aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: 45528735994f89f6c78fdb13e3a8ff32aecf791a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
# Keyringer: encrypted and distributed secret sharing software

Keyringer lets you manage and share secrets using GnuPG and Git with custom
commands to encrypt, decrypt, recrypt, create key pairs, etc.

* Repository and issue tracker: [https://0xacab.org/rhatto/keyringer](https://0xacab.org/rhatto/keyringer)
* Repository mirror: [https://git.fluxo.info/keyringer](https://git.fluxo.info/keyringer)
* Archived issue trackers:
  * [Built-in Taskwarrior database](/tasks).
  * [Trac](https://keyringer.fluxo.info/trac)
* Manpage: [keyringer.1](share/man/keyringer.1)
* License: [GPLv3+](LICENSE)
* Tor Onion Service: [http://fpwwehb7ngvmxwl5ahtubh5gs5i4olmrubx73zlnzheubhjweik5irid.onion](http://fpwwehb7ngvmxwl5ahtubh5gs5i4olmrubx73zlnzheubhjweik5irid.onion)
* Releases: [https://keyringer.fluxo.info/releases](releases)
* Contact: rhatto at riseup.net

Index
-----

[TOC]

Installation
------------

Just clone

    git clone https://0xacab.org/rhatto/keyringer.git

You can also verify the latest commit's OpenPGP signature:

    /usr/bin/git -C keyringer verify-commit HEAD

Note that `/usr/bin/git` is called to avoid any other `git` wrappers or aliases
you might have available on your shell.

You can also add the `keyringer` script into your `$PATH` environment variable
or package it to your preferred distro.

If you're using Debian `stable` or newer, just run

    apt-get install keyringer

Creating a keyringer repository
-------------------------------

The first step is to setup a keyring.

Keyringer supports management of multiple isolated keyrings.  To start
a new keyring (or register an existing one with your config file), run:

    keyringer <keyring> init <path> [remote]

This will

  1. Add an entry at `$HOME/.keyringer/config` aliasing 'keyring' to 'path'.
  2. Initialize a git repository if needed.

For example,

    keyringer friends init $HOME/keyrings/friends

creates an alias "friends" pointing to `$HOME/keyrings/friends`. All
other keyring actions for this keyring should be called using this alias.

If there is an existing remote keyring git repository and you just
want to checkout it, use

    keyringer friends init $HOME/keyrings/friends <repository-url>

Managing secrets
----------------

Each `secret` has a corresponding file inside `keys` subdirectory from the
keyring folder. Keyringer has plenty of actions to operate in these secrets:

   keyringer <keyring> commands

Encrypting a secret

    keyringer <keyring> encrypt <secret>

Encrypting a secret from a file

    keyringer <keyring> encrypt <secret> <plaintext-file>

Decrypting a secret (only to stdout)

    keyringer <keyring> decrypt <secret>

Re-encrypting a secret or the whole repository

    keyringer <keyring> recrypt [secret]

Appending information to a secret

    keyringer <keyring> append <secret>

Editing a secret

    keyringer <keyring> edit <secret>

Use this option with caution as it keeps temporary unencrypted data
into a temporary folder.

Listing secrets

    keyringer <keyring> ls [arguments]

Git wrapper
-----------

Keyringer comes with a simple git wrapper to ease common management tasks:

    keyringer <keyring> git remote add keyringer <url>
    keyringer <keyring> git push keyringer master
    keyringer <keyring> git pull

Configuration files, preferences, options and recipients
--------------------------------------------------------

Basic keyringer operation depends in a set of configuration files:

  1. Main config file: `$HOME/.keyringer/config`: store the location of
     each keyring.

  2. User preferences per keyring: `$HOME/.keyringer/<keyring>`: managed by
     "keyringer <keyring> preferences". Preferences aren't shared among
     users, so each user can have it's own set of preferences.

  3. Custom keyring options: `$KEYRING_FOLDER/config/options`: managed by
     "keyringer <keyring> options". Options are shared among all
     keyring users.

  4. Recipients: `$KEYRING_FOLDER/config/recipients/`: controls the list of
     OpenPGP public key fingerprints that should be used when encrypting content.
     Multiple recipients are supported, so secrets can be encrypted to
     different sets of OpenPGP pubkeys in the same keyring.

Other configuration parameters used by keyringer and it's actions are stored at
`$KEYRING_FOLDER/config/`.

Using a non-default OpenPGP key
-------------------------------

If you want to use a different key other than your default for a given
keyringer, use

    keyringer <keyring> preferences add KEYID=<fingerprint>

Example:

    keyringer <keyring> preferences add KEYID=0123456789ABCDEF0123456789ABCDE012345678

Managing recipients
-------------------

Keyringer uses the `default` recipient stored at `$KEYRING_FOLDER/config/recipients/default`
as the standard list of OpenPGP public key fingerprints to which secrets should be encrypted.

