tauri_app_lib::updates] Checking for updates mode=beta

[2025-04-23][19:33:19][INFO][yaak_license::license] Checking license activation

[2025-04-23][19:33:23][INFO][tauri_app_lib::window] Create new window label=other__settings

[2025-04-23][19:33:24][INFO][yaak_license::license] Checking license activation

[2025-04-23][19:34:35][WARN][tao::platform_impl::platform::event_loop::runner] NewEvents emitted without explicit RedrawEventsCleared

[2025-04-23][19:34:35][WARN][tao::platform_impl::platform::event_loop::runner] RedrawEventsCleared emitted without explicit MainEventsCleared

[2025-04-23][19:35:29][WARN][tao::platform_impl::platform::event_loop::runner] NewEvents emitted without explicit RedrawEventsCleared

[2025-04-23][19:35:29][WARN][tao::platform_impl::platform::event_loop::runner] RedrawEventsCleared emitted without explicit MainEventsCleared

[2025-04-23][19:35:29][INFO][yaak_models::queries::batch] Batch inserting 1 workspaces

[2025-04-23][19:35:29][INFO][yaak_models::queries::batch] Imported 103 folders

[2025-04-23][19:35:32][INFO][yaak_models::queries::batch] Batch inserting 1 workspaces

[2025-04-23][19:35:32][INFO][yaak_models::queries::batch]

André Johansson

Another clue: my other computer had pending changes, I had not committed and pushed everything, will do that and check tonight.

Gregory SchierOP

I’m guessing that one of the parent requests/folders/etc wasn’t checked into Git? Regardless, I’m going to make it so that’s not necessary.

André Johansson

Just tried after pushing everything, still get the same error.

Gregory SchierOP

Can you let me know if Beta 7 fixes this? https://yaak.app/blog/2025.2.0-beta.7

André Johansson

Unfortunately it did not help. I still get foreign key error + now I do not see any requests or folders, and still no UI to enter encryption key

Gregory SchierOP

In that screenshot, was the console open when you did the “Open Existing Workspace” action? Can you also try looking at the Network tab in devtools (filter by “yaak-sync”) to see if there are any errors?

André Johansson

If the console is open I have no foreign constraint error

  • when I start the app

  • when I open the gitrepo

It comes when I switch to the workspace that I just opened

Gregory SchierOP

Quick update: Beta 8 adds the ability to include environments in Directory Sync, taking advantage of encryption to securely share data via Git, DropBox, or manual data exports!

https://yaak.app/blog/2025.2.0-beta.8

André Johansson

Unfortunately the foreign key problem still exists.

  1. Make sure that everything is committed on machine A

  2. On machine B, remove all workspaces, and all data (even local app data) to get a completely clean Yaak

  3. Clone the repo to a folder

  4. Open folder in yaak using existing folder

  5. Switch to newly opened workspace

    1. Foreign key error in log

    2. No UI for entering encryption key

André Johansson

@Greg Schier are there any parameters/settings to toggle that list all queries made? Then I could investigate which one is causing the issue.

André Johansson

I cloned the repo and in commit 035fe54df0c01eb7ec2a04a14dc5e7cc18c45e13 the problem does not occur anymore. I am able to open my repo from git without foreign key violations.

Gregory SchierOP

Oh interesting. So it’s working for you again in the latest beta release?

André Johansson

It seems so, thank you!

Gregory SchierOP

Thanks for the reproduction! I’ll take another look at fixing this.

Gregory SchierOP