Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: encrypt a file partially only #172

Closed
steled opened this issue Aug 25, 2023 · 2 comments
Closed

Feature Request: encrypt a file partially only #172

steled opened this issue Aug 25, 2023 · 2 comments

Comments

@steled
Copy link

steled commented Aug 25, 2023

Hi,

I have no idea how difficult it is to implement but it would be totally awesome to be able to encrypt a file partially only.
At least to see non encrypted content but as an addition it would also great to be able to edit non encrypted content without the need to decrypt the whole file.

Thanks & best regards
@jmurty
Copy link
Collaborator

jmurty commented Oct 25, 2023

Hi, that would be a cool feature but it's not something we will do sorry. It would be very difficult to do, if it's possible at all, so it's not something we will support.

@jmurty jmurty closed this as completed Oct 25, 2023
@steled
Copy link
Author

steled commented May 14, 2024

Hi,

I created a little workaround for this.
I wrote a pre-commit-githook that uses sed to create an partially encrypted *.dec file of the fully encrypted file.

#!/usr/bin/env bash
# sed pre-commit hook: duplicate decrypted sensitive file and redact sensitive informations via sed

tmp=$(mktemp)
IFS=$'\n'
for secret_file in $(git -c core.quotePath=false ls-files | git -c core.quotePath=false check-attr --stdin filter | awk 'BEGIN { FS = ":" }; /crypt$/{ print $1 }'); do
    # Skip symlinks, they contain the linked target file path not plaintext
    if [[ -L $secret_file ]]; then
        continue
    fi

    # extract filename
    filename="${secret_file##*/}"
    # get file extension
    file_extension="${filename##*.}"
    # get filename without extension
    file="${filename%.*}"
    # extract directory
    dir="$(dirname ${secret_file})"

    # if test -f "${dir}/${file}.sed"; then
    if test -f "${dir}/${filename}.sed"; then
        if [ $file_extension == $file ]; then
            sed -f "${dir}/${filename}.sed" $secret_file > "${dir}/${file}_dec"
        else
            sed -f "${dir}/${filename}.sed" $secret_file > "${dir}/${file}.${file_extension}.dec"
        fi
    fi

done
rm -f "${tmp}"
unset IFS

You than just need to create a sed file where you define what should be replaced and the hook than creates with this sed file an *.dec file.

Example

plain file aws-etcd-backup.yaml

apiVersion: v1
kind: Secret
metadata:
  name: dgops-s3-credentials
  namespace: kube-system
type: Opaque
data:
  ACCESS_KEY_ID: TEST_KEY_ID
  SECRET_ACCESS_KEY: TEST_ACCESS_KEY

sed file aws-etcd-backup.yaml.sed

s/\(ACCESS_KEY_ID: \).*/\1<REDACTED>/
s/\(SECRET_ACCESS_KEY: \).*/\1<REDACTED>/

resulting partially decrypted file aws-etcd-backup.yaml.dec

apiVersion: v1
kind: Secret
metadata:
  name: dgops-s3-credentials
  namespace: kube-system
type: Opaque
data:
  ACCESS_KEY_ID: <REDACTED>
  SECRET_ACCESS_KEY: <REDACTED>

Maybe this helps someone.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmurty @steled