From b1b2665c8a8ba8bb741fdce95255f1874b2f2eb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C3=ABtan=20Lehmann?= Date: Sat, 3 Feb 2024 15:44:06 +0100 Subject: [PATCH] some readme enhancements --- README.md | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index eb5ec9a..3745744 100644 --- a/README.md +++ b/README.md @@ -29,12 +29,17 @@ workflows. If you think this looks a lot like [SOPS](https://getsops.io/), you're right! This is basically what SOPS is doing, but we some key differences: -* `yage` doesn't include any extra data in the encrypted file, in particular no `mac` field. This - allow the encrypted file to be modified by someone that only has the public key, while still preserving - the encrypted values. +* `yage` doesn't include any metadata in the encrypted file, in particular no [MAC](https://en.wikipedia.org/wiki/Message_authentication_code). * `yage` is focused on age encryption, and include everything required in a single binary. -* `yage` arguments and options are designed to be easy to use in a CI/CD pipeline, in a shell script, - in a git hook or interactively. + +The lack of MAC, while it could be seen as a missed opportunity to add some security, actually allows +some interesting use cases: + * the encrypted file can modified by someone that only has the public key, while still preserving + the encrypted values. + * the encrypted file can modified by multiple persons and merged in a version control system without + having to decrypt it first. + * the encrypted file only contains the original keys and the encrypted values, so it can be used + to verify that it is usable for a specific task without having to decrypt it or remove the metadata. ## Installation 
@@ -204,6 +209,22 @@ with the environment variables set to the decrypted values in a single command: $ yage run -K prod.key secrets.yaml env terraform apply ``` +## Why? + +Mostly to unlock the ability to add values to an encrypted file without having to decrypt it, +thing that is not possible with SOPS. Something I've not been the only one frustrated with, see +[here](https://github.com/getsops/sops/discussions/1081), +[here](https://stackoverflow.com/questions/74103453/is-it-possible-to-update-a-sops-encrypted-file-without-decrypting-it-first), +[here](https://github.com/getsops/sops/issues/1117), [here](https://github.com/getsops/sops/issues/833), … + +And because writing command line tools in rust is fun! + +## Still to be done + +* [ ] Add tests. Coming soon! +* [ ] Add a status command to ensure the whole file is encrypted/decrypted +* [ ] Support comments. Sadly no YAML library that I know of supports comments, so this will be a bit tricky. + ## License `yage` is distributed under the terms of the MIT license.
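Review bot: In the first hunk, the sentence "The lack of MAC, while it could be seen as a missed opportunity to add some security" understates the trade-off that the three new bullets then rely on: because the file carries no MAC, anyone holding only the public key can add, remove or re-encrypt values and the decrypting side has no way to tell a legitimate edit from tampering, which is exactly the property the first bullet advertises. Suggest stating that plainly in the README, e.g. "`yage` does not protect the integrity of the file as a whole; that has to come from elsewhere (signed commits, review, restricted write access to the repository)", so readers do not read the bullets as "no MAC is harmless". Two smaller points in the same hunk: "the encrypted file can modified by" (twice) is missing "be", and the new sub-bullets are indented with a leading space (" * the encrypted file ...") while every other list in this README starts "* " at column 0; the indented form renders as a nested list under the previous bullet in most Markdown renderers, so either drop the leading space or indent them consistently under the bullet they belong to.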
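Review bot: In the second hunk, "thing that is not possible with SOPS. Something I've not been the only one frustrated with, see" does not parse; suggest "something that is not possible with SOPS. I'm not the only one frustrated by this, see". The "Still to be done" item "Add a status command to ensure the whole file is encrypted/decrypted" is also the natural place to reference the missing-MAC limitation from the first hunk, since a status check is the only tool-side way a user would notice an unencrypted or unexpected key being merged in; a short "see the note about MAC above" would tie the two sections together.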