* feat: Add cryptfs storage backend for filename encryption
This commit introduces a new storage backend called `cryptfs`. This backend encrypts the filenames of secrets to enhance privacy while maintaining compatibility with existing VCS backends like Git.
Key features:
- For each secret, a cryptographically secure hash (SHA-256) of its name is generated and used as the filename for the underlying storage.
- A mapping from the original secret name to the hashed filename is maintained in an encrypted file (`.gopass-mapping.age`) within the repository.
- The mapping file is encrypted using the `age` encryption backend, with recipients read from the store's `.age-recipients` file.
- The `cryptfs` backend is implemented as a wrapper around any existing storage backend (e.g., `gitfs`, `fs`), which can be configured by the user.
- The backend is registered with gopass and can be enabled by setting `storage: cryptfs` in the store's configuration.
This implementation addresses issue #2634.
* [fix] Fix lint errors
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* [chore] Fix the remaining tests and add some docs.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
---------
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Dominik Schulz <dominik.schulz@gauner.org>
This change adds GoDoc comments to many of the public symbols in the
`pkg/` directory. It also includes various improvements to the
documentation in `README.md` and other markdown files in the `docs/`
directory.
This is a partial documentation effort, as requested by the user, to
get a pull request submitted quickly.
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
* feat(age): Add unlock command to age agent
This change introduces a proper lock/unlock mechanism for the age agent.
The issue was that after locking the agent with `gopass age lock`, there was no way to unlock it without restarting the agent. This made the lock command mostly useless.
This change introduces a new `unlock` command for the agent and a `locked` state.
- The `lock` command now sets a `locked` flag to `true` in addition to clearing identities.
- The `decrypt` function in the agent now checks this `locked` flag and returns an error if the agent is locked.
- When the gopass client receives the "agent is locked" error, it will ask the user for their passphrase, reload the identities, and send them to the agent.
- A new `gopass age agent unlock` CLI command is added to trigger this new functionality.
- The `gopass age agent status` command is enhanced to report whether the agent is locked.
- The old top-level `gopass age lock` command is hidden, and a new `gopass age agent lock` command is introduced for consistency.
Fixes#3242
* feat(age): Add unlock command to age agent
This change introduces a proper lock/unlock mechanism for the age agent.
The issue was that after locking the agent with `gopass age lock`, there was no way to unlock it without restarting the agent. This made the lock command mostly useless.
This change introduces a new `unlock` command for the agent and a `locked` state.
- The `lock` command now sets a `locked` flag to `true` in addition to clearing identities.
- The `decrypt` function in the agent now checks this `locked` flag and returns an error if the agent is locked.
- When the gopass client receives the "agent is locked" error, it will ask the user for their passphrase, reload the identities, and send them to the agent.
- A new `gopass age agent unlock` CLI command is added to trigger this new functionality.
- The `gopass age agent status` command is enhanced to report whether the agent is locked.
- The old top-level `gopass age lock` command is hidden, and a new `gopass age agent lock` command is introduced for consistency.
I have also addressed the PR comment about the import alias. I have removed the alias and used a dot import instead to avoid the name collision.
Fixes#3242
* feat(age): Add unlock command to age agent
This change introduces a proper lock/unlock mechanism for the age agent.
The issue was that after locking the agent with `gopass age lock`, there was no way to unlock it without restarting the agent. This made the lock command mostly useless.
This change introduces a new `unlock` command for the agent and a `locked` state.
- The `lock` command now sets a `locked` flag to `true` in addition to clearing identities.
- The `decrypt` function in the agent now checks this `locked` flag and returns an error if the agent is locked.
- When the gopass client receives the "agent is locked" error, it will ask the user for their passphrase, reload the identities, and send them to the agent.
- A new `gopass age agent unlock` CLI command is added to trigger this new functionality.
- The `gopass age agent status` command is enhanced to report whether the agent is locked.
- The old top-level `gopass age lock` command is hidden, and a new `gopass age agent lock` command is introduced for consistency.
To avoid name collisions with the imported `filippo.io/age` package, the local `age` package has been renamed to `agecrypto`.
Fixes#3242
* feat(age): Add auto-lock feature to age agent
This change introduces an auto-lock feature for the age agent. The agent will now automatically lock itself after a configurable period of inactivity.
This change also includes the initial fix for issue #3242, which introduced a proper lock/unlock mechanism for the age agent.
- A new config option `age.agent-timeout` is added to specify the inactivity timeout in seconds.
- The agent now has a timer that is reset on every successful decryption operation.
- If the timer expires, the agent locks itself.
- A new `set-timeout` command is added to the agent protocol to configure the timeout.
- The gopass client sends the timeout to the agent when it starts or when it unlocks the agent.
- A new test `TestAgentAutoLock` is added to verify the new functionality.
To avoid name collisions with the imported `filippo.io/age` package, the local `age` package has been renamed to `agecrypto`.
