rezzza / vaultage

Keep secrets secret

Vaultage V2 #27

Open stephpy opened 7 years ago

stephpy commented 7 years ago

Hi,

I need to implement some new features that vaultage does not provide at this moment. I could make a PR to add them, but I would like to know if you agree to merge them before.

Needs:

Multi catalogs

V1: we cannot have different backends for 2 files encrypted with vaultage.
V2: we can define catalogs and have better granularity of user rights.

--write replaced by ! --dry-run

V1: --write to encrypt/decrypt...
V2: --dry-run to not encrypt/decrypt ;) Looks like a better UX.

I have some other ideas which could be done in v2.x (wildcard filepaths, ...), but the Multi Catalog feature would be a BC break.

Here is an example of the multi-catalog feature:

# .vaultage.yaml

catalogs:
    dev:
        backend:
            type: basic
            key: "file:///tmp/pouet.key"
            passphrase: false
            encrypted_extension: "crypted"
        files:
            - "app/config/parameters/dev.yml"
    preprod:
        backend:
            type: gpg
            asymetric: false
        files:
            - "app/config/parameters/preprod.yml"
    prod:
        backend:
            type: gpg
            asymetric: true
            recipients:
                - "John Doe <user@domain.tld>"
        files:
            - "app/config/parameters/prod.yml"

We have to choose a format... this one is not bad either.

files:
    app/config/parameters/dev.yml:     dev
    app/config/parameters/preprod.yml: preprod
    app/config/parameters/prod.yml:    prod
backend:
    dev:
        basic:
            key: "file:///tmp/pouet.key"
            passphrase: false
            encrypted_extension: "crypted"
    preprod:
        gpg:
            asymetric: false
    prod:
        gpg:
            asymetric: true
            recipients:
                - "John Doe <user@domain.tld>"

Thoughts?
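The following is an added example, not code from vaultage or from the issue author: a validator and dry-run planner for the second layout proposed above (a top-level `files` map from path to catalog name, next to a `backend` map from catalog name to a single `type: options` entry). Key names follow the comment; the default extension `crypted`, the validation rules and the `encrypt` callback signature are my own assumptions. The config below is the proposed YAML written out as the dict a YAML loader would return, so the script runs offline without PyYAML. It also checks for the trailing-comma pitfall (`passphrase: false,` parses as the string `"false,"`, which is truthy), and shows the `--dry-run` semantics: the plan is always computed, but the backend is only called when dry-run is off.

```python
from typing import Callable, Dict, List, Tuple

# Constructed input: the second layout from the comment, as a YAML loader would return it.
CONFIG: Dict = {
    "files": {
        "app/config/parameters/dev.yml": "dev",
        "app/config/parameters/preprod.yml": "preprod",
        "app/config/parameters/prod.yml": "prod",
    },
    "backend": {
        "dev": {"basic": {"key": "file:///tmp/pouet.key",
                          "passphrase": False,
                          "encrypted_extension": "crypted"}},
        "preprod": {"gpg": {"asymetric": False}},
        "prod": {"gpg": {"asymetric": True,
                         "recipients": ["John Doe <user@domain.tld>"]}},
    },
}

KNOWN_TYPES = {"basic", "gpg"}
DEFAULT_EXTENSION = "crypted"  # assumption: the proposal does not state a default


def backend_of(config: Dict, catalog: str) -> Tuple[str, Dict]:
    """Return (type, options) for a catalog; each backend entry has exactly one type key."""
    spec = config["backend"][catalog]
    (btype, opts), = spec.items()
    return btype, (opts or {})


def validate(config: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the config is usable."""
    errors: List[str] = []
    files = config.get("files") or {}
    backends = config.get("backend") or {}

    for name, spec in backends.items():
        if not isinstance(spec, dict) or len(spec) != 1:
            errors.append(f"backend '{name}': expected exactly one type key, got {spec!r}")
            continue
        btype, opts = backend_of(config, name)
        if btype not in KNOWN_TYPES:
            errors.append(f"backend '{name}': unknown type '{btype}'")
            continue
        if btype == "basic" and "key" not in opts:
            errors.append(f"backend '{name}': basic backend needs a 'key'")
        if btype == "gpg" and opts.get("asymetric") and not opts.get("recipients"):
            errors.append(f"backend '{name}': asymmetric gpg needs at least one recipient")
        # A trailing comma in YAML ("passphrase: false,") silently yields the string
        # "false,", which is truthy; insist on a real boolean.
        if "passphrase" in opts and not isinstance(opts["passphrase"], bool):
            errors.append(f"backend '{name}': 'passphrase' must be a boolean, "
                          f"got {opts['passphrase']!r}")

    for path, catalog in files.items():
        if catalog not in backends:
            errors.append(f"file '{path}': unknown catalog '{catalog}'")
    return errors


def plan(config: Dict) -> List[Tuple[str, str, str]]:
    """Resolve every file to (plain_path, encrypted_path, backend_type) without touching disk."""
    actions = []
    for path, catalog in config["files"].items():
        btype, opts = backend_of(config, catalog)
        ext = opts.get("encrypted_extension", DEFAULT_EXTENSION)
        actions.append((path, f"{path}.{ext}", btype))
    return actions


def encrypt_all(config: Dict,
                encrypt: Callable[[str, str, str], None],
                dry_run: bool = True) -> List[Tuple[str, str, str]]:
    """--dry-run semantics: always compute the plan, only call the backend when dry_run is False."""
    problems = validate(config)
    if problems:
        raise ValueError("; ".join(problems))
    actions = plan(config)
    if not dry_run:
        for plain, enc, btype in actions:
            encrypt(plain, enc, btype)
    return actions


if __name__ == "__main__":
    # Stand-in backend: a real one would write the encrypted file here.
    for plain, enc, btype in encrypt_all(CONFIG, encrypt=lambda p, e, b: None, dry_run=True):
        print(f"[dry-run] {plain} -> {enc} via {btype}")
```

Run it as-is to see the dry-run plan for the three files; pass `dry_run=False` with a real `encrypt` callback to actually write the `.crypted` outputs. Because `encrypt_all` validates before planning, a file pointing at a catalog that does not exist, or an asymmetric gpg catalog with no recipients, fails before anything is touched.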

shouze commented 7 years ago

OK, so catalog introduces a new concept, that's it? Is there another way to avoid introducing it? I would prefer the 2nd solution as it looks a bit like what vault has done, but I'm not sure it has to deal with this yml file.

stephpy commented 7 years ago

I prefer the 2nd solution too.

At this moment it deals with a JSON file; we could still use a JSON file, but YAML is a bit easier to read IMHO.