Support for custom IV

[guitmz]

While I know that this is debatable, I have some scenarios where I would not like the file to physically change every time I encrypt it.

As example, if I run kubesec encrypt myfile, twice the output is not the same and I would like to have it to be the same.

The use case for this is something similar as git-crypt, where the encryption is deterministic (which is required so git can distinguish when a file has and hasn't changed).

Thanks

[shyiko]

Hi.

I see you filed a similar question in getsops/sops#315.
As kubesec is using the same AES-GCM, everything mentioned in that ticket applies here too.

Once Secret is kubesec encrypted, it supposed to be modified through kubesec edit / kubesec patch only (this will preserve DEK and IVs (each "data" entry has its own)). You could also use kubesec merge to merge (preserving keys) encrypted & unencrypted secrets but I'd advise to stick with edit/patch.

I'm idly pondering the idea of adding support for other ciphers but it's not available yet.