twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Storage of encrypted docker secrets #2879

Closed joshoram80 closed 1 year ago

joshoram80 commented 1 year ago

What exactly are you trying to do?

I want to have my docker secrets encrypted and managed by chezmoi along with the rest of my HTPC setup.

What have you tried so far?

The secrets directory and files have permissions 600 and owned by root for security. The files are added to chezmoi with chezmoi add --encrypt and are added to the source with 'encrypted' and 'private'. All good so far.

I have run_before and run_after scripts that change permissions of the secrets folder temporarily to allow chezmoi access to decrypt the .age files into the secrets folder, and then set the correct ownership and permissions back to 600 root:root.

If I want to add a new secret to chezmoi, I have to change perms back to 755 and chown to my username. Fiddly but doable.

chezmoi apply works fine as well. Perms are set, files are decrypted into the directory and set to 600 as required, and ownership is set back to root.

The issue is that chezmoi diff and/or re-add do not work because the secrets folder is owned by root at this point with 600 perms.

Is there a better way to achieve what I want to do?

Output of chezmoi doctor

```console
$ chezmoi doctor
RESULT   CHECK               MESSAGE
ok       version             v2.15.1, commit 462e547efc45432edd6fc9b13bd97a7e51e37f58, built at 2022-04-10T17:54:04Z, built by goreleaser
warning  latest-version      v2.32.0
ok       os-arch             linux/amd64 (openSUSE Tumbleweed)
ok       uname               Linux HTPC 6.2.1-1-default #1 SMP PREEMPT_DYNAMIC Mon Feb 27 11:39:51 UTC 2023 (69e0e95) x86_64 x86_64 x86_64 GNU/Linux
ok       go-version          go1.18 (gc)
ok       executable          ~/bin/chezmoi
ok       upgrade-method      replace-executable
ok       config-file         ~/.config/chezmoi/chezmoi.toml
ok       source-dir          ~/.local/share/chezmoi is a directory
ok       suspicious-entries  no suspicious entries
ok       working-tree        ~/.local/share/chezmoi is a directory
ok       dest-dir            ~ is a directory
ok       shell-command       found /usr/bin/zsh
ok       shell-args          /usr/bin/zsh
ok       cd-command          found /usr/bin/zsh
ok       cd-args             /usr/bin/zsh
ok       edit-command        found /usr/bin/nano
ok       edit-args           /usr/bin/nano
info     diff-command        not set
ok       umask               022
ok       git-command         found /usr/bin/git, version 2.39.2
ok       merge-command       found /usr/bin/vimdiff
warning  age-command         found /usr/bin/age, cannot parse version from (devel)
ok       gpg-command         found /usr/bin/gpg, version 2.3.8
info     pinentry-command    not set
info     1password-command   op not found in $PATH
info     bitwarden-command   bw not found in $PATH
info     gopass-command      gopass not found in $PATH
info     keepassxc-command   keepassxc-cli not found in $PATH
info     keepassxc-db        not set
info     lastpass-command    lpass not found in $PATH
ok       pass-command        found /usr/bin/pass, version 1.7.4
info     vault-command       vault not found in $PATH
info     secret-command      not set
```


halostatue commented 1 year ago

I don’t understand your system here or what you’re trying to accomplish.

If you have sudo access to be able to change the ownership and permissions of unencrypted secrets, and you’re not on a multi-user machine, your user is effectively the same as root and you’re creating pain for maintenance with no measurable security benefit. If you’re on a multi-user machine, then you are giving away the secrets to whomever does have root access with essentially no fences at all.

As far as what you’re doing, you’re pushing the boundaries of what chezmoi is intended to do, and as you have seen, scripts don’t run before/after diff, merge-all, etc.

In order to try to help you better with this, can you answer the following questions?

  1. What sort of docker secrets are you talking about?
  2. What is your threat model? That is, what attack mode are you trying to protect your docker secrets from?

joshoram80 commented 1 year ago

The docker secrets are things like passwords and API keys. They are being stored in my dotfiles repository mainly as a backup along with the rest of my home server configuration.

The permissions on the files are more of a 'just in case' scenario. I guess technically they don't need to be private and owned by root on the server.


halostatue commented 1 year ago

The docker secrets are things like passwords and API keys. They are being stored in my dotfiles repository mainly as a backup along with the rest of my home server configuration.

That's sensible enough, although I would probably use 1Password secret injection https://developer.1password.com/docs/cli/secrets-config-files/ or something similar for running Docker and/or setting up the configuration files.

The permissions on the files are more of a 'just in case' scenario. I guess technically they don't need to be private and owned by root on the server.

So this is on a home server where you log in as user X to manage the server, and your running Docker images are configured to look for various API keys and such in ~x/docker-secrets/…, but right now you do chown root:root -R ~x/docker-secrets && chmod 0700 ~x/docker-secrets after writing them.

Especially if you’re not logged onto the server all the time, I would absolutely skip the chown dance (chezmoi can already handle most of the chmod as long as the user is yourself by naming it private_docker-secrets in the source state). If you are logged into the server all the time. If you’re worried about applications that you are running from doing this, I would set up a different chezmoi dotfiles repo and either make it deployed by root (this is allowed) or by a different, non-privileged user (this would be preferred).

joshoram80 commented 1 year ago

I actually do something similar to 1Password Injection for pretty much any secret that is not supported by a Docker container. I use 'pass' and the built-in chezmoi integration to inject passwords and keys into the docker .env file using a chezmoi template.

I already have my .password-store folder under version control as it is encrypted by default.
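As an added example (not from this issue or the chezmoi project), here is the pattern joshoram80 describes above combined with halostatue's `private_` suggestion: a Docker `.env` file rendered as a chezmoi template that pulls each value from `pass` at apply time, so only the encrypted password store is ever committed and chezmoi itself sets the 0700/0600 modes without any chown dance. The source path, the `pass` entry names and the variable names are assumptions.

```gotemplate
{{/* Assumed source file: ~/.local/share/chezmoi/private_docker-secrets/private_dot_env.tmpl
     Target it renders to: ~/docker-secrets/.env
     private_ on the directory  -> chezmoi creates it with mode 0700
     private_ on the file       -> chezmoi writes it with mode 0600
     dot_                       -> leading "." in the target name
     .tmpl                      -> rendered through chezmoi's template engine
     The target stays owned by the user running chezmoi, so `chezmoi diff`
     and `chezmoi re-add` keep working. */}}

# Each value is fetched from pass when `chezmoi apply` runs; nothing
# plaintext lives in the source state. The entry names below are assumed.
# `pass "name"` returns the first line of `pass show name`.
POSTGRES_PASSWORD={{ pass "htpc/postgres" }}
RADARR_API_KEY={{ pass "htpc/radarr-api-key" }}

# `passRaw` returns the full output of `pass show` (multi-line secrets);
# `trim` is a sprig function chezmoi ships, used here to drop the trailing newline.
TMDB_API_KEY={{ passRaw "htpc/tmdb-api-key" | trim }}

{{/* Check the rendered result before writing it, then apply only this target:
       chezmoi cat ~/docker-secrets/.env
       chezmoi apply --dry-run --verbose ~/docker-secrets
       chezmoi apply ~/docker-secrets */}}
```

A plain `chezmoi add --encrypt` on an already-written `.env` would instead produce an `encrypted_private_dot_env` entry whose age ciphertext is committed; the template form avoids storing the secret in the dotfiles repository at all.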


twpayne commented 1 year ago

+1 on everything that @halostatue wrote.

Hopefully this is now resolved. Please re-open if needed.