twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

chezmoi secret keyring list #3028

Closed owittek closed 1 year ago

owittek commented 1 year ago

Is your feature request related to a problem? Please describe.

When working with secrets it's hard to keep track which secrets I've set on which machine and what their values are.

Describe the solution you'd like

I'm not sure how other secret/password managers would be handled, but for the usage of keyring it would be helpful to have something like:

- chezmoi secret keyring list to get all services and their users
- chezmoi secret keyring list --show-secrets to also list the secret values
- chezmoi secret keyring list --service github to list all the users for a specific service

Describe alternatives you've considered

Considering that most other cli tools do something similar (e.g. pip & npm to list settings) I think this is the sanest solution, not sure how else this could be implemented.

halostatue commented 1 year ago

I do not believe that this is possible.

I’m looking at the security command on macOS and I don’t see a way of getting a list of entries and the find-generic-password subcommand does not appear to understand any sort of wildcards.

Even if this were possible, it would need to be implemented upstream in https://github.com/zalando/go-keyring before it could be taken advantage of by chezmoi.

The chezmoi secret keyring functionality shouldn’t be considered a password manager and should instead be used to backstop more purpose-suited options, as it exclusively works with *-generic-password subcommands on security(1) on macOS and uses GNOME keyring on Linux (and there is no Windows implementation as far as I can tell).

twpayne commented 1 year ago

+1 on what @halostatue says.

The correct solution here is to use a password manager which manages your secrets across multiple machines.

halostatue commented 1 year ago

Which is not to say it wouldn’t be a good idea. There’s just not a way to do it with the underlying tools.

owittek commented 1 year ago

I didn't want to expose access to my password manager to the shell so I chose to use keyring instead.

Thanks for the input!

twpayne commented 1 year ago

Another alternative is to configure encryption and use the decrypt template function in your templates. This gives you a poor man's cross-platform password manager with the secrets encrypted with either age or gpg.
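The age-based setup the last comment describes, as an added illustration that is not part of this issue or of chezmoi's own documentation; the config path, key file path, recipient string and template file name are assumed placeholders:

```toml
# ~/.config/chezmoi/chezmoi.toml (assumed path; identity, recipient and the
# file name below are placeholders, not values taken from this issue)
encryption = "age"

[age]
    # Private key stays on the machine, outside the (possibly public) source directory.
    identity = "/home/user/.config/chezmoi/key.txt"
    # Public key used when chezmoi encrypts files for the source directory.
    recipient = "age1PLACEHOLDER_PUBLIC_KEY"

# Workflow, assuming the config above:
#   1. chezmoi add --encrypt ~/.secret_token
#      stores the file age-encrypted in the source directory, so only the
#      ciphertext is ever committed.
#   2. In a template, decrypt it at apply time instead of keeping the secret
#      in a per-machine keyring entry (assumed usage of include and decrypt):
#      token = {{ include "encrypted_dot_secret_token.age" | decrypt | trim }}
```

The only per-machine state is the identity file, which is what makes the same encrypted source state usable on every host without a keyring entry to track.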