prskr / git-age

https://docs.git-age.icb4dc0.de
MIT License
13 stars 0 forks

Support passing in a script/command to get the keys rather than reading from a file #6

Open nogweii opened 8 months ago

nogweii commented 8 months ago

This is, for example, to be able to retrieve the age keys from a password manager or other secret storage engine. (In my use case, from KDE's KWallet. But it could also be replaced with macOS's Keychain, etc.)

Another option, rather than supporting arbitrary code execution, is to support using a platform's native secret storage. Something like go-keychain.

prskr commented 8 months ago

That is an awesome idea!

I'm only wondering if it makes sense to support this directly in git-age or if it wouldn't be better to implement an age plugin that supports this for all age use cases and implement the plugin API in git-age. I had that already in mind as next step and that would also allow the usage of a Yubikey - besides others.

What do you think?

nogweii commented 8 months ago

Hm, that's a good point. I forgot about the plugin interface! I'll have to see if this exists. If not, maybe I create it. :smile:

prskr commented 8 months ago

I haven't found something like it so far 😄 Also, I did some more research regarding keyring implementations, and 99designs/keyring might be even easier to integrate than the one from keybase.

I'll try to add the plugin support soon ™️ and if you didn't implement the plugin till then I will have a look if I can do it 😄

prskr commented 7 months ago

Just letting you know that I didn't forget this 😄

After giving this problem some more thought, I realised that the plugin API isn't really made for what you have in mind. But only supporting native OS keyrings is also not a great perspective, because the next issue will then be about supporting password manager XYZ as well 😅 so I'm currently working on an approach similar to the SSH agent, based on a gRPC service definition. git-age will then check for some env variable and, if properly set up, there can be an agent that is either retrieving keys from a keyring or a password manager or some other vault. It'll be possible to implement those agents in any language that supports gRPC.

I'm already working on a PoC for the OS keyring and probably will also release a similar agent for BitWarden.
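The agent model sketched in the last comment (git-age reads an environment variable, talks to a separate agent process over a socket, and the agent is the only component that touches the keyring or vault) can be illustrated with a small stand-alone Go program. This is an added example, not git-age's code or its actual agent protocol: the environment variable name `GIT_AGE_AGENT_SOCK`, the `Agent.GetIdentities` RPC, the `LoadIdentities` function and the key values are all assumptions, and the standard-library `net/rpc` package stands in for the gRPC service definition so that the example runs offline. Two defensive choices are shown that a practitioner would want from such a design: the socket is created owner-only (`0600`), and an explicitly configured but unreachable agent is an error rather than a silent fallback to the key file.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/rpc"
	"os"
	"path/filepath"
	"strings"
)

// agentSockEnv is an assumed variable name for this example; git-age may use a different one.
const agentSockEnv = "GIT_AGE_AGENT_SOCK"

// IdentityRequest and IdentityReply form a tiny RPC contract standing in for the gRPC service.
type IdentityRequest struct {
	Repo string // repository path, so an agent can decide which keys it is willing to release
}

type IdentityReply struct {
	Identities []string // age secret keys (AGE-SECRET-KEY-1...); never logged or printed
}

// AgentService is the agent side; a real agent would query a keyring or vault in lookup.
type AgentService struct {
	lookup func(repo string) ([]string, error)
}

// GetIdentities is the RPC method exposed to git-age.
func (s *AgentService) GetIdentities(req IdentityRequest, reply *IdentityReply) error {
	ids, err := s.lookup(req.Repo)
	if err != nil {
		return err
	}
	reply.Identities = ids
	return nil
}

// ServeAgent listens on a Unix socket restricted to the owning user and serves requests in the background.
// The caller closes the returned listener to stop the agent.
func ServeAgent(sockPath string, lookup func(string) ([]string, error)) (net.Listener, error) {
	srv := rpc.NewServer()
	if err := srv.RegisterName("Agent", &AgentService{lookup: lookup}); err != nil {
		return nil, err
	}
	_ = os.Remove(sockPath) // clear a stale socket from a previous run
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(sockPath, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go srv.ServeConn(conn)
		}
	}()
	return ln, nil
}

// identitiesFromFile parses an age identities file: one secret key per line, blanks and '#' comments ignored.
func identitiesFromFile(path string) ([]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var ids []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, "AGE-SECRET-KEY-1") {
			return nil, fmt.Errorf("%s: line is not an age secret key", path)
		}
		ids = append(ids, line)
	}
	return ids, sc.Err()
}

// identitiesFromAgent dials the agent socket and asks it for the identities of one repository.
func identitiesFromAgent(sockPath, repo string) ([]string, error) {
	c, err := rpc.Dial("unix", sockPath)
	if err != nil {
		return nil, fmt.Errorf("agent configured via %s but unreachable: %w", agentSockEnv, err)
	}
	defer c.Close()
	var reply IdentityReply
	if err := c.Call("Agent.GetIdentities", IdentityRequest{Repo: repo}, &reply); err != nil {
		return nil, err
	}
	if len(reply.Identities) == 0 {
		return nil, errors.New("agent returned no identities")
	}
	return reply.Identities, nil
}

// LoadIdentities uses the agent when the env variable is set and the key file otherwise.
// env is injected so the selection logic can be exercised without touching the real environment.
func LoadIdentities(env func(string) string, keyFile, repo string) ([]string, error) {
	if sock := env(agentSockEnv); sock != "" {
		return identitiesFromAgent(sock, repo) // no silent fallback to the file on failure
	}
	return identitiesFromFile(keyFile)
}

func main() {
	sock := filepath.Join(os.TempDir(), "git-age-example-agent.sock")
	ln, err := ServeAgent(sock, func(repo string) ([]string, error) {
		// Constructed stand-in for a keyring/vault lookup; not a real key.
		return []string{"AGE-SECRET-KEY-1CONSTRUCTEDEXAMPLEKEY"}, nil
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer ln.Close()
	ids, err := LoadIdentities(func(string) string { return sock }, "", "/work/repo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("agent returned %d identities\n", len(ids)) // report the count only, never the keys
}
```

The `repo` argument in the request is what lets an agent scope key release per repository instead of handing every key to any caller; a real agent would also be the natural place to put the keyring or password-manager integration discussed above, so git-age itself never links against platform-specific secret-storage libraries.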