cryptdo

module

v0.0.0-...-ea797f3 Latest Latest Go to latest Published: Jul 26, 2018 License: BSD-3-Clause

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/xoebus/cryptdo

Links

Open Source Insights

README ¶

                                   ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⣸ ⢀⡀
                                   ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠼ ⠣⠜

                a simple wrapper for commands which access sensitive files

= about

Occasionally you need to run commands which put sensitive information in files. Then,
through poor life choices, you want to commit those files to a source repository or
something similar. This program will let you transparently decrypt a file, run your
command, and then re-encrypt the file again.

The usage will show how this can be useful.


= usage

First, you need to bootstrap the encryption by encrypting your sensitive files.

    $ cryptdo-boostrap --passphrase hunter2 terraform.tfstate
    $ rm terraform.tfstate

Next, you can run commands which need to access those files by decorating them with
cryptdo. This will decrypt the file, run the command, and then re-encrypt the file with
any changes.

    $ cryptdo --passphrase hunter2 -- terraform apply

If you need to change the key of your encrypted files then the following command is your
friend.

    $ cryptdo-rekey --old hunter2 --new abetterkey


= installation

1. Download the latest release and signature for your architecture from the
   GitHub releases page.

2. Cryptdo uses OpenBSD's signify to sign its releases. You can get my public
   key for this project from: https://xoeb.us/keys/cryptdo.pub

3. Verify the release with the command:

     signify -C -p "path/to/public/key" -x "path/to/signature/file"

   The signature file and the release tarball need to be in the same directory.

4. If the signature matches then you can un-tar the release and copy the
   binaries inside on to your path.


= development

Bazel[1] is used to build and test the project.

    $ bazel build //...
    $ bazel test //...

The compiled executables will be in bazel-bin/cmd/*.

== Why Bazel?

It's important to me that a user can build a byte for byte replica of the
distributed binaries. This requirement is doubly important when using security
software.

[1]: https://bazel.build/


= cryptography

The encryption used is AES-256 in GCM mode with a 12 byte nonce. The nonce is generated
from the Go standard library cryptographically secure random number generator.

The encryption key is derived from the user's passphrase using PBKDF2-HMAC-SHA384. The
hashing function is applied 100,000 times and the salt used is 32 bytes. SHA384 is
used because of the proliferation of specialized hardware to attack SHA256 due to its
use in Bitcoin. The salt is generated from the Go standard library cryptographically
secure random number generator. The salt, nonce, and derivation iteration count are
marshalled together using Protocol Buffers. The definition of the message format is in
this repository.

The encryption key (derived from the user's passphrase) must be rotated before 2^32
encryptions have taken place with a single key. Due to the usage patterns of a tool like
this it is unlikely that this limit will be reached but a `cryptdo-rekey` tool has been
provided, just in case.

Directories ¶

Path	Synopsis
cryptdo
cmd/cryptdo
cmd/cryptdo-bootstrap
cmd/cryptdo-rekey
internal/flag Package flag contains flag unmarshalers for the github.com/jessevdk/go-flags parsing library.	Package flag contains flag unmarshalers for the github.com/jessevdk/go-flags parsing library.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL