opensecret 0.0.9925 → 0.0.9949
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +656 -40
- data/lib/configs/README.md +58 -0
- data/lib/extension/file.rb +67 -0
- data/lib/extension/string.rb +10 -0
- data/lib/factbase/facts.opensecret.io.ini +1 -0
- data/lib/interprete.rb +334 -61
- data/lib/keytools/PRODUCE_RAND_SEQ_USING_DEV_URANDOM.txt +0 -0
- data/lib/keytools/kdf.api.rb +9 -15
- data/lib/keytools/kdf.bcrypt.rb +69 -19
- data/lib/keytools/kdf.pbkdf2.rb +112 -23
- data/lib/keytools/key.api.rb +146 -36
- data/lib/keytools/key.db.rb +94 -29
- data/lib/keytools/key.id.rb +1 -1
- data/lib/keytools/key.ident.rb +243 -0
- data/lib/keytools/key.local.rb +62 -68
- data/lib/keytools/key.pass.rb +2 -2
- data/lib/keytools/key.rb +2 -28
- data/lib/modules/{cryptology.md → README.md} +0 -0
- data/lib/session/fact.finder.rb +65 -428
- data/lib/session/time.stamp.rb +1 -28
- data/lib/usecase/cmd.rb +127 -54
- data/lib/usecase/config/README.md +57 -0
- data/lib/usecase/docker/README.md +146 -0
- data/lib/usecase/docker/docker.rb +49 -0
- data/lib/usecase/edit/README.md +43 -0
- data/lib/usecase/edit/delete.rb +46 -0
- data/lib/usecase/export.rb +40 -0
- data/lib/usecase/files/README.md +37 -0
- data/lib/usecase/files/eject.rb +56 -0
- data/lib/usecase/files/file_me.rb +78 -0
- data/lib/usecase/files/read.rb +169 -0
- data/lib/usecase/files/write.rb +89 -0
- data/lib/usecase/goto.rb +57 -0
- data/lib/usecase/id.rb +1 -1
- data/lib/usecase/import.rb +13 -30
- data/lib/usecase/init.rb +2 -17
- data/lib/usecase/jenkins/README.md +146 -0
- data/lib/usecase/jenkins/crazy_ruby_post_attempt.OLD +234 -0
- data/lib/usecase/jenkins/jenkins.rb +208 -0
- data/lib/usecase/login.rb +6 -5
- data/lib/usecase/logout.rb +1 -3
- data/lib/usecase/open.rb +11 -66
- data/lib/usecase/print.rb +40 -0
- data/lib/usecase/put.rb +34 -156
- data/lib/usecase/set.rb +2 -4
- data/lib/usecase/show.rb +138 -0
- data/lib/usecase/terraform/README.md +91 -0
- data/lib/usecase/terraform/terraform.rb +121 -0
- data/lib/usecase/token.rb +4 -80
- data/lib/usecase/update/README.md +55 -0
- data/lib/usecase/update/rename.rb +180 -0
- data/lib/usecase/use.rb +1 -3
- data/lib/usecase/verse.rb +20 -0
- data/lib/usecase/view.rb +71 -0
- data/lib/usecase/vpn/README.md +150 -0
- data/lib/usecase/vpn/vpn.ini +31 -0
- data/lib/usecase/vpn/vpn.rb +54 -0
- data/lib/version.rb +1 -1
- data/opensecret.gemspec +3 -4
- metadata +34 -35
- data/.travis.yml +0 -5
- data/CODE_OF_CONDUCT.md +0 -74
- data/LICENSE.txt +0 -21
- data/bin/ops +0 -20
- data/lib/keytools/binary.map.rb +0 -294
- data/lib/keytools/doc.conversion.to.ones.and.zeroes.ruby +0 -179
- data/lib/keytools/doc.rsa.radix.binary-mapping.ruby +0 -190
- data/lib/keytools/doc.star.schema.strategy.txt +0 -77
- data/lib/keytools/doc.using.pbkdf2.kdf.ruby +0 -95
- data/lib/keytools/doc.using.pbkdf2.pkcs.ruby +0 -266
- data/lib/keytools/key.mach.rb +0 -248
- data/lib/keytools/keydebug.txt +0 -295
- data/lib/modules/cryptology/open.bcrypt.rb +0 -170
- data/lib/usecase/read.rb +0 -89
- data/lib/usecase/safe.rb +0 -92
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8a14fe4f0256b6d9755d804a9b88c5ec0aae3f2afe9661c363631ae3a367b4bc
|
4
|
+
data.tar.gz: b3b97af2390fe20e743a106170435c8cc8b37fae76ab1403bcb5b0722c5cb5cd
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 578f9c4f2e3469e9814f2ee9528874a9ec6fdd879fcd838fd21eb57b3d806ae6bd00cbf2e266229b37860ea21c3105f8f65ed60748d4ca6c737c1652e36ca59d
|
7
|
+
data.tar.gz: e38f255ce6e2b281a0e7e70cdadd2762ad433e081300a509bf4f793f7415775654d41bbb1ec27c9464251985cf0bf1a073862ae056a6c629fb23b212d99e1226
|
data/README.md
CHANGED
@@ -1,46 +1,488 @@
|
|
1
1
|
opensecret [![Build Status](https://secure.travis-ci.org/TwP/inifile.png)](http://travis-ci.org/TwP/inifile)
|
2
2
|
==========
|
3
3
|
|
4
|
-
|
4
|
+
safe database introduction
|
5
5
|
-----------
|
6
|
+
**A safe database contains books that you login to.** A book contains **`chapters`** and chapters contain **`verses`**. Each verse has a number of lines which are just key/value pairs.
|
7
|
+
|
8
|
+
## Joe Bloggs Social Media Accounts
|
9
|
+
|
10
|
+
Joe Bloggs wants to safely store his social media account credentials. His creates a book called **`joe.bloggs`**, a chapter called **`social`** and verses called **facebook**, **twitter**, **instagram** and **snapchat**. These verses will hold key value pairs like username, @password and signin.url (aka lines).
