-rw-r--r--  index.mdwn                   20
-rwxr-xr-x  lib/keyringer/functions       8
-rw-r--r--  share/man/keyringer.1.mdwn    8
3 files changed, 19 insertions, 17 deletions
@@ -26,7 +26,7 @@ Just clone And then leave it somewhere, optionally adding it to your `$PATH` environment variable or package it to your preferred distro. -If you're using debian `jessie` or `unstable`, just run +If you're using Debian `jessie` or `unstable`, just run apt-get install keyringer @@ -60,7 +60,7 @@ want to checkout it, use Managing recipients ------------------- -Your next step is tell keyringer the GPG key ids to encrypt files to: +Your next step is tell keyringer the OpenPGP key IDs to encrypt files to: keyringer <keyring> recipients edit [recipient-name] keyringer <keyring> recipients ls @@ -168,11 +168,11 @@ Concepts Basic idea is: - - Encrypt screts using multiple users's gpg public keys and commit the output in a git repo. + - Encrypt screts using multiple users's OpenPGP public keys and commit the output in a git repository. - Let users keep it in sync with the repository and the secrets are shared :) -For "secrets" it's meant anything as the script work with stdin and output things to +Secrets can be any regular file as the script work with stdin and output things to files, so it can be passphrases, private keys or other kind of information. With theses scripts, the workflow is more or less like this: @@ -180,7 +180,7 @@ With theses scripts, the workflow is more or less like this: - You have a git repo for secret keys. - You run the "encrypt" command and paste your private key to this - command (so no plaintext disk write). + command (so no plaintext is written to disk). - The encrypt command writes an encrypted file to the repo. 
@@ -189,15 +189,17 @@ With theses scripts, the workflow is more or less like this: - Optionally, other users pulls the changes but they dont need to decrypt anything until they need to use the keys. -So it's just gpg-encrypted data atop of a git repository (one can think of a -kind of distributed encrypted filesystem). +In summary, keyringer data store is basically gpg-encrypted data atop of a git +repository (one can think of a kind of distributed encrypted filesystem). Git was chosen to host encrypted info mostly for two reasos: easy to distribute and its the only VCS known to make easier repository history manipulation. One possible drawback: the repo has pubkey information attached, which can be -linked to real ppl (and then disclose the information about who has access to a -given key), but it's possible to: +linked to real people (and then disclose the information about who has access to a +given key). + +To mitigate that, it's possible to: - Keep the repo just atop of an encrypted and non-public place. diff --git a/lib/keyringer/functions b/lib/keyringer/functions index 832385e..5936ff0 100755 --- a/lib/keyringer/functions +++ b/lib/keyringer/functions @@ -544,7 +544,7 @@ function keyringer_check_repository { # Git maintenance operations echo "Running git maintenance operations..." keyringer_exec git "$BASEDIR" fsck - keyringer_exec git "$BASEDIR" gc --prune=all + keyringer_exec git "$BASEDIR" gc echo "" # Sync the repository @@ -581,7 +581,7 @@ function keyringer_check_recipient_size { local size=$(echo "$recipient" | wc -c) if (( $size < 41 )); then - echo "Fatal: please set the full GPG signature hash for key ID $recipient:" + echo "Fatal: please set the full OpenPGP fingerprint for key ID $recipient:" cat <<-EOF Please provide a full OpenPGP fingerprint, for example: 
@@ -671,8 +671,8 @@ function keyringer_check_recipient_key { fi echo "" else - echo "Fatal: no such key $recipient on your GPG keyring." - echo "Please check for this key or fix the recipient file." + echo "Fatal: no such key $recipient on your OpenPGP keyring." + echo "Please retrieve this key yourself or fix the recipient file." exit 1 fi diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn index 84895c2..adbaaa2 100644 --- a/share/man/keyringer.1.mdwn +++ b/share/man/keyringer.1.mdwn @@ -20,8 +20,8 @@ re-encrypt secrets. It also supports encryption to multiple recipients and groups of recipients, to allow a workgroup to share access to a single repository while restricting some secrets to subsets of the group. -Secrets are encrypted using GPG and added to a Git tree so that they can be -synced with remote branches later. +Secrets are encrypted using OpenPGP and added to a Git tree so that they +can be synced with remote branches later. # ACTIONS @@ -160,7 +160,7 @@ clip <*secret*> : Copy the first line of a secret to the clipboard, following password-store convention. xclip <*secret*> -: Alis to clip action. +: Alias to clip action. # CONFIGURATION ACTIONS @@ -209,7 +209,7 @@ recipients <*ls*|*edit*> <*recipients-file*> Each line in a recipients file has entries in the format 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where *john@doe.com* - is an alias for the GPG public key whose fingerprint is + is an alias for the OpenPGP public key whose fingerprint is *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.* All lines starting with the hash (#) character are interpreted as comments. |
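Review bot: in the index.mdwn hunk at @@ -60, the rewritten line still reads "Your next step is tell keyringer"; since the line is being touched anyway, fix the grammar to "Your next step is to tell keyringer the OpenPGP key IDs to encrypt files to:".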
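Review bot: in the index.mdwn hunk at @@ -168, the added bullet carries over two typos from the removed one, "screts" and "users's"; suggest "- Encrypt secrets using multiple users' OpenPGP public keys and commit the output in a git repository." The rewritten sentence below it, "Secrets can be any regular file as the script work with stdin and output things to", also needs "works", and because secrets are read from stdin rather than from a file, "any regular file" is misleading; "Secrets can be anything, as the script reads from stdin and writes to" matches what the following line says.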
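Review bot: in the index.mdwn hunk at @@ -189, this commit replaces "GPG" with "OpenPGP" everywhere else, but the new summary line still says "keyringer data store is basically gpg-encrypted data atop of a git repository"; for consistency make it "OpenPGP-encrypted" (and "the keyringer data store"). The unchanged context lines in the same hunk have "reasos" and "its the only VCS", which should be "reasons" and "it's", worth fixing while this paragraph is being edited.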
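Review bot: in the lib/keyringer/functions hunk at @@ -544, dropping `--prune=all` from `keyringer_exec git "$BASEDIR" gc` changes what the maintenance step does, not just its wording, and the hunk carries no comment or message explaining why. With the option, git gc discarded unreachable loose objects immediately; without it, git applies its default expiry window (two weeks, or whatever gc.pruneExpire is set to), so an unreachable object, for example an encrypted secret that was dropped from history, stays in the local object store for that period. If the reason is to avoid pruning objects a concurrent operation may still need, that is a defensible trade-off, but state it in a comment above the call, and make sure the documentation on history manipulation tells users to run `git gc --prune=now` themselves when an object must actually be gone from the repository.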
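Review bot: in the lib/keyringer/functions hunk at @@ -581, the new message asks for a "full OpenPGP fingerprint for key ID $recipient", but what it is complaining about is precisely that $recipient is not a full fingerprint; "for recipient $recipient" reads more clearly. The surrounding check also deserves a comment: `local size=$(echo "$recipient" | wc -c)` counts the trailing newline, so the threshold `(( $size < 41 ))` corresponds to 40 hex characters plus one; `${#recipient}` with a threshold of 40 would avoid both the pipeline and the off-by-one puzzle, and a pattern test such as `[[ "$recipient" =~ ^[0-9A-Fa-f]{40}$ ]]` would additionally reject values that have the right length but are not fingerprints at all.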
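Review bot: in the lib/keyringer/functions hunk at @@ -671, "Please retrieve this key yourself or fix the recipient file." is vaguer than the old "check for this key": the user has to guess that "retrieve" means importing the key into their own keyring. Suggest "Please import this key into your keyring or fix the recipient file." so the expected action is explicit.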