Rook provides a secret service à la secret-tool, keyring, or pass/gopass, except backed by a KeePass kdbx file.

The problem Rook solves is mainly in script automation, where you have aerc, offlineimap, isync, vdirsyncer, msmtp, restic, or any other cron jobs that need passwords and which are often configured to fetch these passwords from a secret service with a CLI tool. Unlike existing solutions, Rook is headless, and does not have a bespoke secrets database full of passwords that must be manually synchronized with KeePass; instead, it uses a KeePass db directly.

Rook is in AUR and in Alpine community (an MR has been submitted for the new version); binaries are available from the project page.

There have been several releases since my last announcement for v0.2.0, 7 months ago. The major thing is that I’ve added built-in support for the Linux keyring, which makes it much easier to use; since it improves security, I’m hoping this will encourage users to use the feature.

Here are the rest of the changes, collapsed for brevity:

Added

  • built-in support for the kernel keyring on Linux.
  • Go 1.24 landed in Alpine, so off we go!

Changed

  • autotype and getAttr now detect if keyctl is available and in use, and automatically use it to get the pin (which should be superseded by --keyring)
  • the kernel keychain instructions are now independent of external environment variable management, such as herbstluftwm
  • Use Go 1.24’s go tool for manpage generation, via go:generate.

Fixed

  • --keyring may not be used with open; this is now prevented, and documented. It never worked, but it would be seen by the server as an open failure.
  • --detach and -P didn’t play nicely; now they do
  • URLs in the README (thanks, mlc-man!)
  • getPassword() was prompting on STDOUT, which is bad for piping the pin
  • --detach never worked
  • logging was going to stdout
  • some log messages were not being logged, but just printed out
  • PIN authorization had a lot of bugs
  • build assets now contain man pages & other documentation, and arch image CI is fixed