Support arbitrary encryption/decryption tools #3503
Comments
This is already supported through the custom secret manager template functions. Is there something missing from this?
Unless I misunderstand, that would require storing the entire config file in my secret manager, and even then, templating wouldn't work, right?
Storing the config in my secret manager would mean it doesn't benefit from VCS either.
I think you misunderstand. Only secrets need to be stored in your password manager. Have you read https://www.chezmoi.io/user-guide/password-managers/ ?
Yes, and I already use a password manager with chezmoi. This issue is about encryption and decryption, for which chezmoi currently only supports GPG and age. I'm suggesting supporting arbitrary encryption/decryption tools, not arbitrary password managers.
Ah, my apologies, I was distracted with too many issues at once and misunderstood. My bad. Right now, chezmoi has an internal encryption abstraction. It should be fairly straightforward to support arbitrary encryption/decryption tools here. What would you like the interface to look like? Presumably there should be something like:
It's perfectly alright, I understand completely :)
I think something along those lines should be perfectly sufficient. Maybe it would be good to allow the user to specify where in the command the file path should go? I think GPG, age, and rage all expect the path to be very last; I don't know of any tools that do it differently, so supporting that might be unnecessary extra work.
For this, we can use the same technique of templates as used in custom diff tools.
Thinking more about this, is

```toml
[age]
command = "rage"
```

in your config file? I haven't tested this.
Thanks for testing! I'll add some tests to check that chezmoi works with
Is your feature request related to a problem? Please describe.
I run chezmoi mostly-non-interactively with darkman as part of an automated theme switching workflow. It worked wonderfully with GPG because there's a GUI prompt for the GPG passphrase; the script kicks off in the background and sends me a notification, so when the prompt appears a second later, I know what it's for, enter the PIN, and the rest executes without error. Since switching to age, however, it's much more painful because neither upstream age nor age bundled with chezmoi open that GUI prompt, so the script fails. I have to interactively switch themes from inside a shell because decryption immediately fails when there's no console.
I also can't use the age version bundled with chezmoi because it doesn't integrate with age-plugin-yubikey at all.
Describe the solution you'd like
I think the best solution would be allowing users to pick whatever encryption/decryption system they prefer; they could just specify the two commands for encryption/decryption with a `$FILEPATH` variable or something that chezmoi fills in before execution.
Describe alternatives you've considered
Alternatively, adding support for just rage, which does have a GUI prompt through `pinentry`, would solve my problem.