# Install credstash with Homebrew, Nix

Little utility for managing credentials in the cloud. Version 1.17.1 via Homebrew; verified 2026-05-12.

## Install

```sh
sudo av install brew:credstash
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install credstash
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#credstash
```

  Evidence: nixpkgs package indexes: credstash from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

## Package facts

- **Package key:** brew:credstash
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/credstash>
- **Version:** 1.17.1
- **Source summary:** Little utility for managing credentials in the cloud
- **Homepage:** <https://github.com/fugue/credstash>
- **Repository:** <https://github.com/fugue/credstash>
- **Upstream docs:** <https://github.com/fugue/credstash#readme>
- **License:** Apache-2.0
- **Source archive:** <https://files.pythonhosted.org/packages/b4/89/f929fda5fec87046873be2420a4c0cb40a82ab5e30c6d9cb22ddec41450b/credstash-1.17.1.tar.gz>
- **Last updated:** 2026-05-12T19:39:56Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- credstash (cli)
- credstash.py (cli)
- credstash (alias)
- credstash.py (alias)

## Dependencies

- cryptography
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.17.1
- Package-manager updated: 2026-05-12
- Local data: ok
- Upstream repository: https://github.com/fugue/credstash
- info: No cached GitHub release or tag data was available.
## Project history and usage

CredStash is a small command-line and Python-library tool for storing secrets with AWS KMS and DynamoDB. It targets teams that want a simple credential store without operating a larger dedicated secrets-management service.

### Project history

The README frames CredStash as a response to common ad hoc secret-handling practices such as copying secrets files around a fleet or committing secrets to source control. Its design uses KMS for key wrapping and master-key storage, DynamoDB for encrypted credential records, and AWS IAM for access control.

### Adoption history

The project grew beyond a single Python command-line tool through compatible implementations in Java, Ruby, Scala, PHP, Node.js, Go, C#, Erlang, Rust, and Kubernetes-related tooling listed by the upstream README. Later changelog entries also added operational features such as tags, putall, keys, session handling, YAML and dotenv-style output, and multiple-region KMS/DynamoDB support.

### How it is used

The standard setup is to install credstash, create or choose a KMS key, ensure AWS credentials are available to boto or botocore, and run credstash setup to create the DynamoDB table. Users then put, get, list, delete, and bulk-fetch versioned secrets from shell scripts or deployment workflows.

### Why package nerds care

For package maintainers, CredStash is notable as an AWS-backed secrets CLI that keeps its runtime footprint small but relies on cloud-side primitives. Its Homebrew formula exposes a Python security tool to macOS operators who may otherwise install it from pip.

### Timeline

- 2015-12: README documents an auto-versioning behavior change and migration path for older unpadded integer versions
- 1.14.0: Added wildcard get, keys, putall, and pagination fixes
- 1.15.0: Improved packaging and added credential comments
- 1.16.0: Added autoversion API support, DynamoDB table tagging, environment-variable table selection, and custom DynamoDB/KMS sessions
- 1.17.0: Added independent KMS-region selection for DynamoDB Global Tables-style deployments

### Related projects

- The README lists compatible CredStash implementations for Java, Ruby, Scala, PHP, Node.js, Go, C#, Erlang, Rust, and Kubernetes.

### Sources

- <https://github.com/fugue/credstash#readme>
- <https://github.com/fugue/credstash/blob/master/changelog.md>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ~/.aws/config

## Credential files

- Unix: ~/.aws/credentials
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** credstash
- **Version Scheme:** 0
- **Revision:** 15
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - credstash: normalized package name match | nixpkgs package indexes: credstash from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [chamber](https://www.automicvault.com/pkg/brew/chamber/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [envchain](https://www.automicvault.com/pkg/brew/envchain/) - Shares av.db curated category or tags: cli, credentials, secrets-management, security.
- [infisical](https://www.automicvault.com/pkg/brew/infisical/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [openbao](https://www.automicvault.com/pkg/brew/openbao/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [secretspec](https://www.automicvault.com/pkg/brew/secretspec/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [shush](https://www.automicvault.com/pkg/brew/shush/) - Shares av.db curated category or tags: aws-kms, cli, secrets-management, security.
- [sops](https://www.automicvault.com/pkg/brew/sops/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [varlock](https://www.automicvault.com/pkg/brew/varlock/) - Shares av.db curated category or tags: cli, secrets-management, security.
- [keyring](https://www.automicvault.com/pkg/brew/keyring/) - Both packages touch the same language runtime or ecosystem. Shared terms: cli, credentials, management, python, python-3-14.

## Combined YAML source

View the package source record on GitHub. [combined/credstash.yml](https://github.com/automic-vault/db/blob/main/combined/credstash.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
