search

getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0
16.34k stars 858 forks source link

[Feature Request] Symmetric config encryption with password #632

Open petems opened 4 years ago

petems commented 4 years ago

I'm not sure if this is something that the SOPS team is interested in, but I've been meaning to write up a simple library to do symmetric encryption with a password for config files in Golang.

So it looks something like this: 

sops --encrypt --password test.yaml > test.enc.yaml
Enter your password: 
Verify password:

Something similar to the code in https://github.com/isfonzar/filecrypt, using GCM and the Golang "golang.org/x/crypto/pbkdf2" library:

    key := password
    nonce := make([]byte, 12)

    // Randomizing the nonce
    if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
        panic(err.Error())
    }

    dk := pbkdf2.Key(key, nonce, 4096, 32, sha1.New)

    block, err := aes.NewCipher(dk)
    if err != nil {
        panic(err.Error())
    }

    aesgcm, err := cipher.NewGCM(block)
    if err != nil {
        panic(err.Error())
    }

    ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
autrilla commented 4 years ago

I wonder what the security perspective is here. Maybe @ajvb or @jvehent can chime in. IMO the password you choose is likely to have less entropy, so at least I’d like to have some warnings around this kind of mechanism.

On Sat, 15 Feb 2020 at 12:37, Peter Souter notifications@github.com wrote:

I'm not sure if this is something that the SOPS team is interested in, but I've been meaning to write up a simple library to do symmetric encryption with a password for config files in Golang.

So it looks something like this:

sops --encrypt --password test.yaml > test.enc.yaml Enter your password: Verify password:

Something similar to the code in https://github.com/isfonzar/filecrypt, using GCM and the Golang "golang.org/x/crypto/pbkdf2" library:

key := password nonce := make([]byte, 12)

// Randomizing the nonce if _, err := io.ReadFull(rand.Reader, nonce); err != nil { panic(err.Error()) }

dk := pbkdf2.Key(key, nonce, 4096, 32, sha1.New)

block, err := aes.NewCipher(dk) if err != nil { panic(err.Error()) }

aesgcm, err := cipher.NewGCM(block) if err != nil { panic(err.Error()) }

ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/mozilla/sops/issues/632?email_source=notifications&email_token=AARH4V5AD36TMSC4SUECPZDRC7HXXA5CNFSM4KVX4YGKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4INYOOSQ, or unsubscribe https://github.com/notifications/unsubscribe-auth/AARH4V365YDM4Z3IY42T5SLRC7HXXANCNFSM4KVX4YGA .

ajvb commented 4 years ago

@petems I'm not against it, but I'm unsure of the use-case. Using a password with a tool like sops makes a lot of sense for personal use such as with veracrypt, but I'm not familiar with anyone using sops in a personal context and would almost prefer to push those folks towards something like veracrypt.

Do you have a use-case in mind for this?

petems commented 4 years ago

Veryacrypt seems focused on FDE, which isn't really what I'm looking for.

In my case, I'm trying to reproduce the behaviour of an existing super old app, that asks for a password then decrypts the value from the config file when running. The end users are pretty low-tech so setting up public keys is kinda beyond them...

gclawes commented 3 years ago

@ajvb chiming in on the personal use case. I use helm secrets in my homelab k8s cluster, it would be convenient to be able to use a password instead of dealing with PGP keys for a simple setup like this. I'd be fine with the appropriate warnings about password strength/entropy.