Open petems opened 4 years ago
I wonder what the security perspective is here. Maybe @ajvb or @jvehent can chime in. IMO the password you choose is likely to have less entropy, so at least I’d like to have some warnings around this kind of mechanism.
On Sat, 15 Feb 2020 at 12:37, Peter Souter notifications@github.com wrote:
I'm not sure if this is something that the SOPS team is interested in, but I've been meaning to write up a simple library to do symmetric encryption with a password for config files in Golang.
So it looks something like this:
```
sops --encrypt --password test.yaml > test.enc.yaml
Enter your password:
Verify password:
```
Something similar to the code in https://github.com/isfonzar/filecrypt, using GCM and the Golang "golang.org/x/crypto/pbkdf2" library:
```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"io"

	"golang.org/x/crypto/pbkdf2"
)

// encrypt derives a 32-byte AES key from the password and seals plaintext with AES-GCM.
// The same random 12 bytes serve as the PBKDF2 salt and as the GCM nonce, so they must
// be stored next to the ciphertext for decryption.
func encrypt(password, plaintext []byte) (nonce, ciphertext []byte) {
	key := password
	nonce = make([]byte, 12)

	// Randomizing the nonce
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err.Error())
	}

	dk := pbkdf2.Key(key, nonce, 4096, 32, sha1.New)

	block, err := aes.NewCipher(dk)
	if err != nil {
		panic(err.Error())
	}

	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err.Error())
	}

	ciphertext = aesgcm.Seal(nil, nonce, plaintext, nil)
	return nonce, ciphertext
}
```
@petems I'm not against it, but I'm unsure of the use-case. Using a password with a tool like sops makes a lot of sense for personal use such as with veracrypt, but I'm not familiar with anyone using sops in a personal context and would almost prefer to push those folks towards something like veracrypt.
Do you have a use-case in mind for this?
Veracrypt seems focused on FDE, which isn't really what I'm looking for.
In my case, I'm trying to reproduce the behaviour of an existing super old app that asks for a password, then decrypts the value from the config file when running. The end users are pretty low-tech, so setting up public keys is kinda beyond them...
@ajvb chiming in on the personal use case. I use helm secrets in my homelab k8s cluster; it would be convenient to be able to use a password instead of dealing with PGP keys for a simple setup like this. I'd be fine with the appropriate warnings about password strength/entropy.