search

elasticdog / transcrypt

transparently encrypt files within a git repository
MIT License
1.46k stars 102 forks source link

Feature Request: encrypt a file partially only #172

Closed steled closed 11 months ago

steled commented 1 year ago

Hi,

I have no idea how difficult it is to implement but it would be totally awesome to be able to encrypt a file partially only. At least to see non encrypted content but as an addition it would also great to be able to edit non encrypted content without the need to decrypt the whole file.

Thanks & best regards

jmurty commented 11 months ago

Hi, that would be a cool feature but it's not something we will do sorry. It would be very difficult to do, if it's possible at all, so it's not something we will support.

steled commented 4 months ago

Hi,

I created a little workaround for this. I wrote a pre-commit-githook that uses sed to create an partially encrypted *.dec file of the fully encrypted file.

#!/usr/bin/env bash
# sed pre-commit hook: duplicate decrypted sensitive file and redact sensitive informations via sed

tmp=$(mktemp)
IFS=$'\n'
for secret_file in $(git -c core.quotePath=false ls-files | git -c core.quotePath=false check-attr --stdin filter | awk 'BEGIN { FS = ":" }; /crypt$/{ print $1 }'); do
    # Skip symlinks, they contain the linked target file path not plaintext
    if [[ -L $secret_file ]]; then
        continue
    fi

    # extract filename
    filename="${secret_file##*/}"
    # get file extension
    file_extension="${filename##*.}"
    # get filename without extension
    file="${filename%.*}"
    # extract directory
    dir="$(dirname ${secret_file})"

    # if test -f "${dir}/${file}.sed"; then
    if test -f "${dir}/${filename}.sed"; then
        if [ $file_extension == $file ]; then
            sed -f "${dir}/${filename}.sed" $secret_file > "${dir}/${file}_dec"
        else
            sed -f "${dir}/${filename}.sed" $secret_file > "${dir}/${file}.${file_extension}.dec"
        fi
    fi

done
rm -f "${tmp}"
unset IFS

You than just need to create a sed file where you define what should be replaced and the hook than creates with this sed file an *.dec file.

Example

plain file aws-etcd-backup.yaml

apiVersion: v1
kind: Secret
metadata:
  name: dgops-s3-credentials
  namespace: kube-system
type: Opaque
data:
  ACCESS_KEY_ID: TEST_KEY_ID
  SECRET_ACCESS_KEY: TEST_ACCESS_KEY

sed file aws-etcd-backup.yaml.sed

s/\(ACCESS_KEY_ID: \).*/\1<REDACTED>/
s/\(SECRET_ACCESS_KEY: \).*/\1<REDACTED>/

resulting partially decrypted file aws-etcd-backup.yaml.dec

apiVersion: v1
kind: Secret
metadata:
  name: dgops-s3-credentials
  namespace: kube-system
type: Opaque
data:
  ACCESS_KEY_ID: <REDACTED>
  SECRET_ACCESS_KEY: <REDACTED>

Maybe this helps someone.