bketelsen / crypt Goto Github PK

View Code? Open in Web Editor NEW

This project forked from xordataexchange/crypt

46.0 3.0 27.0 7.46 MB

Store and retrieve encrypted configs from etcd or consul

Home Page: http://bketelsen.github.io/crypt/

License: MIT License

Go 97.51% Makefile 2.49%

crypt's Introduction

crypt

This is a maintained fork of the abandoned original

You can use crypt as a command line tool or as a configuration library:

Demo

Watch Kelsey explain crypt in this quick 5 minute video:

Generating gpg keys and keyrings

The crypt cli and config package require gpg keyrings.

Create a key and keyring from a batch file

vim app.batch

%echo Generating a configuration OpenPGP key
Key-Type: default
Subkey-Type: default
Name-Real: app
Name-Comment: app configuration key
Name-Email: [email protected]
Expire-Date: 0
%pubring .pubring.gpg
%secring .secring.gpg
%commit
%echo done

Run the following command:

gpg2 --batch --armor --gen-key app.batch

You should now have two keyrings, .pubring.gpg which contains the public keys, and .secring.gpg which contains the private keys.

Note the private key is not protected by a passphrase.

crypt's People

Contributors

Stargazers

Watchers

crypt's Issues

Alternative implementation with filippo.io/age instead of PGP

Hello,

First of all, thank you for maintaining that fork. The tool, while maybe niche, is very useful.

Last days, while trying to use crypt for one of my projects, I had an idea to replace PGP as it's encryption/decryption engine with modern, purpose-built encryption library age.
The reasons behind that were: 1. troublesome keys management with gpg, 2. deprecation of golang.org/x/crypto/opengpg, 3. apparently general problems with PGP

Working experimental version is available in my fork: https://github.com/warkadiusz/crypt

For compatibility reasons, I did not remove the PGP implementation out of it. Instead, a new flag -encryption-engine is available, accepting either pgp or age as a value, with default being pgp. The implementation at the moment is little dirty, not tested etc., but it's working.

Is this something you would see as a part of crypt? If you'd be interested, I could prepare a proper implementation and open a PR. If your fork is just for security updates/maintenance and not further developments, it's also fine – in this case I'll keep my fork separate.

Thank you and best regards,

vendor "golang.org/x/net/trace" is out of date

Hi,

one of the dependency using "github.com/bketelsen/crypt" which is breaking the build.
Going by the error below vendor package need to be updated.

Thanks
Yoga

Error _log:
panic: /debug/requests is already registered. You may have two independent copies of golang.org/x/net/trace in your binary, trying to maintain separate state. This may involve a vendored copy of golang.org/x/net/trace.

Some packages from coreos changes its locations

Hi, my projects uses crypt/config. go mod tidy shows me:

go: site.io/project/repo/viper/remote imports
        github.com/bketelsen/crypt/config imports
        github.com/bketelsen/crypt/backend/etcd imports
        github.com/coreos/etcd/client tested by
        github.com/coreos/etcd/client.test imports
        github.com/coreos/etcd/integration imports
        github.com/coreos/etcd/etcdserver imports
        github.com/coreos/etcd/mvcc/backend imports
        github.com/coreos/bbolt: github.com/coreos/[email protected]: parsing go.mod:
        module declares its path as: go.etcd.io/bbolt
                but was required as: github.com/coreos/bbolt

At least some repos has changed its locations:

github.com/coreos/bbolt → github.com/etcd-io/bbolt
github.com/coreos/etcd → github.com/etcd-io/etcd

Maybe imports changing from github.com/coreos/bbolt to go.etcd.io/bbolt is needed.

github.com/hashicorp/consul/api v1.1.0 is vulnerable

Please upgrade to 1.9.3, see

https://nvd.nist.gov/vuln/detail/CVE-2020-7219 and
https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations

Security scanners report the latest release of https://github.com/bketelsen/crypt as vulnerable

github.com/yuin/goldmark v1.1.x is considered vulnerable

Hi,
After researching a bit, I found that google.golang.org/[email protected] is cascading to using at least 3 different versions of github.com/yuin/goldmark v1.1.x which leads to this Nexus IQ vulnerability (yuin/goldmark#145)

yuin states that version 1.2.x of goldmark is fixing the issue. And Google has released version 0.50.0 (https://pkg.go.dev/google.golang.org/api)
which we hope uses the latest release of goldmark.

Hope this helps,

Thanks for the amazing work, we all benefit from it!