|
11
|
+
|
12
|
+
```
|
13
|
+
safe init joe.bloggs /path/to/dir # create a book called joe.bloggs
|
14
|
+
safe login joe.bloggs # login to the book
|
15
|
+
```
|
16
|
+
|
17
|
+
## create facebook credentials
|
18
|
+
|
19
|
+
The joe.bloggs book has been created. Now create the **social chapter** and **facebook verse**.
|
20
|
+
|
21
|
+
```
|
22
|
+
safe open social facebook # open chapter social and verse facebook
|
23
|
+
safe put username joeybloggs9 # create a username (key/value) line
|
24
|
+
safe put @password s3cr3t # create a password (key/value) line
|
25
|
+
safe put signin.url https://xxx # create a signin url (key/value) line
|
26
|
+
```
|
27
|
+
|
28
|
+
## create twitter credentials
|
29
|
+
|
30
|
+
Now that facebook is done - Joe **creates another verse called twitter** under the social chapter.
|
31
|
+
|
32
|
+
```
|
33
|
+
safe open social twitter # open chapter social and verse twitter
|
34
|
+
safe put username joebloggs4 # create a username (key/value) line
|
35
|
+
safe put @password secret12 # create a password (key/value) line
|
36
|
+
safe put signin.url https://yyy # create a signin url (key/value) line
|
37
|
+
```
|
38
|
+
|
39
|
+
**`safe open`** creates a new chapter verse or goes to one if it exists. Commands like **`safe put`**, **`safe show`** and **`safe delete`** all work on the currently opened chapter and verse.
|
40
|
+
|
41
|
+
|
42
|
+
## keep it safe
|
43
|
+
|
44
|
+
You use **`safe`** to put and retrieve credentials into an uncrackable encrypted "safe" on your filesystem or USB key.
|
45
|
+
|
46
|
+
<pre>
|
47
|
+
You interact with opensecret on the command line, or through DevOps scripts and pipelines. opensecret will soon **integrate** with storage solutions like S3, Git, SSH, Docker, Redis, the AWS key manager (KMS), Docker, Google Drive, Kubernetes Secrets, Git Secrets, OAuth2, KeePass, LastPass and the Ansible / HashiCorp vaults.
|
48
|
+
</pre>
|
6
49
|
|
7
|
-
opensecret
|
50
|
+
opensecret is **simple**, intuitive and highly secure. <b><em>It never accesses the cloud</em></b>. The crypt files it writes are precious to you but <b><em>worthless</em></b> to everyone else.
|
8
51
|
|
9
|
-
opensecret
|
52
|
+
opensecret | Install and Configure
|
53
|
+
-----------
|
10
54
|
|
11
55
|
## install opensecret
|
12
56
|
|
13
57
|
$ gem install opensecret
|
14
|
-
$ export
|
15
|
-
$
|
16
|
-
$
|
58
|
+
$ export SAFE_TTY_TOKEN=`safe token` # setup a shell session variable
|
59
|
+
$ safe init joe@abc /home/joe/credentials # initialize a secrets domain
|
60
|
+
$ safe login joe@abc # login to the new domain
|
17
61
|
|
18
62
|
You initialize then login to a **domain** like **joe@abc**. In the init command we specify where the encrypted material will be stored. Best use a USB key or phone to use your secrets on any drive or computer.
|
19
63
|
|
20
64
|
You only need to run init once on a computer for each domain - after that you simply login.
|
21
65
|
|
22
|
-
|
66
|
+
More information will be provided on installing and using safe via a gem install, Ubuntu's apt-get, yum, a docker container, a development install, a unit test install and a software development kit (SDK) install.
|
67
|
+
|
68
|
+
## Create Alias for Export Safe Terminal Token
|
69
|
+
|
70
|
+
It's tiresome to manually create the **SAFE_TTY_TOKEN environment variable** that is required by opensecret.
|
71
|
+
|
72
|
+
So create an **alias safetty (export token)** command like this noting the escaped <b>back-ticks</b> surrounding the <b>safe token</b> call.
|
73
|
+
|
74
|
+
$ echo "alias safetty='export SAFE_TTY_TOKEN=\`safe token\`'" >> ~/.bash_aliases
|
75
|
+
$ cat ~/.bash_aliases # Check the alias has been added to ~/.bash_aliases
|
76
|
+
$ source ~/.bash_aliases # Use source to avoid grabbing a new shell this time
|
77
|
+
|
78
|
+
Now before using opensecret simply call safetty.
|
23
79
|
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
80
|
+
$ safetty # safe terminal token
|
81
|
+
$ printenv | grep SAFE_TTY_TOKEN # check it was created
|
82
|
+
$ safe login joe@abc # login to a book
|
83
|
+
$ safe view # chapters and verses
|
84
|
+
|
85
|
+
There are other ways to initialize the shell token including
|
86
|
+
|
87
|
+
- via a Docker run ENV parameter
|
88
|
+
- inside a Vagrantfile (vagrant up)
|
89
|
+
|
90
|
+
Do not add it to the bash profile script because opensecret uses the parent process id and bash profile will in effect use opensecret's grandparent's process id.
|
91
|
+
|
92
|
+
|
93
|
+
## Remove Token | Environment Variable
|
94
|
+
|
95
|
+
When the shell closes the shell token will disappear which is good. You can clear it immediately with these commands.
|
96
|
+
|
97
|
+
$ unset SAFE_TTY_TOKEN # Delete the shell session token
|
98
|
+
$ env | grep SAFE_TTY_TOKEN # Check SAFE_TTY_TOKEN is deleted
|
99
|
+
$ env -i bash # Delete every env var created by shell
|
100
|
+
|
101
|
+
|
102
|
+
## Chapter and Verse | Its a Book
|
103
|
+
|
104
|
+
Visualize your safe **as a book** (like the Bible or the Oxford English Dictionary).
