mikesimons / envelope
A secrets encryption tool using KMS
License: MIT License
urfave/cli implements positional flags such that envelope --keyring=1234 encrypt is valid but envelope encrypt --keyring=1234 is not.
This sucks from a UX perspective so we should either make it not do that or move to a different cli library.
To be used for reporting on when secrets (probably) need rotating.
yaml.MapSlice would allow us to preserve key ordering on maps. AFAICT there is no equivalent for json nor toml but one could be implemented with a custom Marshaller/Unmarshaller for each (whenever a map is encountered, produce a MapSlice).
This is likely to be a total breaking change for https://github.com/mikesimons/traverser as we will need to wrap the map type (which is the root type) and thus signatures will need to change ... I think?
Replicate: echo "" | envelope-dev encrypt --in-place --key=test.test file.yml
Expected result: file.yml contains encrypted empty string at test.test
Actual result:
panic: runtime error: index out of range [recovered]
panic: runtime error: index out of range
goroutine 1 [running]:
io/ioutil.readAll.func1(0xc00011f238)
/usr/local/Cellar/go/1.11.2/libexec/src/io/ioutil/ioutil.go:30 +0x105
panic(0x151cbe0, 0x19de170)
/usr/local/Cellar/go/1.11.2/libexec/src/runtime/panic.go:513 +0x1b9
main.(*TrimReader).Read(0xc000057b40, 0xc000190c00, 0x200, 0x200, 0x200, 0x200, 0xc000190c00)
/Users/Mike/go/src/github.com/mikesimons/envelope/cmd/envelope/shared.go:99 +0xfb
bytes.(*Buffer).ReadFrom(0xc0001a73b0, 0x1660f20, 0xc000057b40, 0xc000028e90, 0x7ffeefbffa34, 0x4)
/usr/local/Cellar/go/1.11.2/libexec/src/bytes/buffer.go:206 +0xb4
io/ioutil.readAll(0x1660f20, 0xc000057b40, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
/usr/local/Cellar/go/1.11.2/libexec/src/io/ioutil/ioutil.go:36 +0xb5
io/ioutil.ReadAll(0x1660f20, 0xc000057b40, 0x4, 0xc0001a6620, 0x1, 0x0, 0x0)
/usr/local/Cellar/go/1.11.2/libexec/src/io/ioutil/ioutil.go:45 +0x3e
github.com/mikesimons/envelope.(*Envelope).EncryptWithOpts(0xc000180870, 0x7ffeefbffa34, 0x4, 0x1660f20, 0xc000057b40, 0x15bb5a0, 0x1, 0xc00000e120, 0x0, 0x0, ...)
/Users/Mike/go/src/github.com/mikesimons/envelope/encrypt.go:35 +0x9b
github.com/mikesimons/envelope.(*Envelope).InjectEncrypted(0xc000180870, 0x7ffeefbffa34, 0x4, 0x1661260, 0xc00000e120, 0x7ffeefbffa3f, 0xf, 0x1660f20, 0xc000057b40, 0x159d928, ...)
/Users/Mike/go/src/github.com/mikesimons/envelope/inject.go:30 +0x18a
main.encryptCommand.func1(0xc0000e46e0, 0x10100, 0xc0000e46e0)
/Users/Mike/go/src/github.com/mikesimons/envelope/cmd/envelope/encrypt.go:119 +0x391
github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli%2ev1.HandleAction(0x14f84c0, 0x15bbb10, 0xc0000e46e0, 0xc000098b00, 0x0)
/Users/Mike/go/src/github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli.v1/app.go:490 +0xc8
github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli%2ev1.Command.Run(0x159e792, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x15a6223, 0x18, 0x0, ...)
/Users/Mike/go/src/github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli.v1/command.go:210 +0x990
github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli%2ev1.(*App).Run(0xc00013d380, 0xc00001e080, 0x8, 0x8, 0x0, 0x0)
/Users/Mike/go/src/github.com/mikesimons/envelope/vendor/gopkg.in/urfave/cli.v1/app.go:255 +0x687
main.main()
/Users/Mike/go/src/github.com/mikesimons/envelope/cmd/envelope/main.go:44 +0x425
Specifically we want to be able to store the ARN of the key used to generate a data key so that KMS key usage can be audited.
Travis config should run all tests and publish binaries on tags.
As we're dealing with binary payloads, stripping anything is inappropriate. Workaround is to manually specify --no-trim if encrypting a blob.
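The panic above and the --no-trim issue both come from trimming trailing whitespace off stdin. The reader below is an added example, not envelope's own TrimReader (whose code is not on this page): it holds whitespace back until it knows more input follows, so a zero-byte or whitespace-only input (the echo "" case) yields an empty payload instead of an out-of-range index; for binary blobs (--no-trim) the caller simply does not wrap the source reader.

```go
package main

import "io"

// TrimReader strips trailing whitespace (such as the newline echo appends) from a stream.
// Assumed reimplementation, not envelope's own: whitespace is held back until
// non-whitespace follows, so zero-byte or whitespace-only input is handled safely.
type TrimReader struct {
	src  io.Reader
	out  []byte // bytes ready for the caller
	held []byte // whitespace that may still turn out to be trailing
	err  error  // sticky error from src (io.EOF once input is exhausted)
}

func isSpace(c byte) bool { return c == ' ' || c == '\n' || c == '\r' || c == '\t' }

func (t *TrimReader) fill() {
	var buf [512]byte
	n, err := t.src.Read(buf[:])
	chunk := buf[:n] // n may be 0; the loop below then never indexes chunk
	i := n - 1
	for i >= 0 && isSpace(chunk[i]) {
		i--
	}
	if i < 0 {
		t.held = append(t.held, chunk...) // all whitespace: keep holding
	} else {
		t.out = append(append(t.out, t.held...), chunk[:i+1]...)
		t.held = append(t.held[:0], chunk[i+1:]...)
	}
	if err != nil {
		t.err = err
		t.held = nil // whatever is still held at EOF is trailing: drop it
	}
}

// Read hands out trimmed bytes; it only reports the source error once nothing is buffered.
func (t *TrimReader) Read(p []byte) (int, error) {
	for len(t.out) == 0 && t.err == nil {
		t.fill()
	}
	n := copy(p, t.out)
	t.out = t.out[n:]
	if n == 0 && t.err != nil {
		return 0, t.err
	}
	return n, nil
}
```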
As title; 1 file for all release binaries is fine
Right now we default to replacing values with the default-error-value strategy.
We have 3 error handling options for decrypt:
Internally we also have the option to fail on decrypt but this is not exposed as an option. It's also possible to specify multiple of these options but only one will take effect.
We should replace the unset / ignore options with --error-strategy or such that takes one of replace, unset, ignore, exit. Where replace strategy is used we should use --error-value to specify the replacement (but default to ERROR as we do now).
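One way the proposed --error-strategy / --error-value pair could be applied while decrypting a document tree, written here as an added example rather than envelope's own code; the Strategy names follow the issue text, and DecryptFunc is an assumed stand-in for the real decryptor.

```go
package main

import "fmt"

// Strategy holds a proposed --error-strategy value; names follow the issue text.
type Strategy string

const (
	Replace Strategy = "replace" // substitute --error-value (default ERROR)
	Unset   Strategy = "unset"   // drop the field entirely
	Ignore  Strategy = "ignore"  // leave the ciphertext in place
	Exit    Strategy = "exit"    // stop and report the first failure
)

// DecryptFunc stands in for envelope's real decryptor (assumed signature).
type DecryptFunc func(ciphertext string) (string, error)

// DecryptMap decrypts every string leaf of doc in place, recursing into nested
// maps. Exactly one strategy applies when decryption of a leaf fails.
func DecryptMap(doc map[string]interface{}, dec DecryptFunc, s Strategy, errValue string) error {
	if errValue == "" {
		errValue = "ERROR"
	}
	for k, v := range doc {
		switch val := v.(type) {
		case map[string]interface{}:
			if err := DecryptMap(val, dec, s, errValue); err != nil {
				return err
			}
		case string:
			plain, err := dec(val)
			if err == nil {
				doc[k] = plain
				continue
			}
			switch s {
			case Replace:
				doc[k] = errValue
			case Unset:
				delete(doc, k) // deleting during range is safe in Go
			case Ignore:
			case Exit:
				return fmt.Errorf("decrypt %q: %w", k, err)
			default:
				return fmt.Errorf("unknown error strategy %q", s)
			}
		}
	}
	return nil
}
```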
It would be nice to be able to rotate data keys or replace a data key.
I'd propose that:
- replacement_key_id field added to key (in keyring)
- replacement_key_id set to id of new key on old key
To this point we have key replacement but not automatic rotation.
Automatic rotation would need to (upon encountering an encrypted field):
- replacement_key_id
- replacement_key_id
- check until we find a key that isn't replaced
For example: echo "secret" | envelope encrypt --into-file target.yaml --key path/to/key. This would write the encrypted value of secret to path: { to: { key: "..." } }.
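The "check until we find a key that isn't replaced" step from the key rotation proposal above, as an added example that is not envelope's code; Key and Keyring are assumed shapes (the page does not show the real keyring format), and the walk refuses a missing key or a replacement cycle rather than looping forever on a malformed keyring.

```go
package main

import (
	"errors"
	"fmt"
)

// Key is an assumed keyring entry; the page does not show envelope's real format.
// ReplacementKeyID mirrors the proposed replacement_key_id field (empty = not replaced).
type Key struct {
	ID               string
	ReplacementKeyID string
}

type Keyring map[string]Key // id -> key (assumed shape)

var (
	ErrUnknownKey = errors.New("keyring: unknown key id")
	ErrCycle      = errors.New("keyring: replacement chain forms a cycle")
)

// Resolve follows replacement_key_id links from id until it reaches a key that
// isn't replaced, reporting a missing key or a cycle instead of looping forever.
func (kr Keyring) Resolve(id string) (Key, error) {
	seen := map[string]bool{}
	for {
		if seen[id] {
			return Key{}, fmt.Errorf("%w: at %q", ErrCycle, id)
		}
		k, ok := kr[id]
		if !ok {
			return Key{}, fmt.Errorf("%w: %q", ErrUnknownKey, id)
		}
		seen[id] = true
		if k.ReplacementKeyID == "" {
			return k, nil
		}
		id = k.ReplacementKeyID
	}
}

// NeedsRotation reports whether a field encrypted under keyID must be re-encrypted,
// and under which key: the end of the replacement chain.
func (kr Keyring) NeedsRotation(keyID string) (bool, string, error) {
	cur, err := kr.Resolve(keyID)
	if err != nil {
		return false, "", err
	}
	return cur.ID != keyID, cur.ID, nil
}
```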
Simplest implementation would probably be adding support for navigating to a (potentially non-existent) path in mikesimons/traverser or using kikinteractive/go-optikon.