Add token to Consul API

Hi, I am using Viper in order to use Consul for KV storage. Viper uses crypt in order to connect remote providers. However, I am using ACL in Consul and need to attach token to consul API. Is it possible somehow attach the token to consul API client? Crypt using old version of consul , hence I cannot send token from environment variable.

etcd v3 support

our team is using etcd3 now, can add etcd v3 support?

upgrade go dependencies to fix indirectly imported CVE

While reviewing dependencies on one of our project, i found the following

Extract from go mod graph:

github.com/hashicorp/[email protected] github.com/miekg/[email protected]
github.com/hashicorp/[email protected] github.com/hashicorp/[email protected]
github.com/hashicorp/consul/[email protected] github.com/hashicorp/[email protected]
github.com/bketelsen/[email protected] github.com/hashicorp/consul/[email protected]

github.com/miekg/[email protected] suffers a CVE which is fixed in later versions which are now imported in latest version of github.com/hashicorp/consul/api (v1.14.0)

Upgrading to latest official version of dependencies would fix the issues. I will report to other projects using this module as dependency so they can track the upgrade once it is available here.

[CVE-2020-15114, CVE-2020-15136, CVE-2020-15115] Vulnerabilities in the etcd package < v.3.3.23 or < 3.4.10

Please update the etcd to package to v3.3.23, there is a vulnerability:

go list -json -m all | nancy

Vulnerable Packages

[1/1]	pkg:golang/github.com/coreos/[email protected]
3 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15114] In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox...                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP                                                             ┃
┃                    ┃ proxy to allow for basic service discovery and access. However, it is                                                                   ┃
┃                    ┃ possible to include the gateway address as an endpoint. This results in a                                                               ┃
┃                    ┃ denial of service, since the endpoint can become stuck in a loop of                                                                     ┃
┃                    ┃ requesting itself until there are no more available file descriptors to                                                                 ┃
┃                    ┃ accept connections on the gateway.                                                                                                      ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ bba60acb-c7b5-4621-af69-f4085a8301d0                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.7/10 (High)                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/bba60acb-c7b5-4621-af69-f4085a8301d0?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15136] In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only ap...                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is                                                                ┃
┃                    ┃ only applied to endpoints detected in DNS SRV records. When starting a                                                                  ┃
┃                    ┃ gateway, TLS authentication will only be attempted on endpoints identified                                                              ┃
┃                    ┃ in DNS SRV records for a given domain, which occurs in the                                                                              ┃
┃                    ┃ discoverEndpoints function. No authentication is performed against                                                                      ┃
┃                    ┃ endpoints provided in the --endpoints flag. This has been fixed in versions                                                             ┃
┃                    ┃ 3.4.10 and 3.3.23 with improved documentation and deprecation of the                                                                    ┃
┃                    ┃ functionality.                                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ d373dc3f-aa88-483b-b501-20fe5382cc80                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.5/10 (Medium)                                                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/d373dc3f-aa88-483b-b501-20fe5382cc80?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2020-15115] etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ etcd before versions 3.3.23 and 3.4.10 does not perform any password length                                                             ┃
┃                    ┃ validation, which allows for very short passwords, such as those with a                                                                 ┃
┃                    ┃ length of one. This may allow an attacker to guess or brute-force users'                                                                ┃
┃                    ┃ passwords with little computational effort.                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 5def94e5-b89c-4a94-b9c6-ae0e120784c2                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.8/10 (Medium)                                                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/5def94e5-b89c-4a94-b9c6-ae0e120784c2?component-type=golang&component-name=github.com%2Fcoreos%2Fetcd ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 94 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 1  ┃

outdated etcd version

github.com/bketelsen/crypt/config imports
        github.com/bketelsen/crypt/backend/etcd imports
        github.com/coreos/etcd/client tested by
        github.com/coreos/etcd/client.test imports
        github.com/coreos/etcd/integration imports
        github.com/coreos/etcd/proxy/grpcproxy imports
        google.golang.org/grpc/naming: module google.golang.org/grpc@latest found (v1.39.0), but does not contain package google.golang.org/grpc/naming

etcd v3.5.0 release resolved the issue.

Cannot install

Seems there is a (more than transient?) problem with github.com/xordataexchange/crypt/encoding/secconf's dependencies:

❯ go mod tidy                               
go: finding module for package code.google.com/p/go.crypto/openpgp
        github.com/bketelsen/crypt/config imports
        github.com/xordataexchange/crypt/encoding/secconf imports
        code.google.com/p/go.crypto/openpgp: cannot find module providing package code.google.com/p/go.crypto/openpgp: unrecognized import path "code.google.com/p/go.crypto/openpgp": parse https://code.google.com/p/go.crypto/openpgp?go-get=1: no go-import meta tags (meta tag github.com/golang/go did not match import path code.google.com/p/go.crypto/openpgp)

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.