Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bitw as a dotfiles secrets store #16

Closed
sentriz opened this issue Apr 18, 2020 · 3 comments
Closed

bitw as a dotfiles secrets store #16

sentriz opened this issue Apr 18, 2020 · 3 comments

Comments

@sentriz
Copy link

sentriz commented Apr 18, 2020

Hi! thanks for bitw, I like what I've used so far, except I have a question.

My dotfiles require some secrets - for example imgur api key for a screenshot tool, bank api keys for a bank balance applet, smtp passwords, etc.

I keep all these as encrypted gpg files in a syncthing mount, and wrote a little wrapper.
eg $ secret imgur_api_key or $ secret bank_api_key.

it does a simple gpg --decrypt, and prints to stdout. the nice thing about this is that "pinenty-gnome3" pops up asking for the passphase and caches it. so once booting, many of my dotfiles will subshell secret, and the first will trigger the gui passphrase prompt, but they'll all get their secret.

It think it would be cool to use bitw instead, perhaps replacing my $ secret with $ secret-tool and $ bitw serve for my dotfiles scripts. but I would be nice to have this gui password box for perhaps my bitwarden password.

so the question is

  1. do you use bitw for dotfile secrets or equivalent?
  2. if so what about the terminal password prompt? in my case I don't think it's do-able because the scripts that would subshell secret-tool can't give the password

thank you!
@mvdan
Copy link
Owner

mvdan commented Apr 18, 2020

Thanks for filing this issue! This use case was actually precisely mine, when first writing this tool. I already use Bitwarden's firefox extension, so the only areas on my laptop which aren't covered are mainly command-line programs and scripts.

I don't use it this way, yet. I got far enough to make it functional, but two things are missing to my mind:

  1. Implement the dbus protocol better. Right now, we only support passing secrets around in dbus in plaintext. There was a TODO for this, but not an issue, so I've raised support dbus service encryption algorithms other than "plain" #17.
  2. Support password prompts which aren't on the terminal. This is Support a graphical prompt #4.

For the sake of usability, I think we should also have PIN unlocking (#7), as well as remembering the password/PIN for a configurable amount of time, like fifteen minutes (no issue filed for this yet).

All this stuff is definitely on my radar, but I jump between projects all the time. If you want to help with any of these issues, help is more than welcome - just be sure to add tests :)

@sentriz
Copy link
Author

sentriz commented Apr 18, 2020

ahh didn't see those issues. great to see them, they're describing exactly what I'm looking for :)
thanks for your work - I'll be keeping an eye on the repo and mess about the with source

@mvdan
Copy link
Owner

mvdan commented Nov 28, 2020

For the sake of keeping this thread updated, #17 is now fixed, so the D-Bus server should no longer pass secrets around in plaintext.

The other two issues are still open, though at least they don't concern the daemon having decent security.

I'll close this issue for now, since all other ideas are covered by those two issues. Feel free to leave comments on those. Thanks!

@mvdan mvdan closed this as completed Nov 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mvdan @sentriz