Closed Amolith closed 9 months ago
> I think the best solution would be allowing users to pick whatever encryption/decryption system they prefer;
This is already supported through the custom secret manager template functions. Is there something missing from this?
Unless I misunderstand, that would require storing the entire config file in my secret manager, and even then, templating wouldn't work, right?
Storing the config in my secret manager would mean it doesn't benefit from VCS either
> Unless I misunderstand, that would require storing the entire config file in my secret manager, and even then, templating wouldn't work, right?
I think you misunderstand. Only secrets need to be stored in your password manager. Have you read https://www.chezmoi.io/user-guide/password-managers/ ?
Yes and I already use a password manager with chezmoi. This issue is about encryption and decryption, for which chezmoi currently only supports GPG and age. I'm suggesting supporting arbitrary encryption/decryption tools, not arbitrary password managers.
Ah, my apologies, I was distracted with too many issues at once and misunderstood. My bad.
Right now, chezmoi has the output template function which should allow you to include output from rage.
chezmoi has an internal encryption abstraction. It should be fairly straightforward to support arbitrary encryption/decryption tools here.
What would you like the interface to look like? Presumably there should be something like:
encryption = "custom"
[encryption.custom.encrypt]
command = "rage"
args = ["--encrypt"] # made up example, real args would be more complex
[encryption.custom.decrypt]
command = "rage"
args = ["--decrypt"] # made up example, real args would be more complex
> Ah, my apologies, I was distracted with too many issues at once and misunderstood. My bad.
It's perfectly alright, I understand completely :)
> What would you like the interface to look like? Presumably there should be something like:
I think something along those lines should be perfectly sufficient.
Maybe it would be good to allow the user to specify where in the command the file path should go? I think GPG, age, and rage all expect the path to be very last; I don't know of any tools that do it differently, so supporting that might be unnecessary extra work.
> Maybe it would be good to allow the user to specify where in the command the file path should go?
For this, we can use the same technique of templates as used in custom diff tools.
> Alternatively, adding support for just rage, which does have a GUI prompt through pinentry, would solve my problem.
Thinking more about this, is rage a drop-in replacement for age? i.e. can you put
[age]
command = "rage"
in your config file? I haven't tested this.
With brief testing, that works exactly as you'd expect! :D
I still think the feature could be useful, but this isn't an issue for me any more :)
Thanks for testing! I'll add some tests to check that chezmoi works with age.command = "rage" to resolve this issue.
Is your feature request related to a problem? Please describe.
I run chezmoi mostly-non-interactively with darkman as part of an automated theme switching workflow. It worked wonderfully with GPG because there's a GUI prompt for the GPG passphrase; the script kicks off in the background and sends me a notification, so when the prompt appears a second later, I know what it's for, enter the PIN, and the rest executes without error. Since switching to age, however, it's much more painful because neither upstream age nor age bundled with chezmoi open that GUI prompt, so the script fails. I have to interactively switch themes from inside a shell because decryption immediately fails when there's no console.
I also can't use the age version bundled with chezmoi because it doesn't integrate with age-plugin-yubikey at all.
Describe the solution you'd like
I think the best solution would be allowing users to pick whatever encryption/decryption system they prefer; they could just specify the two commands for encryption/decryption with a $FILEPATH variable or something that chezmoi fills in before execution.
Describe alternatives you've considered
Alternatively, adding support for just rage, which does have a GUI prompt through pinentry, would solve my problem.