Additionally, keyringer supports multiple `recipient` files which can have a different set
of OpenPGP public key fingerprints used for encryption.

Recipients are matched against secrets according to it's path. If there exists a recipient
called `accounting`, the following secret will be encrypted using it's OpenPGP public key
fingerprints:

    keyringer <keyring> encrypt accounting/balance

In other words, the `accounting` recipient file is used because the secret name begins
with `accounting`.

So it's the case that recipients listed in the `default` recipient but not in the
`accounting` recipients won't be able to decrypt this secret.

When you first initalized your keyring, keyringer might have asked you to populate
the `default` recipient list or you cloned a keyring repository which already has
the `default` recipient.

If you want more recipient files, your next step is tell keyringer the OpenPGP
key IDs to encrypt files to:

    keyringer <keyring> recipients edit [recipient-name]
    keyringer <keyring> recipients ls

Remember that keyringer support multiple recipients in a per-folder style. Try
it by creating a sample recipient file:

    keyringer <keyring> recipients edit closest-friends

Fill it with your friends key IDs. Now encrypt a secret just for then:

    keyringer <keyring> encrypt closest-friends/secret

In other words, if keyringer finds a recipient file matching a given path,
it will use it instead of the global recipients file.

You can even create recipient files with your friends' key IDs but without
yours: then you shall be able to encrypt secrets for them that even you cannot
access. Try to find an use case for that ;)

Each recipient list is defined in a file placed at `config/recipients` in your
keyring repository. Take care to add just trustable recipients.

Design
------

Keyringer's basic concepts are as follows:

  - Each secret is encrypted using multiple users's OpenPGP public keys and commit the
    output in a git repository we call a "keyring".

  - A "recipient" a list of OpenPGP keys associated with a path in the keyring, so each
    keyring can have multiple recipient definitions so secret compartmentalization is
    builtin. All encryption should respect recipient definition.

  - Users can keep their keyring copies in sync using any git remote and push/pull
    strategy they like, so key sharing gets easy.

  - A secret is not limited to passphrases or text: keyringer supports any file encryption,
    so managing private keys, spreadsheets and media files are handled without distinction.

  - Secret is stored with OpenPGP ASCII-armoured output, so one doesn't need any special
    program besides GnuPG to actually decrypt information.

  - Keyringer is agnostic about how you store your secrets. You may choose to have
    one encrypted file that contains one line for each secret, e.g. a single file called
    secrets with lines such as:

        emma : root : secret1
        emma - /dev/hda : : secret2

    Or you may also have a different encrypted file for each secret, e.g. a file called
    `emma.root` that contains the root passphrase for the server named `emma` and
    another called `emma.hda` with the passphrase to decrypt `/dev/hda` on `emma`.

    Creating a logical structure to store your secrets is up to you :)

Workflow
--------

Keyringer can be used as a personal or shared password/secret manager:

  - Each keyring is a full git repository used to store encrypted secrets
    using ASCII-armoured OpenPGP.

  - Actions like `encrypt` allows you to paste your secrets directly to
    GnuPG so no plaintext is written to disk.

  - By commiting, pushing and pulling each keyring repository, you can
    easily share secrets with other people and systems and they don't
    need to decrypt this information until they need.

In summary, keyringer data store is basically gpg-encrypted data atop of a git
repository (one can think of a kind of distributed encrypted filesystem).

Git was chosen to host encrypted info mostly for two reasos: easy to distribute
and its the only VCS known to make easier repository history manipulation.

Limitations
-----------

See the [manpage](share/man/keyringer.1) for details.

Alternatives
------------

There are many alternatives do collaborative secret management. Here are some:

* [Pass: The Standard Unix Password Manager](https://www.passwordstore.org/)
* [SOPS: Secret OPerationS: Simple and flexible tool for managing secrets](https://github.com/mozilla/sops)

Also check

* [This page](https://wiki.koumbit.net/PasswordManagementService/SoftwareComparison)
  a comparison on different password management tools.
* [This issue](https://gitlab.torproject.org/tpo/tpa/team/-/issues/29677) for an
  additional discussion.

Requirements
------------

Keyringer needs:

* [Bash](http://tiswww.case.edu/php/chet/bash/bashtop.html)
* [Git](http://git-scm.com)
* [GNU Privacy Guard](http://gnupg.org)
* Grep, awk, tail, cut, sed and other GNU tools

Optional dependencies if you want to manage ssl keys:

* [OpenSSL](http://www.openssl.org)

Development guidelines
----------------------

See [development](development.md).