StackExchange / blackbox

Safely store secrets in Git/Mercurial/Subversion
MIT License

I would like a parallelized decrypt_all and shred_all #312

Open jose-bonilla opened 4 years ago

jose-bonilla commented 4 years ago

Is this possible and within the scope of what Blackbox is trying to solve? I'd like to take a whack at it if that's alright.

tlimoncelli commented 4 years ago

Sure!

Look at the git history to see an earlier attempt. It only worked in some OSs. You might want to leave the old code in and use the parallel version for OSs that are tested.

tlimoncelli commented 4 years ago

FYI: I'm rewriting blackbox in Go. See the Golang branch. I could use help making the shred command parallel.

jose-bonilla commented 4 years ago

I've done a little bit of work in golang at my current job, but I am not anywhere near proficient. I'd love to get my hands a little dirty in that.

tlimoncelli commented 4 years ago

The Go code is pretty stable, but there are a bunch of little things to clean up that I'm working on before I announce it. There's also no packaging. Certainly all the shred and decrypt stuff is stable.

I'd gladly accept the changes to either branch. I guess it depends on if you want to work on something that is going away in 2-3 months, or something that won't be ready for everyone to use for 2-3 months :-). (I'm using the new golang version for all my personal projects. No problems so far!)

jshburkett commented 2 years ago

My apologies for resurrecting an old thread, but is there a current working version of blackbox with a parallelized decrypt_all?

tlimoncelli commented 2 years ago

> My apologies for resurrecting an old thread, but is there a current working version of blackbox with a parallelized decrypt_all?

No

Not to be a downer but... I would reject PRs to add that to the bash version of Blackbox. The bash version is brittle enough without adding such complexity. The Go version is abandoned (unless @jose-bonilla picks it up).

jshburkett commented 2 years ago

No worries, thank you for the reply! Are you aware of any more basic solutions to the problem of long blackbox decrypt_all's?

tlimoncelli commented 2 years ago

My recommendation is to keep secrets in Conjur, AWS KMS, Azure Key Vault or GCP KMS. Then use Blackbox for encrypting the API keys that let you access that system. Now you are simply encrypting one tiny file.