blackbox
Add functionality along the lines of "blackbox_encrypt_all_files"
Please consider adding functionality along the lines of "blackbox_encrypt_all_files". We currently have:
- "blackbox_update_all_files" which decrypts and re-encrypts all files while overwriting any local changes to previously decrypted files.
- "blackbox_shred_all_files" which securely deletes decrypted files.
However, there seems to be no function that would allow encrypting all "blackboxed" files in the repository en masse. I understand that this is only a convenience functionality, as one can simply call blackbox_edit_end for each file before committing. It would however greatly simplify the workflow.
To do this right, we really need a script that runs "blackbox_edit_end" on anything that was decrypted AND has been changed. We don't want to encrypt something that wasn't changed (that just makes the git repo bigger).
Yes, you are of course right. Can we somehow track changes on decrypted files?
There are a few ways to implement this
- When the file is decrypted, generate a hash of the file and use that for comparison.
- Watch the timestamp of the file to see if it changed.
- Decrypt to a temporary file and see if anything has changed.
- There are probably other ways too. git-crypt does a better job of this and someone could investigate how they do it.
However, the point of encrypting a file is often to incorporate new keys. It is a lot more difficult to detect if that is the situation. Therefore, I wouldn't add this logic to blackbox_edit_end, but just to a (new) script such as blackbox_encrypt_all_files.
All of these would be acceptable to me.
Decrypt to a temporary file and see if anything has changed.
This works for me. I'd love to run blackbox_post_deploy, edit any secret I want, and then re-encrypt everything. blackbox_edit_* is extremely tedious and error prone when you have lots of secrets.
Even without this, I'd love it if blackbox_post_deploy at least gave a warning when decrypting if a copy of the decrypted file already exists on disk. As it stands, if you ran blackbox_edit_start, made changes, and then blackbox_post_deploy, you blow away your changes.
One possible workaround for this is:
blackbox_list_files | xargs -n 1 blackbox_edit_end
Not ideal as it will re-encrypt files that haven't changed, but if you're touching most of the files, maybe it's worth it.
You could limit that though if the affected files were named appropriately:
blackbox_list_files | grep "production" | xargs -n 1 blackbox_edit_end
or
blackbox_list_files | grep "staging" | xargs -n 1 blackbox_edit_end
etc.
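A script along these lines, as an added example that is not part of blackbox, implements the "hash the file when it is decrypted" approach from the discussion above and narrows the xargs workaround to files that actually changed. The manifest path .blackbox/decrypted.sha256 and the record_decrypted/changed_files/encrypt_changed names are my own assumptions, not anything blackbox ships.

```sh
#!/bin/sh
# Added example, not part of blackbox: re-encrypt only the decrypted files whose
# content changed since they were decrypted (the "hash at decrypt time" approach
# from the thread). Assumes a hypothetical manifest .blackbox/decrypted.sha256
# holding "<sha256>  <path>" lines written when files are decrypted.
set -eu

MANIFEST="${MANIFEST:-.blackbox/decrypted.sha256}"

# SHA-256 of one file, portable across GNU sha256sum and BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Call right after decrypting: record_decrypted FILE...
record_decrypted() {
    mkdir -p "$(dirname "$MANIFEST")"
    for f in "$@"; do
        printf '%s  %s\n' "$(file_sha256 "$f")" "$f"
    done >> "$MANIFEST"
}

# Print the recorded files whose current hash differs from the one recorded
# at decrypt time; files already shredded from disk are skipped.
changed_files() {
    [ -f "$MANIFEST" ] || return 0
    while read -r recorded path; do
        [ -f "$path" ] || continue
        [ "$(file_sha256 "$path")" = "$recorded" ] || printf '%s\n' "$path"
    done < "$MANIFEST"
}

# Re-encrypt only what changed. ENCRYPT_CMD defaults to blackbox_edit_end and
# can be overridden (e.g. with echo) for a dry run.
encrypt_changed() {
    changed_files | while read -r path; do
        ${ENCRYPT_CMD:-blackbox_edit_end} "$path"
    done
}
```

Unchanged files never reach blackbox_edit_end, so the repository does not grow with pointless re-encryptions; setting ENCRYPT_CMD=echo first shows what would be re-encrypted.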