|
105
|
+
|
106
|
+
You **open the book at a chapter and verse** then read, write and update a **key/value dictionary**.
|
107
|
+
|
108
|
+
- **joe.credentials** is the **book** we login to.
|
109
|
+
- **email.accounts** is the **chapter** we open
|
110
|
+
- **joe@gmail.com** is the **verse** we open
|
111
|
+
|
112
|
+
Now we can **put** and **read** key/value entries at the chapter and verse we opened.
|
113
|
+
|
114
|
+
- <tt>**safe open email.accounts joe@gmail.com**</tt>
|
115
|
+
- <tt>**safe put username joe**</tt>
|
116
|
+
- <tt>**safe input password**</tt>
|
117
|
+
- <tt>**safe put question "Mothers Maiden Name"**</tt>
|
118
|
+
- <tt>**safe put answer "Rumpelstiltskin"**</tt>
|
119
|
+
- <tt>**safe tell**</tt>
|
30
120
|
|
31
121
|
**What happened?** Look in the configured folder and you'll see some breadcrumbs and your first envelope. What happened was
|
32
122
|
|
33
123
|
- the "emal.accounts" envelope is created for joe@gmail.com
|
34
124
|
- the username and a memorable question are put in
|
35
|
-
- **
|
36
|
-
- **
|
125
|
+
- **safe input password** securely collects the password
|
126
|
+
- **safe tell** outputs all the data at the opened path
|
37
127
|
|
38
128
|
Let's put data for the next email account into the same "email.acocunts" envelope.
|
39
129
|
|
40
|
-
- <tt>**
|
41
|
-
- <tt>**
|
42
|
-
- <tt>**
|
43
|
-
- <tt>**
|
130
|
+
- <tt>**safe open email.accounts joe@yahoo.com**</tt>
|
131
|
+
- <tt>**safe put username joey**</tt>
|
132
|
+
- <tt>**safe input secret**</tt>
|
133
|
+
- <tt>**safe tell**</tt>
|
134
|
+
|
135
|
+
|
136
|
+
## emacs passwords | safe login
|
137
|
+
|
138
|
+
Emacs tries to detect a password prompt by examining the prompt text. These will match.
|
139
|
+
|
140
|
+
- Password:
|
141
|
+
- Enter new password:
|
142
|
+
|
143
|
+
Use **`Alt-x send-invisible`** or **`M-x send-invisible`** if emacs gets it wrong.
|
144
|
+
|
145
|
+
In emas passwords entered in the special minibuffer
|
146
|
+
|
147
|
+
- are not displayed
|
148
|
+
- nor are they entered into any history list
|
149
|
+
|
150
|
+
There are ways to help Emacs recognize password prompts using regular expressions and lisp lists but this complexity is rarely warranted.
|
151
|
+
|
152
|
+
## Keeping Files Secret
|
153
|
+
|
154
|
+
**Whole files can be secured in the safe - not just a sequence of characters.**
|
155
|
+
|
156
|
+
### A single file
|
157
|
+
|
158
|
+
**This is legacy functionality and will soon be refactored using the multi-file embedded map approach.**
|
159
|
+
|
160
|
+
You can pull in (and spit out) a file into the dictionary at the opened chapter and verse using **`safe read`** and **`safe write`**
|
161
|
+
|
162
|
+
$ safetty # alias command puts token in an environment variable
|
163
|
+
$ safe login <<book>> # login to a book
|
164
|
+
$ safe open <<chapter>> <<verse>> # go to the dictionary at the opened chapter/verse
|
165
|
+
$ safe show # look at the key/value pairs in the dictionary
|
166
|
+
$ safe read ~/creds/my-key.pem # an encrypted file is added to the safe directory
|
167
|
+
$ safe write # the file is decrypted and faithfully returned
|
168
|
+
|
169
|
+
With read/write only one file can be added to a dictionary. If you **safe read** the second time the safe file is effectively overwritten and unretrievable. Note that **safe write** creates a backup if the file exists at the filepath before overwriting it.
|
170
|
+
|
171
|
+
But can we put more than one file into a dictionary?
|
172
|
+
|
173
|
+
### Putting Many Files into a Dictionary
|
174
|
+
|
175
|
+
**These commands may be refactored into read and write.**
|
176
|
+
Suppose you have 4 openvpn (ovpn) files and you want them encrypted in just one dictionary. You can do it with **safe inter** and **safe exhume**
|
177
|
+
|
178
|
+
$ safe inter production.vpn ~/tmp-vpn-files/prod.ovpn
|
179
|
+
$ safe inter development.vpn ~/tmp-vpn-files/dev.ovpn
|
180
|
+
$ safe inter canary.vpn ~/tmp-vpn-files/canary.ovpn
|
181
|
+
$ safe inter staging.vpn ~/tmp-vpn-files/stage.ovpn
|
182
|
+
$ safe show
|
183
|
+
|
184
|
+
Against the @production.vpn key exists a sub-dictionary holding key-value pairs like in.url, out.url, permissions, is_zip, use_sudo, date_created, date_modified and most importantly **content**.
|
185
|
+
|
186
|
+
The actual file content is converted into a url safe base64 format (resulting in a sequence of characters) and then put into the dictionary with keys named production.vpn, canary.vpn and so on.
|
187
|
+
|
188
|
+
$ safe exhume
|
189
|
+
|
190
|
+
This powerful command **excavates all files** thus reconstituting them into their configured plaintext destinations.
|
191
|
+
|
192
|
+
$ safe exhume production.vpn # dig out just the one file
|
193
|
+
$ safe exhume 'production.vpn,canary.vpn' # dig out every file in the list
|
194
|
+
$ safe exhume production.vpn ~/new/live.ovpn # dig out file to specified path
|
195
|
+
|
196
|
+
|
197
|
+
In keeping with the safe tradition of zero parameter commands whenever and wherever possible the **safe inter** command will now reread all the files again because safe knows where they should be.
