
Support for reading symmetric encryption keys dynamically from command output

Open pjriot opened this issue 9 years ago • 2 comments

Hi folks,

Tools like isync allow you to specify a command from which it will read your credentials. (see PassCmd) This allows for encrypting a file containing your mail server password with gpg and having gpg-agent manage access to the key. It would be great to see a similar feature in fwknop.

pjriot, Nov 15 '16 01:11

Thanks for the suggestion. This is definitely a good idea. One option to accomplish this would be to extend the fwknop client to accept the entire ~/.fwknoprc file via stdin (or other file descriptor), and encrypt this file with gpg. Then, you could use 'gpg -d' to decrypt it and pass the output to fwknop. Until this is fully implemented, fwknop does support accepting the Rijndael key by itself via stdin. So, you could do something like:

$ gpg -d encrypted_spa_key.gpg | fwknop --stdin -D somehost -R -A tcp/22

mrash, Nov 15 '16 02:11
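The pipeline from the comment above, wrapped in a small POSIX shell helper. This is an added example, not code from the fwknop project or from either participant in the thread; the helper name spa_knock, the argument order, and the GPG/FWKNOP variables used to locate the binaries are assumptions made here, while --stdin, -D, -R and -A are the fwknop options used in the comment and --batch/--quiet/--decrypt are standard gpg options. Beyond the one-liner, it handles the failure mode a plain pipe hides: if gpg fails (gpg-agent not running, wrong key), a bare `gpg -d ... | fwknop --stdin ...` still runs fwknop with an empty key and reports only fwknop's exit status, so the helper checks gpg's status first and refuses to send anything. The key stays out of argv (and thus out of `ps`) throughout, since printf is a shell builtin.

```shell
#!/bin/sh
# Added example; not part of fwknop or of the issue thread.
# spa_knock: decrypt a GPG-encrypted Rijndael SPA key and feed it to
# fwknop over stdin, so the key is never a command-line argument and
# never sits in a plaintext ~/.fwknoprc.
#
# Assumptions (not from the page): the function name, the GPG/FWKNOP
# override variables, and the argument order.

# Binaries can be overridden, e.g. for testing on a host without gpg/fwknop.
GPG="${GPG:-gpg}"
FWKNOP="${FWKNOP:-fwknop}"

# usage: spa_knock ENCRYPTED_KEY_FILE DEST_HOST ACCESS
#   e.g. spa_knock ~/.spa/encrypted_spa_key.gpg somehost tcp/22
spa_knock() {
    keyfile="$1"; dest="$2"; access="$3"

    if [ -z "$keyfile" ] || [ -z "$dest" ] || [ -z "$access" ]; then
        echo "usage: spa_knock ENCRYPTED_KEY_FILE DEST_HOST ACCESS" >&2
        return 2
    fi
    if [ ! -r "$keyfile" ]; then
        echo "spa_knock: cannot read $keyfile" >&2
        return 2
    fi

    # --batch/--quiet: no interactive prompting on the terminal; the
    # passphrase comes from gpg-agent or decryption fails cleanly.
    # Capture gpg's exit status explicitly: in a plain pipeline a gpg
    # failure would still run fwknop with an empty key.
    if ! key=$("$GPG" --batch --quiet --decrypt "$keyfile"); then
        echo "spa_knock: decryption of $keyfile failed; no SPA packet sent" >&2
        return 1
    fi
    if [ -z "$key" ]; then
        echo "spa_knock: $keyfile decrypted to an empty key; no SPA packet sent" >&2
        return 1
    fi

    # Hand the key to fwknop on stdin (printf is a builtin, so the key does
    # not appear in any process's argv). Options as in the comment above:
    # -D destination, -R resolve our external IP, -A requested access.
    printf '%s\n' "$key" | "$FWKNOP" --stdin -D "$dest" -R -A "$access"
    rc=$?

    # Drop the key from the shell's environment as soon as it is no longer needed.
    key=''
    return "$rc"
}
```

Run it as `spa_knock ~/.spa/encrypted_spa_key.gpg somehost tcp/22`; a non-zero return with no packet sent is the intended behaviour whenever gpg cannot decrypt the key file.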

Hey Michael,

Ah, I missed the --stdin flag - this is very helpful, thanks.

Accepting configuration via an fd (and thus allowing for a fully encrypted config) would be great!

pjriot, Nov 15 '16 02:11