Roadmap
ahnick edited this page Jun 26, 2020
- Allow locking/unlocking of keys with a password
- Allow exporting/importing of keys/secrets to/from a file using tar
  - Allow the exporting process to lock keys with a different password or set of public keys (enables sharing keys with a team without unlocking your own keys)
- Allow using encrypted keys (never storing the key in plaintext on disk) using ssh-agent, which then in turn can be used by encpass.sh to decrypt a key in memory. Requires the encpass.sh shell script to have programmatic interaction with ssh-agent.
- COMPLETED
- Implement a backend extension system.
  - This will override the default openssl/local filesystem implementation with a new implementation specified by a new backend extension script named encpass-(extension).sh
  - Official backends will be stored in the main repo under the /extensions directory
  - One .encpass directory will be tied to exactly one extension in order to prevent confusion about which system a particular encpass setup is talking to. To use multiple encpass extensions on a local machine, the user will simply change the ENCPASS_HOME_DIR environment variable to point to a new location that contains the new extension.
  - The indication of which extension a .encpass directory is tied to will be held in a hidden file within the .encpass directory called ".extension".
  - The .extension file will contain the name of the extension system
  - encpass.sh will expect an extension script file to exist on the local path named "encpass-(extension).sh" that it can invoke when passed commands
  - Backend extensions can override existing encpass.sh commands and functions or add new ones
  - To set the extension of a .encpass directory, call the following command:
    - encpass.sh extension enable (extension)
  - If an extension is already set, prompt whether or not to overwrite it. The default behavior should be NOT to overwrite it, since doing so would make secrets that have already been created under this .encpass directory inaccessible. Possibly force the user to remove all secrets in order to change?
  - Proposed backends:
    - keybase
    - pass - See issue #10.
    - keepassxc
    - gpg/local filesystem
- Import/Export
  - Support piping into encpass.sh via stdin for import
    - Need to detect the difference between piping in a tab-delimited command file vs. storing a password
  - Export secrets/keys using tar and gzip the results
  - Allow setting a password on the exported file
    - If keys are exported, require a password to be set
- Batch command execution via stdin pipe
- Add command-line support for management. The following syntax is planned (example commands):
  - encpass.sh lock (Locks all keys with a password)
  - encpass.sh -k=/path/to/public.key lock (Locks all keys with a public key)
  - encpass.sh unlock (Prompts for a password and then unlocks all keys)
  - encpass.sh -k=/path/to/private.key unlock (Unlocks all keys with a private key)
  - encpass.sh export test.sh test.tar
  - encpass.sh export *.sh all_scripts.tar (support wildcards in export)
  - encpass.sh export * everything.tar (export all labels)
  - encpass.sh import test.tar (Import the archive and overlay it onto the .encpass directory, do not overwrite)
  - encpass.sh import -f test.tar (Import the archive into .encpass and overwrite if it exists)
  - encpass.sh show test.sh password (Show the secret named password for the label test.sh)
  - encpass.sh add test.sh password (Add a secret named password to the label test.sh)
  - encpass.sh add *.sh password (Add a secret named password to all labels with the .sh extension)
  - encpass.sh update test.sh password (Update the secret named password for the label test.sh)
  - encpass.sh update *.sh password (Update the secret named password for all labels with the .sh extension)
  - encpass.sh remove test.sh (Remove the label test.sh, its key, and all secrets that belong to it; prompt for confirmation)
  - encpass.sh remove -f test.sh (Remove the label test.sh, its key, and all secrets that belong to it; force removal without prompt)
  - encpass.sh remove test.sh password (Remove the secret named password from the test.sh label)
  - encpass.sh remove -f test.sh password (Remove the secret named password from the test.sh label; force removal without prompt)
  - encpass.sh remove -f * (Remove all keys and secrets from encpass; force removal without prompt)
  - encpass.sh ls (List all labels stored in encpass)
  - encpass.sh ls *.sh (List all secrets for labels ending in .sh)
  - encpass.sh ls test.sh (List all secrets for the label test.sh)
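As an added illustration of the backend extension design described above (this is example code, not encpass.sh's own implementation), the following POSIX sh sketch ties an .encpass directory to a backend through the hidden .extension file, refuses to overwrite an existing binding unless forced, and sources encpass-(extension).sh from PATH so that its function definitions override the default openssl/local filesystem ones. The function names and the show-secret stub are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not encpass.sh's own code: a sketch of the extension dispatch
# described in the roadmap. Function names and the show-secret stub are assumed.

ENCPASS_HOME_DIR="${ENCPASS_HOME_DIR:-$HOME/.encpass}"

# Default openssl/local filesystem implementation of a command. A sourced
# backend extension may redefine this function to override it.
encpass_show_secret() {
  printf 'default backend: show %s/%s\n' "$1" "$2"
}

# Name of the backend this .encpass directory is tied to (empty if none).
encpass_get_extension() {
  [ -f "$ENCPASS_HOME_DIR/.extension" ] && cat "$ENCPASS_HOME_DIR/.extension"
  return 0
}

# encpass.sh extension enable (extension): record the binding in .extension.
# Refuses to overwrite an existing binding unless the second argument is 1,
# since secrets created under the old backend would become inaccessible.
encpass_extension_enable() {
  ext="$1"; force="${2:-0}"
  mkdir -p "$ENCPASS_HOME_DIR"
  if [ -f "$ENCPASS_HOME_DIR/.extension" ] && [ "$force" != 1 ]; then
    echo "extension already set to $(encpass_get_extension); not overwriting" >&2
    return 1
  fi
  if ! command -v "encpass-$ext.sh" >/dev/null 2>&1; then
    echo "encpass-$ext.sh not found on PATH" >&2
    return 1
  fi
  printf '%s\n' "$ext" > "$ENCPASS_HOME_DIR/.extension"
}

# Source the bound backend script so its definitions override the defaults.
# Every encpass.sh invocation would call this before dispatching a command.
encpass_load_extension() {
  ext="$(encpass_get_extension)"
  [ -n "$ext" ] || return 0
  script="$(command -v "encpass-$ext.sh")" || {
    echo "encpass-$ext.sh missing from PATH" >&2
    return 1
  }
  . "$script"
}
```

Because the extension script is sourced into encpass.sh's own shell, anything on PATH named encpass-(extension).sh runs with the caller's privileges, so the lookup path and the script's permissions deserve the same care as the secrets themselves.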