|
198
|
+
|
199
|
+
$ safe inter
|
200
|
+
|
201
|
+
### Passing Files in through Standard In
|
202
|
+
|
203
|
+
**@Yet to be implemented. Above inter/exhume should be read/write and the below should be the real inter/exhume**
|
204
|
+
File content can be presented at standard in (stdin) and ejected to (stdout) in keeping with unix command tradition.
|
205
|
+
|
206
|
+
$ cat ~/.ssh/repo-private-key.pem | safe inter repo.key
|
207
|
+
$ safe exhume repo.key > /media/usb/repository-key.pem
|
208
|
+
|
209
|
+
Internally and therefore private - inter converts the multiline text into urlsafe base 64 on the way (std)in and exhume does the opposite on the way (std)out.
|
210
|
+
|
211
|
+
## Scripts can Read Safe's Credentials
|
212
|
+
|
213
|
+
Within a DevOps script, you can read from a safe and write to it without the credentials touching the ground (disk) and/or sides.
|
214
|
+
|
215
|
+
DevOps engineers often comment that this is the safe's most attractive feature. All you have to do is to tell safe that it is being called from within a script. This an example of connecting to a database maybe to create some space.
|
216
|
+
|
217
|
+
$ safetty
|
218
|
+
$ safe login joe@bloggs.com
|
219
|
+
$ safe open mysql production
|
220
|
+
|
221
|
+
$ python db-create-space.py
|
222
|
+
|
223
|
+
You've logged into a safe book and opened a chapter and verse. Then you call a script - **look no parameters!**
|
224
|
+
|
225
|
+
(Improve by using actual python commands).
|
226
|
+
|
227
|
+
Now within the script could be lines like this.
|
228
|
+
|
229
|
+
db_url = %x[safe print db.url --script]
|
230
|
+
db_usr = %x[safe print db.usr --script]
|
231
|
+
db_pass = %x[safe print db.pass --script]
|
232
|
+
|
233
|
+
db_conn = Connection.new( db_url, db_usr, db_pass )
|
234
|
+
|
235
|
+
Notice the credentials have not touched the disk. The decrypted form was only used in memory to connect.
|
236
|
+
|
237
|
+
The switch **--script** tells safe that it is being called from within a script. Safe won't give out credentials if the script in turn calls another script and that calls safe - it only obliges when you have run the command yourself.
|
238
|
+
|
239
|
+
This gives you peace of mind that sub-processes two or more levels deep will not be able to access your credentials.
|
240
|
+
|
241
|
+
You can also limit the credentials in a book. Scripts can only access credentials in books that you have logged into. Credentials in other books within your safe are out of scope.
|
242
|
+
|
243
|
+
|
244
|
+
## Scripts can Write Credentials into your Safe
|
245
|
+
|
246
|
+
Many DevOps scripts source credentials that then need to be stored. Scripts can use Safe's configurable random generators to produce passwords, public/private keypairs and AES keys. Or the credentials are sourced externally and the scripts then place them into the safe.
|
247
|
+
|
248
|
+
|
249
|
+
## opensecret | The Commands
|
250
|
+
|
251
|
+
$ safe login <<book>> # login to one of the books in the safe
|
252
|
+
$ safe use <<book>> # switch to this or that book (if logged in)
|
253
|
+
$ safe open <<chapter>> <<verse>> # open email accounts chapter at this verse (specific account)
|
254
|
+
$ safe view # contents page of chapters and verses in this book
|
255
|
+
$ safe goto <<N>> # shortcut for open command (pick number from the viewed list
|
256
|
+
|
257
|
+
$ safe put <<key>> <<value>> # put in a non-sensitive key-value pair
|
258
|
+
$ safe put @<<key>> <<value>> # put in a non-sensitive key-value pair
|
259
|
+
|
260
|
+
$ safe show # show the key/value dictionary at chapter and verse
|
261
|
+
|
262
|
+
|
263
|
+
## Chapter and Verse | Types
|
264
|
+
|
265
|
+
What types can opensecret store. Remember the
|
266
|
+
- book
|
267
|
+
- chapter
|
268
|
+
- verse
|
269
|
+
|
270
|
+
You login to a book and then "open" it up at a chapter and verse.
|
271
|
+
|
272
|
+
At that point you get a dictionary with string keys. The value types can be
|
273
|
+
|
274
|
+
- strings
|
275
|
+
- integers
|
276
|
+
- booleans
|
277
|
+
- lists
|
278
|
+
- dictionaries
|
279
|
+
- another book, chapter and verse
|
280
|
+
- files (plain, binary, zip)
|
281
|
+
|
282
|
+
## Concepts Yet to be Documented
|
283
|
+
|
284
|
+
We need to fix the login bug which we now workaround by init(ing) every time.
|
285
|
+
On top of that we must document the behaviour for
|
286
|
+
|
287
|
+
- list management (create read add remove eject) - remove is given a value while eject is given an index
|
288
|
+
- crud operations on books, chapters, verses and key/value entries
|
289
|
+
- password changing
|
290
|
+
- hardening configuration using Hexadecimal characters
|
291
|
+
|
292
|
+
## How to configure opensecret's behaviour
|
293
|
+
|
294
|
+
We can configure opensecret's behaviour
|
295
|
+
|
296
|
+
- globally for all books on a given workstation
|
297
|
+
- locally for activities pertaining to the current book
|
298
|
+
|
299
|
+
|
300
|
+
## Exporting Credentials in Different Formats
|
301
|
+
|
302
|
+
Once credentials are in opensecret they can be exported in different formats.
|
303
|
+
Also you can start a shell, login, open a chapter and verse and then give opensecret the command to run.
