
For developers juggling API keys across personal projects, freelance work, and experimental prototypes, enterprise secret managers like HashiCorp Vault often feel like overkill. Enter Crumb – a new open-source command-line tool that brings robust secret management to individual developers and small teams without cloud dependencies or complex infrastructure.

The Niche Crumb Fills

Crumb emerged from a clear pain point: developers need to securely manage secrets across multiple contexts but lack access to (or desire for) cloud-based secrets managers. As creator Craig Huber explains, it was born from the need to "switch secrets between different projects without leaving them unencrypted on disk." Unlike solutions requiring distributed systems or network endpoints, Crumb uses a radically simple architecture: a plain text secrets file that is encrypted with the age encryption library using your existing SSH keys.

Technical Architecture Breakdown

At its core, Crumb operates with elegant simplicity:

# Encryption flow
SSH Public Key → age Encryption → Encrypted Secrets File

# Decryption flow
SSH Private Key → age Decryption → Plaintext Secrets (in-memory only)

All secrets remain encrypted at rest, with decrypted data never touching disk. The tool leverages your existing SSH key pairs (Ed25519 or RSA) for cryptographic operations, eliminating separate credential management. Configuration lives in ~/.config/crumb/config.yaml, supporting multiple isolated profiles:

profiles:
  default:
    public_key_path: ~/.ssh/id_ed25519.pub
    private_key_path: ~/.ssh/id_ed25519
  work:
    public_key_path: ~/.ssh/work.pub
    private_key_path: ~/.ssh/work
    storage: ~/.config/crumb/work-secrets

Why Developers Are Adopting It

Three features make Crumb stand out:

  1. Context Switching Made Simple: --profile flags and environment variables (CRUMB_PROFILE) let you segregate work/personal/project secrets effortlessly:

    crumb --profile work set /company/api_key "SECRET123"
    crumb --profile personal set /github/token "ghp_abc"
    
  2. Shell Integration Magic: The --export flag transforms secrets into environment variables ready for sourcing:

    # Export to current shell
    eval "$(crumb get /prod/db_url --export)"
    echo "$PROD_DB_URL"  # Prints the decrypted value
    

    Paths auto-convert to ENV names (e.g., /prod/api-key → PROD_API_KEY)

  3. Project-Specific Configs: .crumb.yaml files enable environment variable mapping per project:

    path_sync:
      path: "/prod/my-app"
      remap:
        API_KEY: "MYAPP_API_SECRET"  # Rename during export
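
Because the --export output in item 2 is handed to eval, whatever generates it has to produce a valid variable name and a fully quoted value, or characters inside a secret would be interpreted by the shell. The following POSIX sh example is added here for illustration and is not Crumb's code; the function names and the exact validation rules are assumptions.

```sh
#!/bin/sh
# Added illustration, not Crumb's code. Function names and the exact
# validation rules are assumptions made for this example.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in patterns and tr

# /prod/api-key -> PROD_API_KEY. Fails unless the path starts with "/",
# uses only [A-Za-z0-9_/-], and yields a valid shell identifier.
path_to_env() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_/-]* | *//* | */) return 1 ;;
    esac
    name=$(printf '%s' "${1#/}" | tr '[:lower:]' '[:upper:]' | tr '/-' '__')
    case $name in
        [0-9]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Wrap a value in single quotes, rewriting each ' as '\'' so the shell
# treats the whole value as literal text when the line is eval'd.
shell_quote() {
    q="'" rest=$1 out=
    while :; do
        case $rest in
            *"$q"*)
                head=${rest%%"$q"*}
                out="$out$head'\\''"
                rest=${rest#*"$q"} ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$rest"
}

# Emit one line suitable for: eval "$(emit_export PATH VALUE)"
emit_export() {
    env_name=$(path_to_env "$1") || return 1
    printf 'export %s=%s\n' "$env_name" "$(shell_quote "$2")"
}

# Constructed sample value containing quote and substitution characters.
emit_export /prod/db_url "postgres://u:p'w@db/\$(echo injected)"
```

The printed line keeps the whole value inside single quotes, so eval assigns it verbatim instead of running the embedded substitution.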
    

Security Without Compromise

Despite its simplicity, Crumb enforces critical safeguards:
- Mandatory key path validation (/prefix/required)
- Double confirmation for overwrites and deletions
- Encryption via the battle-tested age library
- Strict input sanitization against special characters
- Private keys never stored in secret files

The Developer Experience

From setup to daily use, Crumb optimizes for frictionless workflows:

# 1. Initialize with existing SSH keys
crumb setup --profile work

# 2. Store secrets hierarchically
crumb set /prod/stripe/api_key "sk_live_abc"

# 3. Integrate with CI/CD or local scripts
source <(crumb --profile prod export)

The tool even includes atomic commands for storage management (crumb storage set/get/clear) and bulk operations via path-based synchronization. For teams outgrowing manual secret management but not ready for Kubernetes-level complexity, Crumb strikes a compelling balance between security and simplicity.

As cloud-agnostic development gains momentum, tools like Crumb represent a growing trend: focused utilities solving specific pain points without infrastructure tax. With its MIT license and active GitHub repository, it’s positioned to become the go-to tool for developers who believe secrets management shouldn’t require a PhD in distributed systems.

Source: Crumb GitHub Repository