envelope's Issues

Investigate yaml.MapSlice support & alternatives for json/toml

yaml.MapSlice would allow us to preserve key ordering on maps. AFAICT there is no equivalent for json nor toml but one could be implemented with a custom Marshaller/Unmarshaller for each (whenever a map is encountered, produce a MapSlice).

This is likely to be a total breaking change for https://github.com/mikesimons/traverser as we will need to wrap the map type (which is the root type) and thus signatures will need to change ... I think?
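An ordered JSON decoder of the kind the issue sketches, as an added example and not code from envelope or traverser: it walks the token stream from encoding/json and returns objects as a MapSlice-shaped type, so key order is preserved where map[string]interface{} would lose it (the MapItem and MapSlice names are assumptions modelled on yaml.MapSlice).

```go
package main

import "encoding/json"

// MapItem and MapSlice mirror the shape of yaml.MapSlice: an ordered list of
// key/value pairs instead of an unordered Go map (type names are assumptions).
type MapItem struct {
	Key   string
	Value interface{}
}
type MapSlice []MapItem

// DecodeOrdered reads one JSON value from dec (built with json.NewDecoder).
// Objects come back as MapSlice, so the document's key order is preserved.
func DecodeOrdered(dec *json.Decoder) (interface{}, error) {
	tok, err := dec.Token()
	if err != nil {
		return nil, err
	}
	delim, ok := tok.(json.Delim)
	if !ok {
		return tok, nil // string, float64, bool or nil
	}
	if delim == '[' {
		arr := []interface{}{}
		for dec.More() {
			v, err := DecodeOrdered(dec)
			if err != nil {
				return nil, err
			}
			arr = append(arr, v)
		}
		_, err = dec.Token() // consume the closing ']'
		return arr, err
	}
	// Token validates structure, so the only other delimiter here is '{'.
	obj := MapSlice{}
	for dec.More() {
		key, err := dec.Token() // object keys are always strings
		if err != nil {
			return nil, err
		}
		v, err := DecodeOrdered(dec)
		if err != nil {
			return nil, err
		}
		obj = append(obj, MapItem{Key: key.(string), Value: v})
	}
	_, err = dec.Token() // consume the closing '}'
	return obj, err
}
```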

Document getting started & common tasks

  • Setting up KMS & IAM
  • Example EC2 instance policy
  • Example IAM policies (using multiple EncryptionContext)
  • Adding keys (using multiple EncryptionContext)
  • Encrypting secrets
  • Keyring

Implement key rotation / replacement

It would be nice to be able to rotate data keys or replace a data key.

I'd propose that:

  • replacement_key_id field added to key (in keyring)
  • replacement_key_id set to id of new key on old key
  • alias is removed from old key
  • alias is added to new key

To this point we have key replacement but not automatic rotation.

Automatic rotation would need to (upon encountering an encrypted field):

  • Get the encryption key by id and check replacement_key_id
  • If set:
    • Get the replacement key. Loop replacement_key_id check until we find a key that isn't replaced
    • Decrypt the value with the old key and encrypt with the new one
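The replacement chain above, as added example code rather than envelope's implementation: Replace performs the four manual steps and Current follows replacement_key_id until it reaches an unreplaced key, refusing to spin forever on a looped chain (the Key and Keyring names and every field except replacement_key_id are assumptions).

```go
package main

import (
	"errors"
	"fmt"
)

// Key is a keyring entry shaped after the proposal; replacement_key_id is from
// the issue, the other field names are assumptions.
type Key struct {
	ID               string
	Alias            string
	ReplacementKeyID string
}
type Keyring map[string]*Key
var ErrReplacementLoop = errors.New("replacement_key_id chain forms a loop")

// Replace performs the four manual steps from the issue: point the old key at
// the new one and move the alias across.
func (kr Keyring) Replace(oldID, newID string) error {
	old, nw := kr[oldID], kr[newID]
	if old == nil || nw == nil || oldID == newID {
		return fmt.Errorf("cannot replace %q with %q", oldID, newID)
	}
	old.ReplacementKeyID = newID
	nw.Alias, old.Alias = old.Alias, ""
	return nil
}

// Current follows replacement_key_id from id until it reaches a key that has
// not been replaced. The visited set turns a mis-edited keyring (A -> B -> A)
// into an error instead of an infinite loop during automatic rotation.
func (kr Keyring) Current(id string) (*Key, error) {
	seen := map[string]bool{}
	for {
		k, ok := kr[id]
		if !ok {
			return nil, fmt.Errorf("key %q not in keyring", id)
		}
		if k.ReplacementKeyID == "" {
			return k, nil
		}
		if seen[id] {
			return nil, ErrReplacementLoop
		}
		seen[id] = true
		id = k.ReplacementKeyID
	}
}
```

A value encrypted under key X needs re-encryption exactly when Current(X) returns a key with a different ID; the decrypt/encrypt step itself is left to the caller.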

panic if you provide empty string on stdin without --no-trim

Replicate: echo "" | envelope-dev encrypt --in-place --key=test.test file.yml
Expected result: file.yml contains encrypted empty string at test.test
Actual result:

panic: runtime error: index out of range [recovered]
	panic: runtime error: index out of range

goroutine 1 [running]:
io/ioutil.readAll.func1(0xc00011f238)
	/usr/local/Cellar/go/1.11.2/libexec/src/io/ioutil/ioutil.go:30 +0x105
panic(0x151cbe0, 0x19de170)
	/usr/local/Cellar/go/1.11.2/libexec/src/runtime/panic.go:513 +0x1b9
main.(*TrimReader).Read(0xc000057b40, 0xc000190c00, 0x200, 0x200, 0x200, 0x200, 0xc000190c00)
	/Users/Mike/go/src/github.com/mikesimons/envelope/cmd/envelope/shared.go:99 +0xfb
bytes.(*Buffer).ReadFrom(0xc0001a73b0, 0x1660f20, 0xc000057b40, 0xc000028e90, 0x7ffeefbffa34, 0x4)
	/usr/local/Cellar/go/1.11.2/libexec/src/bytes/buffer.go:206 +0xb4
io/ioutil.readAll(0x1660f20, 0xc000057b40, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
	/usr/local/Cellar/go/1.11.2/libexec/src/io/ioutil/ioutil.go:36 +0xb5
io/ioutil.ReadAll(0x1660f20, 0xc000057b40, 0x4, 0xc0001a6620, 0x1, 0x0, 0x0)
	/usr/local/Cellar/go/1.11.2/libexec/src/io/ioutil/ioutil.go:45 +0x3e
github.com/mikesimons/envelope.(*Envelope).EncryptWithOpts(0xc000180870, 0x7ffeefbffa34, 0x4, 0x1660f20, 0xc000057b40, 0x15bb5a0, 0x1, 0xc00000e120, 0x0, 0x0, ...)
	/Users/Mike/go/src/github.com/mikesimons/envelope/encrypt.go:35 +0x9b
github.com/mikesimons/envelope.(*Envelope).InjectEncrypted(0xc000180870, 0x7ffeefbffa34, 0x4, 0x1661260, 0xc00000e120, 0x7ffeefbffa3f, 0xf, 0x1660f20, 0xc000057b40, 0x159d928, ...)
	/Users/Mike/go/src/github.com/mikesimons/envelope/inject.go:30 +0x18a
main.encryptCommand.func1(0xc0000e46e0, 0x10100, 0xc0000e46e0)
	/Users/Mike/go/src/github.com/mikesimons/envelope/cmd/envelope/encrypt.go:119 +0x391
github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli%2ev1.HandleAction(0x14f84c0, 0x15bbb10, 0xc0000e46e0, 0xc000098b00, 0x0)
	/Users/Mike/go/src/github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli.v1/app.go:490 +0xc8
github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli%2ev1.Command.Run(0x159e792, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x15a6223, 0x18, 0x0, ...)
	/Users/Mike/go/src/github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli.v1/command.go:210 +0x990
github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli%2ev1.(*App).Run(0xc00013d380, 0xc00001e080, 0x8, 0x8, 0x0, 0x0)
	/Users/Mike/go/src/github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli.v1/app.go:255 +0x687
main.main()
	/Users/Mike/go/src/github.com/mikesimons/envelope/cmd/envelope/main.go:44 +0x425
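A trailing-whitespace reader that survives an empty stdin, as an added reconstruction of the idea behind the TrimReader in the trace and not envelope's own code: the n == 0 guard is the check a zero-byte first read needs, and the held-back buffer keeps inner whitespace while dropping only what turns out to be at the very end.

```go
package main

import (
	"bytes"
	"io"
)

// TrimReader drops whitespace at the very end of the stream and passes every
// other byte through. It is an added reconstruction of the idea behind the
// project's TrimReader, written for this note, not envelope's own code.
type TrimReader struct {
	r    io.Reader
	out  []byte // bytes ready to hand out
	held []byte // trailing whitespace that may still turn out to be final
	done bool
}

func NewTrimReader(r io.Reader) *TrimReader { return &TrimReader{r: r} }

func (t *TrimReader) Read(p []byte) (int, error) {
	for len(t.out) == 0 && !t.done {
		buf := make([]byte, 512)
		n, err := t.r.Read(buf)
		// An empty stdin yields n == 0 on the very first call; an access such
		// as buf[n-1] without this guard is the index-out-of-range class of panic.
		if n > 0 {
			chunk := append(append([]byte{}, t.held...), buf[:n]...)
			keep := bytes.TrimRight(chunk, " \t\r\n")
			t.out = append(t.out, keep...)
			t.held = chunk[len(keep):]
		}
		if err == io.EOF {
			t.done = true // whatever is still in t.held was trailing: drop it
		} else if err != nil {
			return 0, err
		}
	}
	n := copy(p, t.out)
	t.out = t.out[n:]
	if n == 0 && t.done {
		return 0, io.EOF
	}
	return n, nil
}

// ReadTrimmed reads all of r with trailing whitespace removed.
func ReadTrimmed(r io.Reader) (string, error) {
	b, err := io.ReadAll(NewTrimReader(r))
	return string(b), err
}
```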

Add ability to report on keys / secrets

  • Report showing which values are encrypted, with which key and at what time
  • Report showing arn + context used to generate keys in keyring and when they were generated

Make flags non-positional

urfave/cli implements positional flags such that envelope --keyring=1234 encrypt is valid but envelope encrypt --keyring=1234 is not.

This sucks from a UX perspective so we should either make it not do that or move to a different cli library.

Fix error handling options for decrypt

Right now we default to replacing values with the default-error-value strategy.
We have 3 error handling options for decrypt:

  • unset-errors
  • default-error-value
  • ignore-errors

Internally we also have the option to fail on decrypt but this is not exposed as an option. It's also possible to specify multiple of these options but only one will take effect.

We should replace the unset / ignore options with --error-strategy or such that takes one of replace, unset, ignore, exit. Where replace strategy is used we should use --error-value to specify the replacement (but default to ERROR as we do now).

Add metadata to key structure

Specifically we want to be able to store the ARN of the key used to generate a data key so that KMS key usage can be audited.