|
304
|
+
|
305
|
+
It can then export out selected (key/value) dictionaries at the opened chapter and verse as
|
306
|
+
|
307
|
+
- **environment variables**
|
308
|
+
- **Kubernetes Secrets formatted files**
|
309
|
+
- **AWS IAM user environment variables or files**
|
310
|
+
- **RubyGem credentials (consumable by rake)**
|
311
|
+
- **rclone credentials for accessing GoogleDrive, Rackspace**
|
312
|
+
- **openvpn (ovpn) files (with keys/certs) for VPN tunnels**
|
313
|
+
- **ubuntu network manager configurations fir VPN and wireless**
|
314
|
+
- **certificates RubyGem credentials (consumable by rake)**
|
315
|
+
- **git credentials for pushing (or cloning) a git repo**
|
316
|
+
|
317
|
+
In effect, opensecret can start VPNs, wireless connections, launch Firefox with certificates installed, run Ansible and Terraform suppling vital credentials - all this **without the credentials ever touching the ground (filesystem)**.
|
318
|
+
|
319
|
+
## Generating Credentials
|
320
|
+
|
321
|
+
The following can be generated from a single command
|
322
|
+
|
323
|
+
- password strings configurable by length, set of printable characters and encoding
|
324
|
+
- private / public key pairs with bit length configurable (up to 8192 bits) - also format configurable
|
325
|
+
- AWS SSH keypairs
|
326
|
+
- certifcates including signed (root) certificates
|
327
|
+
|
328
|
+
## Allowing Credentials Access
|
329
|
+
|
330
|
+
Once the above are locked inside your safe - you
|
331
|
+
|
332
|
+
## Did you know?
|
333
|
+
|
334
|
+
Did you know that
|
335
|
+
- plaintext credentials are written by git config credential.helper store
|
336
|
+
- plaintext credentials are written (out of home directory) by ubuntu network manager
|
337
|
+
- plaintext credentials live under an AWS config directory.
|
338
|
+
|
339
|
+
|
340
|
+
## Configure Length of Generated Password
|
341
|
+
|
342
|
+
|
343
|
+
Visit the below - has perfect parameters for configuring the output of a generating credential.
|
344
|
+
|
345
|
+
https://www.terraform.io/docs/providers/random/r/string.html
|
346
|
+
|
347
|
+
Maybe find the Go software or Ruby alternatives.
|
348
|
+
|
349
|
+
The following arguments are supported:
|
350
|
+
|
351
|
+
- length - (Required) The length of the string desired
|
352
|
+
- upper - (Optional) (default true) Include uppercase alphabet characters in random string.
|
353
|
+
- min_upper - (Optional) (default 0) Minimum number of uppercase alphabet characters in random string.
|
354
|
+
- lower - (Optional) (default true) Include lowercase alphabet characters in random string.
|
355
|
+
- min_lower - (Optional) (default 0) Minimum number of lowercase alphabet characters in random string.
|
356
|
+
- number - (Optional) (default true) Include numeric characters in random string.
|
357
|
+
- min_numeric - (Optional) (default 0) Minimum number of numeric characters in random string.
|
358
|
+
- special - (Optional) (default true) Include special characters in random string. These are '!@#$%&*()-_=+[]{}<>:?'
|
359
|
+
- min_special - (Optional) (default 0) Minimum number of special characters in random string.
|
360
|
+
- override_special - (Optional) Supply your own list of special characters to use for string generation. This overrides characters list in the special argument. The special argument must still be set to true for any overwritten characters to be used in generation.
|
361
|
+
- keepers - (Optional) Arbitrary map of values that, when changed, will trigger a new id to be generated. See the main provider documentation for more information.
|
362
|
+
|
363
|
+
|
364
|
+
$ safe password length <<weight>>
|
365
|
+
|
366
|
+
The length of randomly generated passwords (secret strings) can be weighted from 1 to 32. The generated
|
367
|
+
password length can still vary but is guaranteed to be one of 7 possible lengths as shown below.
|
368
|
+
|
369
|
+
| ---------------------- | -------------------- |
|
370
|
+
| | Expected Char Count |
|
371
|
+
| ---------------------- | -------------------- |
|
372
|
+
| Password Length Weight | Min | Median | Max |
|
373
|
+
| ---------------------- | -------------------- |
|
374
|
+
| 1 | 8 | 11 | 14 |
|
375
|
+
| 2 | 9 | 12 | 15 |
|
376
|
+
| 3 | 10 | 13 | 16 |
|
377
|
+
| 4 | 11 | 14 | 17 |
|
378
|
+
| 5 | 12 | 15 | 18 |
|
379
|
+
| 6 | 13 | 16 | 19 |
|
380
|
+
| 7 | 14 | 17 | 20 |
|
381
|
+
| 8 | 15 | 18 | 21 |
|
382
|
+
| 9 | 16 | 19 | 22 |
|
383
|
+
| 10 | 17 | 20 | 23 |
|
384
|
+
| 11 | 18 | 21 | 24 |
|
385
|
+
| 12 (default) | 19 | 22 | 25 |
|
386
|
+
| 13 | 20 | 23 | 26 |
|
387
|
+
| 14 | 21 | 24 | 27 |
|
388
|
+
| 15 | 22 | 25 | 28 |
|
389
|
+
| 16 | 23 | 26 | 29 |
|
390
|
+
| 17 | 24 | 27 | 30 |
|
391
|
+
| 18 | 25 | 28 | 31 |
|
392
|
+
| 19 | 26 | 29 | 32 |
|
393
|
+
| 20 | 27 | 30 | 33 |
|
394
|
+
| 21 | 28 | 31 | 34 |
|
395
|
+
| 22 | 29 | 32 | 35 |
|
396
|
+
| 23 | 30 | 33 | 36 |
|
397
|
+
| 24 | 31 | 34 | 37 |
|
398
|
+
| 25 | 32 | 35 | 38 |
|
399
|
+
| 26 | 33 | 36 | 39 |
|
400
|
+
| 27 | 34 | 37 | 40 |
|
401
|
+
| 28 | 35 | 38 | 41 |
|
402
|
+
| 29 | 36 | 39 | 42 |
|
403
|
+
| 30 | 37 | 40 | 43 |
|
404
|
+
| 31 | 38 | 41 | 44 |
|
405
|
+
| 32 | 39 | 42 | 45 |
|
406
|
+
| ---------------------- | -------------------- |
|
407
|
+
|
408
|
+
The lowest 1 setting will produce a 8, 9, 10, 11, 12, 13 or 14 character password.
