Closed arohner closed 8 years ago
Mainly I just wanted to avoid the few extra steps of packing & unpacking, because in my current app, there's only one secrets file, so .tar files seemed unnecessary.
What footgun scenarios do you envision that are mitigated by unpack?
My main worry would be making it easier for operators to accidentally leave sensitive data on workstations, laptops, etc.
BTW, your patch references github.com/arohner/sneaker, so it doesn't build.
BTW, your patch references github.com/arohner/sneaker, so it doesn't build.
Sorry, reverted.
My main worry would be making it easier for operators to accidentally leave sensitive data on workstations, laptops, etc.
Maybe I'm fundamentally misunderstanding how this is intended to be used. It seems to me that your intended usage of sneaker is
sneaker upload; sneaker pack; <cp .ctar.enc to new machine> ; sneaker unpack
I intended download to be a usability optimization for the case where you have only one secret file. They seem equivalent to me, except for not going through the .tar step. Is that right?
It's a difference of degree, not of kind.
As it stands, an operator would have to pack a secret and unpack it in order to have an unprotected secret on their laptop.
With this patch, the operator would simply have to run a single command.
As part of a provisioning step it's harmless — it's a simple optimization, as you say — but I'm more concerned about what affordances the feature provides for insecure workflows.
Enough people asked for this that I’m merging this PR.
Thanks for the patch and for your patience.
I'd intentionally left this out, mostly because an easy way to download secrets seemed like a convenient footgun. What use cases did you have in mind?