Lightweight solution for using encrypted passwords in shell scripts
This release fixes the regex that strips one or more leading hyphens from the shell name under which encpass.sh is invoked. Typically such a hyphen is present when encpass.sh is invoked from a login shell. Thanks to @whalehub for the PR!
This release adds support for invoking CLI commands multiple times (e.g. importing multiple secrets from a shell script)
Example:
. encpass.sh
encpass_cmd_import -fop secret1.enc
encpass_cmd_import -fop secret2.enc
It also reduces the number of calls to encpass_checks and addresses an issue (https://github.com/plyint/encpass.sh/issues/24) where the shell name (or script name) might contain a hyphen. All leading hyphens are now stripped from argument 0, which corresponds to the invoking shell or script name.
This release fixes an issue (https://github.com/plyint/encpass.sh/issues/19) with the help command not displaying on macOS. It also now falls back to outputting directly to less when man is not available on a system.
Added command line completion for the bash shell for the version command.
Fixed minor quoting and argument errors that were being reported by shellcheck for the new version command.
Added support for a version command, which will output the tag version for encpass.sh and the SHA256 checksums (if sha256sum is available) for encpass.sh and any enabled extension.
$ encpass.sh version
tag version: v4.1.0
SHA256 Checksum: d4e57f32106a8820901b43cd6398e8a42f9df96010a3074d57bde7ffd0e781e7 /usr/local/bin/encpass.sh
SHA256 Checksum: 5f8a0bcad3033322f9ffbf78cf58d7f02ec599712a0d57e2f83690fc22d43ba6 /usr/local/bin/encpass-keybase.sh
The tag version corresponds to the git commit that is tagged with that same version number. It is possible that your local copy of the script contains additional changes beyond that tag version (e.g. you pulled it directly from the master branch), but those changes could at most extend up to just before the next tag version.
You can determine whether your copy of encpass.sh is identical to a specific commit or tag in the official repo by computing the SHA256 checksum of that commit's encpass.sh script. To find the SHA256 checksum of an encpass.sh commit or tag from the git repo, curl the raw script and pipe it into sha256sum:
curl --silent https://raw.githubusercontent.com/plyint/encpass.sh/93d42340c24e62132049430dd26c26736697e440/encpass.sh | sha256sum
This release contains a lot of changes that have been accumulating on the master branch.
From a security standpoint, the default OpenSSL implementation has been improved through the use of named pipes. Previously, there was a very small window of time, while the secret was being passed to the openssl command, during which another user on the same machine might have been able to discover the secret. With a named pipe this is no longer possible. Of course, this does not prevent the root user from accessing secrets/keys, so always exercise caution if you don't trust who has root access to the machine you are using.
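The named-pipe hand-off described above, as an added example that is not encpass.sh's own code: a POSIX sh helper that passes a secret to a child process through a private FIFO so it never appears in any process's argument list. The helper name run_with_secret_fifo and the demo consumers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not encpass.sh's own code: hand a secret to a child process
# through a private named pipe (FIFO) instead of a command-line argument, so
# it never shows up in the child's argument list. The helper name
# run_with_secret_fifo is an assumption for illustration.

# Usage: run_with_secret_fifo SECRET COMMAND [ARGS...]
# COMMAND is run with the FIFO path appended as its last argument and is
# expected to read the secret (one line) from that path.
run_with_secret_fifo() {
  secret=$1
  shift
  # mktemp -d creates a 0700 directory, so other users cannot open the FIFO.
  dir=$(mktemp -d) || return 1
  fifo="$dir/secret.fifo"
  mkfifo -m 600 "$fifo" || { rm -rf "$dir"; return 1; }
  # Opening a FIFO for writing blocks until a reader opens it, so the writer
  # runs in the background. printf is a shell builtin, so the secret is never
  # an argument of any process.
  printf '%s\n' "$secret" > "$fifo" &
  writer=$!
  "$@" "$fifo"
  rc=$?
  # If COMMAND failed before opening the FIFO, the writer is still blocked in
  # open(): terminate it so nothing lingers holding the secret.
  kill "$writer" 2>/dev/null || true
  wait "$writer" 2>/dev/null || true
  rm -rf "$dir"
  return "$rc"
}

# Demo consumer: echoes the secret it read from the FIFO, proving the hand-off.
demo_read_secret() {
  run_with_secret_fifo "$1" cat
}

# Demo consumer that only prints its argument list: the output contains the
# FIFO path but never the secret, which is what a process listing would show.
demo_show_argv() {
  run_with_secret_fifo "$1" sh -c 'printf "%s\n" "$*"' argv-demo
}
```

With openssl the same helper applies as `run_with_secret_fifo "$pass" openssl enc -aes-256-cbc -pbkdf2 -in plain.txt -out secret.enc -kfile`, since `-kfile` reads the passphrase from the first line of the given file.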
encpass.sh now also supports extensions. The first extension is encpass-keybase.sh. This extension replaces the default OpenSSL encryption backend and instead uses Keybase's Saltpack encryption together with Keybase per-user and per-team keys and encrypted git repos. This makes it easy to share and manage secrets with any team on Keybase. See the extension documentation for details.
The third big feature is the import/export commands. These allow keys/secrets to be exported to a gzipped tar archive, which makes it easy to move or replicate your secrets to other machines or share secrets with a colleague. The compressed archive can also be encrypted with a password for additional security.
Below is the consolidated list of all updates:
A password value was not being enforced when locking keys, but a password was required when unlocking them. This could lead to a situation where the keys could not be unlocked. The logic is now consistent.
Fixed error scenarios for locking/unlocking where failed attempts to unlock a file could later cause corruption via subsequent unlocking or locking attempts. Also improved error messaging for locking.
The README has also been updated with a description of how to invoke shellcheck for testing.
Shellcheck is now fully integrated into the encpass.sh development process; it has been run on encpass.sh and all current issues have been addressed. There are some instances where we want globbing to occur, to allow bulk operations with encpass.sh, and those warnings are now properly suppressed in encpass.sh.
Along with shellcheck various other items were completed. Here is the full list: