Feature Request: Add possibility to encrypt secret vars using GPG #20

Closed
lucas-dclrcq opened this issue Aug 17, 2020 · 4 comments
Labels
enhancement New feature or request

@lucas-dclrcq
Collaborator

Bombadil should support secrets for variables (example: user password in a maven settings template) to avoid committing secret values in a dotfile repository.

Proposal :

Creating secrets :

Bombadil should have a command enabling a user to add a secret variable to a variable file.

Ex: bombadil add-secret --var-file path/to/var/file --var-name maven_password --value mypassword

Optionally, --value could be replaced by the --ask parameter and bombadil should prompt the user for the secret value.

Encrypting/Decrypting

Bombadil should take inspiration from pass (the standard Unix password manager) and use gpg to encrypt/decrypt secrets.

Bombadil would delegate encrypting/decrypting to gpg; this greatly simplifies the management of keys, etc.

When bombadil needs to encrypt/unencrypt a variable it should use the default gpg key and eventually prompt the user for the gpg key passphrase if needed.

@oknozor oknozor added the enhancement New feature or request label Sep 1, 2020
@oknozor oknozor added this to the V2.0.0 milestone Sep 1, 2020
@oknozor
Owner

oknozor commented Sep 1, 2020

  • rpgp

    • pros : pure rust implementation (no C runtime dependency)
    • cons : no file system (default key location etc) integration
  • gpgme

    • pros : high level binding to gpgme C lib
    • cons : depends on gpgme C library and its development files

We might also use std::process::Command and do this like password store
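The `std::process::Command` route mentioned in the comment above, sketched as an added example (not Bombadil's code and not taken from the linked commits). `Mode`, `gpg_args` and `run_gpg` are hypothetical names; the secret is written to gpg's stdin so it never appears in the process arguments, and it assumes a `gpg` binary on `PATH` with a default key.

```rust
use std::io::{self, Write};
use std::process::{Command, Stdio};

/// Direction in which the (hypothetical) helper runs gpg.
pub enum Mode {
    Encrypt,
    Decrypt,
}

/// gpg arguments for each mode. The secret is never placed in argv.
pub fn gpg_args(mode: &Mode) -> Vec<&'static str> {
    match mode {
        // --default-recipient-self encrypts to the user's default key.
        Mode::Encrypt => vec!["--quiet", "--armor", "--default-recipient-self", "--encrypt"],
        Mode::Decrypt => vec!["--quiet", "--decrypt"],
    }
}

/// Pipe `input` through `program` (normally "gpg") and return its stdout.
pub fn run_gpg(program: &str, mode: &Mode, input: &[u8]) -> io::Result<Vec<u8>> {
    let mut child = Command::new(program)
        .args(gpg_args(mode))
        .stdin(Stdio::piped())
        .stdout(Stdio::piped())
        .spawn()?; // stderr is inherited, so gpg's own errors stay visible

    // Write, then drop the handle so gpg sees EOF. Writing everything before
    // reading is fine for secret-sized inputs, not for large files.
    child.stdin.take().expect("stdin was piped").write_all(input)?;

    let out = child.wait_with_output()?;
    if !out.status.success() {
        let msg = format!("{} exited with {}", program, out.status);
        return Err(io::Error::new(io::ErrorKind::Other, msg));
    }
    Ok(out.stdout)
}

fn main() -> io::Result<()> {
    let secret = b"constructed-example-password"; // constructed sample value
    let armored = run_gpg("gpg", &Mode::Encrypt, secret)?;
    let clear = run_gpg("gpg", &Mode::Decrypt, &armored)?;
    assert_eq!(clear, secret);
    println!("round trip ok, {} bytes of ciphertext", armored.len());
    Ok(())
}
```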

@oknozor
Owner

oknozor commented Oct 4, 2020

  • implemented in 04d3a89
  • still needs to confirm this is working with pinentry (my gpg conf might be wrong); could you test this by cloning
    and checking out v2.0.0-rc? (you might need to change your config according to the readme)

@oknozor
Owner

oknozor commented Oct 4, 2020

still needs to implement the following :

bombadil show-secrets
bombadil remove-secret {key}

In the meantime this could still be done via gpg

@oknozor
Owner

oknozor commented Oct 25, 2020

implemented in #35

@oknozor oknozor closed this as completed Oct 25, 2020