Security, Extension support, and Import/Export
This release contains a lot of changes that have been accumulating on the master branch.
From a security standpoint, the default OpenSSL implementation has improved through the use of named pipes. Previously, there was a very small window of time, while the secret was being passed to the openssl command, in which another user on the same machine might have been able to discover it. With a named pipe this is no longer possible. Of course, this does not prevent the root user from accessing secrets/keys, so always exercise caution if you don't trust whoever has root access to the machine you are using.
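The named-pipe technique described above, as an added example rather than encpass.sh's own code. The function name `fifo_crypt`, the cipher options and the passphrase-based `-pass file:` form are assumptions chosen for illustration, and the secret and passphrase in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example (not encpass.sh code). Weak form, for contrast: the passphrase
# is a command-line argument, so it is visible in the process list while
# openssl runs:
#   openssl enc -aes-256-cbc -pbkdf2 -a -e -pass "pass:$PASSPHRASE"
# Hardened form: openssl is given only the FIFO path and reads the passphrase
# from the pipe.

# fifo_crypt MODE PASSPHRASE   MODE is -e or -d; data on stdin, result on stdout.
# Sets the globals fc_dir, fc_fifo, fc_writer, fc_rc (POSIX sh has no "local").
fifo_crypt() {
    fc_dir=$(mktemp -d) || return 1          # mktemp -d creates a 0700 directory
    fc_fifo="$fc_dir/pass.fifo"
    mkfifo -m 600 "$fc_fifo" || { rm -rf "$fc_dir"; return 1; }

    # printf is a shell builtin, so no new process gets the passphrase in argv.
    # The redirect blocks until openssl opens the FIFO for reading.
    printf '%s\n' "$2" > "$fc_fifo" < /dev/null &
    fc_writer=$!

    fc_rc=0
    openssl enc -aes-256-cbc -pbkdf2 -a "$1" -pass "file:$fc_fifo" || fc_rc=$?

    # If openssl exited before opening the FIFO, the writer is still blocked.
    kill "$fc_writer" 2>/dev/null || true
    wait "$fc_writer" 2>/dev/null || true
    rm -rf "$fc_dir"
    return "$fc_rc"
}

# Usage with constructed values:
#   printf '%s' 'constructed-secret' | fifo_crypt -e 'constructed-passphrase' > secret.enc
#   fifo_crypt -d 'constructed-passphrase' < secret.enc
```

As the paragraph above notes, this closes the window for other unprivileged users only; root can still read the FIFO or the process memory.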
encpass.sh now also supports extensions. The first extension is encpass-keybase.sh, which replaces the default OpenSSL encryption backend with Keybase's Saltpack encryption, together with Keybase per-user and per-team keys and encrypted git repos. This makes it easy to share and manage secrets with any team on Keybase. See the extension documentation for details.
The third big feature is the import/export commands. These let keys/secrets be exported to a gzipped tar archive, so you can easily move or replicate your secrets to different machines or share them with a colleague. The compressed archive can also be encrypted with a password for additional security.
Below is the consolidated list of all updates:
- Use named pipes to more securely pass secrets to OpenSSL
- Added extension support to encpass.sh
- Added a Keybase extension (encpass-keybase.sh)
- Added Import/Export commands
- Added rekey command that can generate a new key for a bucket and automatically re-encrypt any existing secrets
- Added lite command that can create a truncated version of encpass.sh without the CLI
- Added more detailed examples and a sample backup script
- Added ls subcommand to dir command to parse ENCPASS_DIR_LIST environment variable for multiple directories
- Updated README.md documentation and documentation for the Keybase extension
- Various fixes