DBCDK / morph

NixOS deployment tool
MIT License

Encrypt secrets locally #92

Open tobiasBora opened 4 years ago

tobiasBora commented 4 years ago

Hello,

First, thanks for this great project that seems to solve most issues I had with NixOps. There is however a feature I'd love to see before I move my own deploy code to morph: a way to encrypt secrets locally. Indeed, I like to put my secrets in the git repo of my configuration, that way I can work from any place, and if someone accesses my computer he usually won't be able to get the passwords.

The way I proceed in my deploy code is as follows: I usually encrypt my file with gpg, and when I deploy it, I check if the file mysecret.txt.gpg is already on the server. If not, or if the checksums are different, I decrypt the file (morph could just take the decrypt command as a parameter for more flexibility, and the command is expected to write the decrypted file to stdout), copy the decrypted file into the file mysecret.txt, and finally I replace the file mysecret.txt.gpg on the server (order is important, it makes sure that if the connection stops in the middle, re-running the command will put the good password file online). Of course, I'm not pretending it's the only (or even best) solution, and it could also be possible to update secrets based on the last-modified time, but I just chose it because it's pretty robust to clock issues (it's not rare to see a computer with a poorly configured clock), while still making sure that decryption happens only when the secret changes.

One advantage of that method is that as soon as the user is free to choose any decryption method, it could even be possible to encrypt a file with passwords that are given to only some specific teams, or even with a more involved scheme based on emails' PGP public keys…

What do you think?

Thanks.
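The checksum-then-decrypt-then-replace procedure described in the post above, written out as an added POSIX shell example that is not part of the original issue or of morph. It assumes a hypothetical REMOTE_SH variable naming the command that opens a shell on the target (empty means the local shell), and that the target has sha256sum and base64.

```shell
#!/bin/sh
# Added example (not morph code): idempotent push of a locally encrypted
# secret in the order the issue describes: compare the checksum of the
# encrypted copy, decrypt locally, write the plaintext, and only then replace
# the encrypted copy on the target, so an interrupted run is repaired by
# simply re-running it.
# Assumption: REMOTE_SH is a command that runs a shell on the target, e.g.
# "ssh root@host". Empty (the default) means the local shell, which lets the
# script be exercised offline. The target needs sha256sum and base64.
set -eu

# Run a script on the target; it arrives on stdin, so no quoting is needed
# whether the target is local or reached through ssh.
remote_sh() { ${REMOTE_SH:-} sh; }

# Print the sha256 of a file on the target, or "absent" if it is missing.
remote_sum() {
  printf 'test -f "%s" && sha256sum "%s" | cut -d" " -f1 || echo absent\n' \
    "$1" "$1" | remote_sh
}

# Ship local bytes (read from stdin) to a path on the target, base64-encoded
# inside the script so binary ciphertext survives; written via a temp file
# and mv so a dropped connection never leaves a half-written file.
remote_put() {
  payload=$(base64 | tr -d '\n')
  printf 'umask 077; printf %%s "%s" | base64 -d > "%s.tmp" && mv "%s.tmp" "%s"\n' \
    "$payload" "$1" "$1" "$1" | remote_sh
}

# deploy_secret ENCRYPTED_LOCAL PLAINTEXT_ON_TARGET DECRYPT_CMD
# DECRYPT_CMD reads ciphertext on stdin and writes plaintext to stdout
# (for gpg: "gpg --quiet --decrypt"). Prints "unchanged" or "updated".
deploy_secret() {
  enc=$1; plain=$2; decrypt=$3
  enc_remote="$plain.gpg"            # marker copy kept beside the plaintext
  local_sum=$(sha256sum "$enc" | cut -d' ' -f1)
  if [ "$(remote_sum "$enc_remote")" = "$local_sum" ]; then
    echo unchanged
    return 0
  fi
  # Step 1: decrypt locally and install the plaintext.
  sh -c "$decrypt" < "$enc" | remote_put "$plain"
  # Step 2: replace the encrypted marker last, so a failure between the two
  # steps leaves a stale marker and the next run repeats the decryption.
  remote_put "$enc_remote" < "$enc"
  echo updated
}
```

A second run with the same ciphertext is a no-op, and re-running after an interruption between the two steps redoes the decryption because the marker checksum still differs.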

diamondburned commented 4 years ago

I second this.

Golang has decent file encryption libraries; one of which is minio/sio, which I've been trying. I can probably get a PR in to support basic password encryption on a Nix file somehow if there's a solid plan on doing this.

diamondburned commented 4 years ago

On second thought, a better idea would just be a simple API in default.nix or somewhere declarative that allows running scripts.