|
409
|
+
|
410
|
+
The default password hovers in the low to mid twenties whilst the hardest 32 setting will generate a
|
411
|
+
length 42 password string (give or take 3 characters on either side).
|
412
|
+
|
413
|
+
No extra benefit is derived from generating passwords with lengths in excess of 42 characters.
|
414
|
+
|
415
|
+
Don't forget that the above has **nothing** to do with the password you choose to protect your opensecret safe.
|
416
|
+
This only applies to (securely) randomly generated character sequences used to create passwords for external
|
417
|
+
applications and systems.
|
418
|
+
|
419
|
+
### Configure Makeup of Password | Printable Characters
|
420
|
+
|
421
|
+
Some systems reject certain characters. Lloyds Bank for example will only accept alpha-numerics.
|
422
|
+
|
423
|
+
In these cases we need to configure the set of characters that sources the actual sequence of password characters.
|
424
|
+
|
425
|
+
Again you can configure 1 to 32 which guarantees that the generated password sequence will be locked down to
|
426
|
+
(possibly) include a character and all those that come before it.
|
427
|
+
|
428
|
+
There are 62 alpha-numerics which is the starting point and smallest source pool of usable choosable characters for a printable character sequence.
|
429
|
+
|
430
|
+
- ---------------------- | -------------------- - --------- -
|
431
|
+
| Password Makeup Weight | # | Char Name | Character |
|
432
|
+
| ---------------------- | -----| ------------- | --------- |
|
433
|
+
| 1 | 62 | alpha-nums | A-Za-z0-9 |
|
434
|
+
| 2 | 63 | underscore | _ |
|
435
|
+
| 3 | 64 | period | . |
|
436
|
+
| 4 | 65 | hyphen | - |
|
437
|
+
| 5 | 66 | at symbol | @ |
|
438
|
+
| 6 | 67 | squiggle | ~ |
|
439
|
+
| 7 | 68 | hyphen | - |
|
440
|
+
| 8 | 69 | plus sign | + |
|
441
|
+
| 9 | 70 | percent | % |
|
442
|
+
| 10 | 71 | equals | = |
|
443
|
+
| 11 | 72 | SPACE | |
|
444
|
+
| 12 | 73 | fwd slash | / |
|
445
|
+
| 13 | 74 | hat symbol | ^ |
|
446
|
+
| 14 | 75 | soft open | ( |
|
447
|
+
| 15 | 76 | soft close | ) |
|
448
|
+
| 16 | 77 | square open | [ |
|
449
|
+
| 17 | 78 | square close | ] |
|
450
|
+
| 18 | 79 | curly open | { |
|
451
|
+
| 19 | 80 | curly close | } |
|
452
|
+
| 20 | 81 | angle open | < |
|
453
|
+
| 21 | 82 | angle close | > |
|
454
|
+
| 22 | 83 | pipe symbol | | |
|
455
|
+
| 23 | 84 | hash symbol | # |
|
456
|
+
| 24 | 85 | question mark | ? |
|
457
|
+
| 25 | 86 | colon | : |
|
458
|
+
| 26 | 87 | semi-colon | ; |
|
459
|
+
| 27 | 88 | comma | , |
|
460
|
+
| 28 | 89 | asterix | * |
|
461
|
+
| 29 | 90 | ampersand | & |
|
462
|
+
| 30 | 91 | exclamation | ! |
|
463
|
+
| 31 | 92 | dollar sign | $ |
|
464
|
+
| 32 | 93 | back tick | ` |
|
465
|
+
| ---------------------- | -----| ------------- | --------- |
|
466
|
+
|
467
|
+
Use the full set of **93 printable characters** when protecting high value assets like databases.
|
468
|
+
|
469
|
+
### Binary Data
|
470
|
+
|
471
|
+
Some more advanced cryptography leaning services can handle binary streams (usually encoded) - opensecret can produce these at the drop of a hat.
|
472
|
+
|
473
|
+
### Kubernetes Secrets
|
474
|
+
|
475
|
+
opensecret can transfer a verse (or even the whole chapter) into a Kubernetes Secrets compatible format.
|
476
|
+
|
477
|
+
Kubernetes Secrets (through the kubectl interface) require that hexadecimal (base64) encoding be applied to secrets coming in through the letterbox.
|
478
|
+
|
479
|
+
opensecret can output dictionary (key/value pair) configurations in a format consumable by Kubernetes secrets.
|
480
|
+
|
481
|
+
### Encoding Character Sequences
|
482
|
+
|
483
|
+
|
484
|
+
|
485
|
+
|
44
486
|
|
45
487
|
### opensecret | All Done!
|
46
488
|
|
@@ -60,9 +502,9 @@ opensecret | moving computer
|
|
60
502
|
We travel between laptops, desktops, virtual machines and even docker containers. Always run init the first time you use a domain on a different computer.
|
61
503
|
|
62
504
|
$ gem install opensecret
|
63
|
-
$ export
|
64
|
-
$
|
65
|
-
$
|
505
|
+
$ export SAFE_TTY_TOKEN=`safe token` # setup a shell session variable
|
506
|
+
$ safe init joe@abc /home/joe/credentials # initialize a secrets domain
|
507
|
+
$ safe login joe@abc # login to the new domain
|
66
508
|
|
67
509
|
Run all four commands the first time. Then simply run the second and fourth commands whenever you open a new shell to interact with opensecret.
