
Add practical use-case example

Open C-Duv opened this issue 7 years ago • 5 comments

I like the GPG key based ACL of this tool and can see how it prevents leaks.

But I fail to imagine the real-world usage in a team of developers and I cannot find one in the documentation.

Is it something like:

  1. Alice, Bob and Charlie are working on software source code versioned in a git repository (and shared amongst them via GitHub, GitLab or any other central git repository).
  2. Alice wants to store a MySQL password in the software's git repository but doesn't want either Bob or Charlie to have access to this secret.
    1. Alice creates a secrets directory in the software's source code directory on her computer, cds into it and runs sy vault init to initialize the sheesy vault "secrets".
    2. Alice runs git add . ; git commit -m "Created a secrets sheesy vault" to commit the vault creation.
    3. Alice adds the MySQL password to the vault with: echo s3cre7 | sy vault add :mysql-password.
    4. Alice runs git add . ; git commit -m "Added MySQL password to the secrets vault"; git push origin so that the changes the sy vault add command made to the sheesy vault ("secrets") are saved to the git repository.
  3. After some time, Alice trusts Bob to read secrets, so Alice asks Bob to run (on his computer): cd secrets ; sy vault recipient init to add his GPG key to the possible recipients, and git add . ; git commit -m "Adding Bob's key to the secrets vault" ; git push origin to persist the changes to the git repository.
  4. Alice can now run cd secrets ; sy vault recipient add 7DF95D5E and git add . ; git commit -m "Granting Bob's key access to secrets sheesy vault" ; git push origin and tell Bob that she granted him access to the "secrets" vault.
  5. Bob can now cd secrets and finally read the MySQL password with sy vault show mysql-password.
  6. Charlie sees the commits and the list of secrets (using sy vault) but can never read them.

Notes:

  • I am intentionally omitting the parts where Alice, Bob and Charlie run their git fetch and git merge commands.
  • On point 2., if Alice wants to store the password in the software's git repository, could it be because the software's deployment script will need it (in which case another recipient should be added)?

C-Duv avatar Feb 25 '18 17:02 C-Duv

Wow, this example is downright fantastic! So great that I will indeed add this very example, including git interaction, to the documentation. The usage you describe is exactly what is anticipated for sheesy, and it's correct that tooling (e.g. deployment scripts) will need access to the vault as well. For that there should be a practical example as well.

Byron avatar Feb 25 '18 17:02 Byron

Glad to hear I got it right :) Feel free to add the example (or do you want a PR?).

C-Duv avatar Feb 26 '18 11:02 C-Duv

Oh, I am glad about all help I can get :)!

If you want to get your hands dirty with the documentation system and if you have docker installed, it should be as easy as ‘make watch-docs’ to get you going. You will probably have to equip the ‘docs’ image with git, see etc/docker/*.docs.

From there I recommend taking a look at that special termbook syntax I am using to actually execute the commands I provide as an example. There are some code snippets in ‘getting-started.md’ that are run as preamble, which is needed to configure the sandbox for each command that is run - something similar you would need as well. Please note that these snippets are shared across the entire book and can thus be reused.

If you have further questions, I am happy to help.

Byron avatar Feb 26 '18 11:02 Byron

Well, on second thought, I think I'll leave you this part, I am not really sure I want to get into the documentation system (I initially thought it would be a simple patch to apply to an .md file). But if you want deployment script example of the same spirit, I'll try to write some.

C-Duv avatar Mar 01 '18 23:03 C-Duv

No problem, I think you can contribute what you can and want, and I will integrate it into the big whole as needed.

Byron avatar Mar 02 '18 06:03 Byron