
Comments (12)

maggie44 avatar maggie44 commented on August 26, 2024

Hi,

I'm not sure I entirely understand the question, but you could generate an RClone configuration file to look inside using RClone itself: https://rclone.org/commands/rclone_config/. Once you create a remote it will show you a config file. By default without any encryption or configuration, it could be as simple as:

[local]
type = local

In terms of configuration, it is configured automatically and isn't intended to be edited manually as it contains keys.

from secure-store.

u93 avatar u93 commented on August 26, 2024

Sorry for the lack of better context,

I mean this file: https://github.com/balena-labs-research/secure-store/blob/main/keys/encrypt.conf

That I'm not sure what it does or how it got itself encrypted


maggie44 avatar maggie44 commented on August 26, 2024

It is generated in this step from the readme:

Encrypt your files using a secure password. My example password is my-password-eQ4al9jgPxlWDwxL6uiGdznhhVJzaVQPnkNRjwvwoTvqWpeBJJJZ and is included below, replace it with your own.

docker run \
--device /dev/fuse \
--cap-add SYS_ADMIN \
-v ${PWD}/source:/app/source \
-v ${PWD}/encrypted:/app/storage \
-v ${PWD}/keys:/app/keys \
ghcr.io/balena-labs-research/secure-store \
-encrypt-content ./source/. \
-config-path ./keys/encrypt.conf \
-password my-password-eQ4al9jgPxlWDwxL6uiGdznhhVJzaVQPnkNRjwvwoTvqWpeBJJJZ

The files generated in ./keys should be stored in your GitHub Secrets and written to your container on build rather than kept in your GitHub repo, but for now we will continue by copying them into the containers through the Dockerfiles to be more transparent on how it works.

-config-path ./keys/encrypt.conf

You should remove the default encrypt.conf, and then it will generate you a new one.


u93 avatar u93 commented on August 26, 2024

In that command by specifying -encrypt-content and -config-path if I delete the default it will create a new encrypt.conf and then use it to encrypt the contents of ./source in that order?

Sorry, I'm not very familiar with Golang, so it's a bit complex for me to go over all the code without first understanding how the CLI works...


maggie44 avatar maggie44 commented on August 26, 2024

In that command by specifying -encrypt-content and -config-path if I delete the default it will create a new encrypt.conf and then use it to encrypt the contents of ./source in that order?

Yes.

If encrypt.conf exists, it will use that to encrypt the files.
If encrypt.conf doesn't exist, it will generate a new key. This is the better option, as you don't want to use the one published here in public.
Then it takes the contents of source/, encrypts it with the encrypt.conf key, and produces the encrypted files in encrypted/.

These are good questions, I am going to try and push a change in a minute to make it clearer and to avoid accidentally using the encrypt.conf that is already there.


u93 avatar u93 commented on August 26, 2024

I think it's great to have a file created there already that works with the Balena application that can be deployed to test... In my case I just struggled understanding the steps and how flexible the process is, as later I need to adapt this into my own services.


maggie44 avatar maggie44 commented on August 26, 2024

I was thinking something like this: https://github.com/balena-labs-research/secure-store/pull/3/files

The demo still works, but now when you run the docker command I mentioned above, you see a new encrypt.conf file generated rather than it using the one that already exists. I know it's still not going to be super easy to understand, but think that's a bit better?


u93 avatar u93 commented on August 26, 2024

It makes sense! If I could add a recommendation, for the commands to start the secure-store client it would be nice to mention that there is an option to force unmount (-force-unmount) for when someone is testing.


maggie44 avatar maggie44 commented on August 26, 2024

Did you run into an instance where that was required? Where in the docs would it be helpful?


u93 avatar u93 commented on August 26, 2024

So when testing with my own password, and just the project in general with small variations, I made mistakes testing and I would get errors later like:

/app # /app/secure-store -decrypt -local $STORE_PASSWORD ./start.sh 
Attempting decrypt...
 Decrypting environment variable ENCRYPTED_TESTVAR
2023/02/01 16:16:16 mount helper error: fusermount: failed to access mountpoint /app/decrypted: Socket not connected
FATA[0000] failed to mount FUSE fs: fusermount: exit status 1

This would be fixed by doing the same command but like this:

/app/secure-store -decrypt -local $STORE_PASSWORD -force-unmount ./start.sh

But I got lucky that I found the flag when checking the secure-store binary and gave it a try, so I think it could be helpful to mention it.

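The two pitfalls raised in this thread (accidentally reusing an encrypt.conf that is already present, and a stale FUSE mount left behind by a crashed run that only -force-unmount clears) can both be caught before the tool is invoked. The following POSIX sh pre-flight helpers are an added example, not code from the secure-store project; the mount-table file and the /app/decrypted mount path are assumptions, and the mounts content in the test is constructed.

```sh
#!/bin/sh
# Added example (not part of secure-store): pre-flight checks for the two
# pitfalls discussed in this thread, as POSIX sh functions.
# Assumptions: paths are passed as arguments; the mounts table defaults to
# /proc/mounts but any file in the same format can be supplied for testing.

# 1. Refuse to reuse an encrypt.conf that already exists unless the caller
#    explicitly opts in, so the key published in the demo repo is never picked
#    up by accident. Returns 0 when it is safe to run the encrypt command.
check_encrypt_conf() {
  conf="$1"                 # e.g. ./keys/encrypt.conf
  allow_existing="${2:-no}" # pass "yes" to knowingly reuse an existing key
  if [ -e "$conf" ] && [ "$allow_existing" != "yes" ]; then
    echo "refusing: $conf already exists; delete it to generate a fresh key" >&2
    return 1
  fi
  return 0
}

# 2. Report whether a mount path is still registered in the mounts table,
#    the state behind "failed to access mountpoint ... Socket not connected"
#    after a previous run died without unmounting. Returns 0 when a stale
#    entry is present (caller should add -force-unmount), 1 otherwise.
#    Note: /proc/mounts escapes spaces in paths as \040; exact match on field 2.
stale_mount_present() {
  mnt="$1"
  table="${2:-/proc/mounts}"
  awk -v m="$mnt" '$2 == m { found = 1 } END { exit found ? 0 : 1 }' "$table"
}

# 3. Build the decrypt invocation, adding -force-unmount only when needed.
#    The password stays as the literal $STORE_PASSWORD reference so the
#    printed command never contains the secret itself.
decrypt_cmd() {
  mnt="$1"; table="$2"
  cmd='/app/secure-store -decrypt -local "$STORE_PASSWORD"'
  if stale_mount_present "$mnt" "$table"; then
    cmd="$cmd -force-unmount"
  fi
  echo "$cmd ./start.sh"
}
```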

maggie44 avatar maggie44 commented on August 26, 2024

I see what you mean.

You can run -help on the binary to see all the options:

./secure-store -help
Usage of ./secure-store:
  -base64
        Generate base64 outputs instead of files
  -certificate-path string
        Path for the MTLS certificate (default "./cert.pem")
  -config-path string
        Path for the config file (default "./encrypt.conf")
  -decrypt
        Start the mTLS client, look for a decryption key on the provided address and port and then attempt a decrypt
  -encrypt-content -password
        Encrypt the content of the provided path. This flag requires the -password flag
  -env-only
        Decrypt the encrypted environment variables, but do not create a mount
  -force-unmount
        Attempt a forced unmount of the mount path before mounting
  -generate-keys
        Generate the two mTLS keys and save them as files
  -hostname string
        Override the default hostname for the server and MTLS key configuration (default "localhost")
  -key-path string
        Path for the MTLS key (default "./key.pem")
  -local string
        Create an encrypted mount locally using the provided password
  -new-key
        Generate a random key for use in your Secure Store
  -password -string
        The password to encrypt the string passed via -string
  -path string
        Path for your decrypted content (default "./decrypted")
  -port string
        Override the default port for the client and server (default "8443")
  -server
        Start the mTLS server and listen for key requests
  -string -password
        String to be encrypted. This flag requires the -password flag

Not sure how best to incorporate it. Maybe a note for users to check -help? Or specifically for the force unmount? Ideally I try not to copy and paste the output of -help into READMEs, in case it changes and I then forget to update the README.

You think you could raise a PR on wherever you think it would be most helpful to have had that info?


u93 avatar u93 commented on August 26, 2024

Sure, I'm working right now on the integration of these projects, I'll give it some thought on where I can incorporate it in the README. Initially I think just a note to check the -help option and that there could be helpful information for specific error messages similar to the one I placed above.

I'll give it a bit more thought...