|
68
510
|
|
@@ -122,29 +564,208 @@ opensecret is simple and holistically secure. *Simple* means less mistakes, less
|
|
122
564
|
Every domain is tied to backend storage which is accessible by you and others in your domain. You can use Git, S3, a networked filesystem or shared drive, a SSH accessible filesystem and soon, free storage from <tt>opensecret.io</tt>
|
123
565
|
|
124
566
|
|
125
|
-
|
567
|
+
## How to Use OpenSecret as an SDK | Require it from another Ruby program
|
126
568
|
|
127
|
-
|
569
|
+
You can require opensecret (as an SDK) and interact with it directly from any other Ruby program without wrappers.
|
128
570
|
|
129
|
-
|
571
|
+
$ gem install opensecret
|
572
|
+
$ irb
|
573
|
+
$ > require "opensecret"
|
574
|
+
$ > OpenSecret::Interprete.version()
|
130
575
|
|
131
|
-
|
576
|
+
The above should return the **installed version** of OpenSecret.
|
132
577
|
|
133
|
-
|
578
|
+
If you get a **LoadError (cannot load such file -- opensecret)** then try the below.
|
134
579
|
|
135
|
-
|
580
|
+
$ irb
|
581
|
+
$ > $LOAD_PATH
|
136
582
|
|
137
|
-
|
583
|
+
[
|
584
|
+
"/usr/share/rubygems-integration/all/gems/did_you_mean-1.2.0/lib",
|
585
|
+
"/usr/local/lib/site_ruby/2.5.0",
|
586
|
+
"/usr/local/lib/x86_64-linux-gnu/site_ruby",
|
587
|
+
"/usr/local/lib/site_ruby",
|
588
|
+
"/usr/lib/ruby/vendor_ruby/2.5.0",
|
589
|
+
"/usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/2.5.0",
|
590
|
+
"/usr/lib/ruby/vendor_ruby",
|
591
|
+
"/usr/lib/ruby/2.5.0",
|
592
|
+
"/usr/lib/x86_64-linux-gnu/ruby/2.5.0"
|
593
|
+
]
|
138
594
|
|
139
|
-
``` bash
|
140
|
-
ls -lah /var/lib/gems/2.5.0/gems/
|
141
|
-
gem uninstall opensecret
|
142
|
-
```
|
143
595
|
|
144
|
-
If more than one version is installed you will be prompted to select the ones to delete.
|
145
596
|
|
146
|
-
You will also be asked whether the **opensecret executables** (which are **ops** and **opensecret**) should be removed. If you say yes they are removed from **/usr/local/bin**
|
147
597
|
|
598
|
+
## SAFE PROPOSED FUNCTIONALITY DOCUMENTATION
|
599
|
+
|
600
|
+
|
601
|
+
Before we can move to siloed safe workspaces and RELEASE the software into the public domain we must refactor file handling and implement vital methodologies for evolving the software.
|
602
|
+
|
603
|
+
## File Storage Methodology
|
604
|
+
|
605
|
+
- delete the concepts of content.id, content.iv and content.key in the context of files.
|
606
|
+
- add one more key to file verse @file.content and store the urlsafe base64 contents of the file there
|
607
|
+
|
608
|
+
@@@@@@@@@@@@ change
|
609
|
+
@@@@@@@@@@@@ change ==> maybe better to create a sub dictionary (map) for the file so will be
|
610
|
+
@@@@@@@@@@@@ change ==> key value pairs. Keys could be permissions - 755 | @content - BASE64 file representation | read.url - http://shareprices/mcdonalds.yaml | write.url $HOME/shares/mcds.yaml | type - binary
|
611
|
+
@@@@@@@@@@@@ change
|
612
|
+
|
613
|
+
This move means that if we wish to export and import we do not need to fiddle with chapter files vs file files.
|
614
|
+
|
615
|
+
---
|
616
|
+
|
617
|
+
## Advanced | Sub Lists and Sub Dictionaries
|
618
|
+
|
619
|
+
### Introduce Concept of Lists, Sets and Dictionaries within the Verse Mini Dictionary
|
620
|
+
|
621
|
+
This concept will come with more commands - like so
|
622
|
+
|
623
|
+
safe add favfoods rice
|
624
|
+
safe insert favfoods |5| potato ## Note first index is 0 -> Also -2 is 2nd last | default is -1 (append at the end)
|
625
|
+
safe remove favfoods chicken
|
626
|
+
safe pop favfoods |3|
|
627
|
+
safe place cityfacts {}
|
628
|
+
safe place cityfacts { "london" => "6,200,000", "beijing" => "20,500,000", "new york" => "9,300,000" }
|
629
|
+
safe get cityfacts beijing
|
630
|
+
safe remove cityfacts "new york"
|
631
|
+
|
632
|
+
Also you can now print in many formats including --hex, --json, --base64, --xml, --ini, --yaml
|
633
|
+
|
634
|
+
|
635
|
+
---
|
636
|
+
|
637
|
+
## Import Export Methodology
|
638
|
+
|
639
|
+
Now build export to simply spit out everything into plain text chapter files (within safe workspace - export section).
|
640
|
+
Then the json chapter files are tarred and compressed.
|
641
|
+
Build import to uncompress then unzip then use the JSON to re-create the database
|
642
|
+
|
643
|
+
---
|
644
|
+
|
645
|
+
## Upgrade methodology
|
646
|
+
|
647
|
+
This move opens the door to safe's beautifully simple upgrade methodology. To upgrade safe to a major or minor version you
|
648
|
+
|
649
|
+
- use the outgoing version to export all books
|
650
|
+
- then we upgrade safe
|
651
|
+
- then we use the new safe software to import and you are done.
|
652
|
+
|
653
|
+
---
|
654
|
+
|
655
|
+
Now we have cleared the path for a SIMPLE Backup and Restore method.
|
656
|
+
|
657
|
+
## Backup Restore Methodology
|
658
|
+
|
659
|
+
The backup/restore MUST BE VERSION AGNOSTIC (in as far as is human and machinely possible.
|
660
|
+
Employ the export first giving us first zip file.
|
661
|
+
Then add a backup meta-data file with details like who when why which tag which version and most IMPORTANTLY the random IV and SALT for the key that locks the exported content file.
|
662
|
+
|
663
|
+
The backup method retars up compresse both the metadata and the locked file. The new filename is like this.
|
664
|
+
|
665
|
+
safe.backup.<<book-name-code>>.<<time-stamp-millis>>.<<version>>.tar.gz
|
666
|
+
|
667
|
+
It adds it to the local safe backup workspace. It can only be done when logged in.
|
668
|
+
|
669
|
+
safe restore /path/to/backup/file.tar.gz
|
670
|
+
|
671
|
+
A restore will override the current in-place repository (after creating a backup of it) and user given option to rollback the restore.
|
672
|
+
|
673
|
+
This method (theoretially) allows a version 3.428.24952 to restore an export of version 1.823.03497
|
674
|
+
|
675
|
+
---
|
676
|
+
|
677
|
+
## Safe's Concurrency Methodology
|
678
|
+
|
679
|
+
A safe repository (book) can be changed by one session but read concurrently by multiple sessions.
|
680
|
+
|
681
|
+
Directory Links are NOT PORTABLE to use to point to the active workspace especially if we the safe root folder is on a USB key.
|
682
|
+
A GOOD engough concurrency technique is a lock file in the BOOK's root folder that is named `safe.concurrency.lockfile.<<book.id>>`
|
683
|
+
|
684
|
+
The contents of the file will hold the relative directory name (session ID based) that has the lock and the session ID that had it before that (if not first).
|
685
|
+
|
686
|
+
The <machine.id>.<bootup.id> is used to when the first read/write login session occurs. Subsequent logins for a read/write session will then have 2 choices in this shell.
|
687
|
+
|
688
|
+
- safe login ali.baba --steal # take over the primary read/write session
|
689
|
+
- safe login ali.baba --branch # leave primary session but open one that will not change the price of sugar
|
690
|
+
- safe login ali.baba --branch=master
|
691
|
+
- safe login ali.baba --branch=experimental
|
692
|
+
- safe login ali.baba -b experimental
|
693
|
+
|
694
|
+
safe login --steal
|
695
|
+
|
696
|
+
A third choice arises if we visit the shell holding the directory pointer and logout.
|
697
|
+
|
698
|
+
### safe logout command
|
699
|
+
|
700
|
+
Logout NEVER TOUCHES the lock file (it could have moved on multiple times so only login can act on it).
|
701
|
+
|
702
|
+
However logout DELETES the cipher.file intra-sessionary ciphertext that can be unlocked by session key to retrieve the content key. This action renders it impossible to read or write any data from logged in book.
|
703
|
+
|
704
|
+
A subsequent login can again re-instate this privilege.
|
705
|
+
|
706
|
+
## safe login command
|
707
|
+
|
708
|
+
At the very beginning a repository can come into being through either
|
709
|
+
|
710
|
+
- an init
|
711
|
+
- or a clone (from git,s3,ssh,local filesystem, http)
|
712
|
+
|
713
|
+
The first repo holds the live link.
|
714
|
+
|
715
|
+
Subsequent logins must perform two checks
|
716
|
+
|
717
|
+
- IS MY DIRECTORY (session) noted as the latest in the lock file (possible if you've logged out of the same shell)
|
718
|
+
- (if other directory) - Does the intra-sessionary key within that directory's cipher file have a value
|
719
|
+
|
720
|
+
The popup asking the user to STEAL or go READONLY is triggered if the answers above are NO then YES.
|
721
|
+
|
722
|
+
### Safe steal | HowTo
|
723
|
+
|
724
|
+
If intra key has no value then stealing is not necessary so the existence of the --steal flag does not change the price of sugar.
|
725
|
+
|
726
|
+
The Stealing flow of events is to
|
727
|
+
|
728
|
+
- copy the directory into a new one for this session named `<<book.id>>.<<timestamp>>.<<session.key>>`
|
729
|
+
- validate the directory for data consistency (nice to have functionality)
|
730
|
+
- collect the password and if invalid stop now
|
731
|
+
- grab the lock file and write it to point it to our directory (we are it)
|
732
|
+
- create our own intra-sessionary key and write it in within our folder
|
733
|
+
|
734
|
+
### Safe branch | HowTo
|
735
|
+
|
736
|
+
Starting a BRANCH allows you to read and write to a copied branched repository but this branch does not change the price of sugar.
|
737
|
+
|
738
|
+
In the future MERGE functionality may be implemented so that the database branch can be merged back into the master line.
|
739
|
+
|
740
|
+
May a safe overthrow command can be crudely done which rudely overthrows the main (government) line and installs this dictatorish branch as the leader - possibly trashing any changes that the master line may have since the branch occured.
|
741
|
+
|
742
|
+
|
743
|
+
## safe gc (garbage collector) | safe workspace prune
|
744
|
+
|
745
|
+
The prune command can delete workspaces if
|
746
|
+
- they are not the master branch AND
|
747
|
+
- they have not been changed in this bootup (or a logout has been issued againt them).
|
748
|
+
|
749
|
+
## safe WORO policy
|
750
|
+
|
751
|
+
chapter files can only be written once but can be read often.
|
752
|
+
This policy may make merging and diffs between branches easier in the future.
|
753
|
+
|
754
|
+
|
755
|
+
|
756
|
+
|
757
|
+
|
758
|
+
|
759
|
+
|
760
|
+
### Development
|
761
|
+
|
762
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
763
|
+
|
764
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
765
|
+
|
766
|
+
### Contributing
|
767
|
+
|
768
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/opensecret. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
148
769
|
|
149
770
|
License
|
150
771
|
-------
|
@@ -170,8 +791,3 @@ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
|
170
791
|
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
171
792
|
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
172
793
|
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
173
|
-
|
174
|
-
### Code of Conduct
|
175
|
-
|
176
|
-
Everyone interacting in the OpenSecret project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/opensecret/blob/master/CODE_OF_CONDUCT.md).
|
177
|
-
|