elasticdog / transcrypt

transparently encrypt files within a git repository
MIT License

Test if password is correct #182

Open andreineculau opened 3 months ago

andreineculau commented 3 months ago

When using the wrong password, you end up with dirty secret files. Beyond checking for dirty secret files after "smudging", how would you check if the password/cipher is correct without touching the workspace?

jmurty commented 2 months ago

Transcrypt isn't built to check for a correct password. To do so, it would need to track extra metadata information to detect successful or failed decryption based on the decrypted file containing or matching that metadata.

The easiest way I can think of to check for a correct password without looking at the resultant workspace files is to create a file with a consistent name and known content in your repo(s), run just the smudge command directly with Transcrypt, and confirm the known content is present in the result from the smudge command.

You would need to set the minimum required Transcrypt Git config options for this to work, but you could do it like this (using this repo's sensitive_file as an example):

```sh
# Set Git config options required by transcrypt
git config transcrypt.password 'correct horse battery staple'
git config transcrypt.cipher aes-256-cbc
git config transcrypt.openssl-path openssl

# Run 'smudge' command directly. You must provide:
# - the encrypted file's contents via stdin
# - the context name (default) and the encrypted file's name via command arguments
cat sensitive_file | ./transcrypt smudge context=default sensitive_file

# Check for known content in the decrypted file
cat sensitive_file | ./transcrypt smudge context=default sensitive_file | grep -q '^I just wanna'
# $? == 0

git config transcrypt.password 'wrong password'
cat sensitive_file | ./transcrypt smudge context=default sensitive_file | grep -q '^I just wanna'
# $? == 1
```
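
The check described in the comment above, wrapped as a reusable shell function that reads the encrypted blob from the object store with `git cat-file` instead of the working tree and restores the previous `transcrypt.password` afterwards. This is an added example, not part of the original thread or of transcrypt itself. The names `check_transcrypt_password` and `TRANSCRYPT` are hypothetical, and it assumes the known-content file is committed in encrypted form at HEAD and that `transcrypt.cipher` and `transcrypt.openssl-path` are already configured.

```shell
#!/bin/sh
# Added example; names below are hypothetical, not part of transcrypt.
# Assumes FILE is committed in encrypted form at HEAD and that
# transcrypt.cipher and transcrypt.openssl-path are already configured.
TRANSCRYPT=${TRANSCRYPT:-./transcrypt}

# check_transcrypt_password PASSWORD FILE PATTERN
# Returns 0 if smudging HEAD:FILE with PASSWORD yields a line matching
# PATTERN, 1 if it does not, 2 if the candidate could not be configured.
check_transcrypt_password() {
    _ctp_candidate=$1
    _ctp_file=$2
    _ctp_pattern=$3

    # Remember the configured password (if any) so it can be put back.
    if _ctp_previous=$(git config --get transcrypt.password); then
        _ctp_had_previous=1
    else
        _ctp_had_previous=0
    fi

    git config transcrypt.password "$_ctp_candidate" || return 2

    # Feed the committed (encrypted) blob to smudge; the working tree is
    # neither read nor written. The if-form keeps a non-match from
    # aborting callers that run under 'set -e'.
    if git cat-file blob "HEAD:$_ctp_file" \
        | "$TRANSCRYPT" smudge context=default "$_ctp_file" 2>/dev/null \
        | grep -q -- "$_ctp_pattern"
    then
        _ctp_result=0
    else
        _ctp_result=1
    fi

    # Restore the original configuration whatever the outcome.
    if [ "$_ctp_had_previous" -eq 1 ]; then
        git config transcrypt.password "$_ctp_previous"
    else
        git config --unset transcrypt.password
    fi
    return "$_ctp_result"
}
```

Call it as `check_transcrypt_password 'candidate' sensitive_file '^I just wanna'` and branch on the exit status.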