Fixes#3242
* [fix] Fix lint issues
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
---------
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Dominik Schulz <dominik.schulz@gauner.org>
* This change introduces an agent for the age backend to cache passphrases for age identities.
The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation.
The agent can be controlled with the following commands:
- `gopass age agent`: starts the agent in the foreground.
- `gopass age lock`: locks the agent, clearing all cached passphrases.
The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default).
This change includes:
- The implementation of the age agent in `internal/backend/crypto/age/agent/`.
- Modifications to the age backend to communicate with the agent.
- A new configuration option `age.agent-enabled`.
- Unit tests for the agent.
- Updated documentation for the age backend.
The integration test for this feature (`TestAgeAgent`) is currently failing. The issue is that the test environment is non-interactive, and the code path for initializing a new age store requires a password for the identity keyring, which triggers a `pinentry` call that fails without a TTY. I have tried several approaches to work around this, including setting the `GOPASS_PASSWORD` environment variable and providing a custom pinentry script, but none have been successful so far. The core implementation of the agent is believed to be correct, but the integration test needs further work to run in a non-interactive environment.
* This change introduces an agent for the age backend to cache passphrases for age identities.
The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation.
The agent can be controlled with the following commands:
- `gopass age agent`: starts the agent in the foreground.
- `gopass age lock`: locks the agent, clearing all cached passphrases.
The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default).
This change includes:
- The implementation of the age agent in `internal/backend/crypto/age/agent/`.
- Modifications to the age backend to communicate with the agent.
- A new configuration option `age.agent-enabled`.
- Unit tests for the agent.
- Updated documentation for the age backend.
* This change introduces an agent for the age backend to cache passphrases for age identities.
The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation.
The agent can be controlled with the following commands:
- `gopass age agent`: starts the agent in the foreground.
- `gopass age lock`: locks the agent, clearing all cached passphrases.
The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default).
This change includes:
- The implementation of the age agent in `internal/backend/crypto/age/agent/`.
- Modifications to the age backend to communicate with the agent.
- A new configuration option `age.agent-enabled`.
- Unit tests for the agent.
- Updated documentation for the age backend.
* This change introduces an agent for the age backend to cache passphrases for age identities.
The agent is a long-running process that listens on a Unix domain socket. Gopass communicates with the agent to request decryption of secrets. The agent caches the passphrases for the identities and performs the decryption, so the passphrases never leave the agent process. This addresses the security concerns with the initial implementation.
The agent can be controlled with the following commands:
- `gopass age agent`: starts the agent in the foreground.
- `gopass age lock`: locks the agent, clearing all cached passphrases.
The age backend will automatically start the agent if it's not already running and the `age.agent-enabled` configuration option is set to `true` (the default).
This change includes:
- The implementation of the age agent in `internal/backend/crypto/age/agent/`.
- Modifications to the age backend to communicate with the agent.
- A new configuration option `age.agent-enabled`.
- Unit tests for the agent.
- Updated documentation for the age backend.
* Fix some test failures and add more logging.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Fix lint error
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* [fix] Fix integration tests
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
---------
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Dominik Schulz <dominik.schulz@gauner.org>
* feat: handle referencing in passwords
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* feat: use seq over slice to improve performance
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* feat: handle error during reference following
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* feat: provide a flag for not following references
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* feat: disable ref following on edit and remove the flag
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* feat: provide a configuration for follow-references
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* fix: correct configuration tests
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* fix: correct tests and document the new flag
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* fix: correct integration test
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* fix: correct tests
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
---------
Signed-off-by: Parham Alvani <parham.alvani@gmail.com>
* specify ssh dir
Signed-off-by: Joel Lau <joellau@protonmail.com>
* added documentation, prefer GOPASS_SSHDIR
Signed-off-by: Joel Lau <joellau@protonmail.com>
* check for empty path
Signed-off-by: Joel Lau <joellau@protonmail.com>
---------
Signed-off-by: Joel Lau <joellau@protonmail.com>
* [FEATURE] Allow for non-interactive age setup
Also updates Go to Go 1.23.2 and get rid of min and max functions
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* [n/a] also renaming clear for Windows
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* [n/a] bumping our GHA to Go 1.23
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* [n/a] make our harden runner softer
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* [n/a] make our harden runner accept go.dev
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* [n/a] applying code review changes
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
---------
Signed-off-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* [feat] Add verbosity levels to the debug package
Use debug.V(N).Log instead of debug.Log to indicate message
verbosity (higher numbers indicate more verbose messages).
Use GOPASS_DEBUG_VERBOSE=N to control the desired level
of verbosity in the log output.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Document the verbosity env vars.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Allow negative verbosity values
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
---------
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* [feature] Add new pwgen options to capitalize and include numbers in
xkcd style passwords.
Depends on martinhoefling/goxkcdpwgen#10
Fixes#2573
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Recommend bash-completion
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Replace the goxkcdgenerator dependency with the fork until it is merged.
Also adds and fixes some config options related to the xkcd pwgen.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
---------
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* [CLEANUP] Moving options to the correct config section
This adds an easy migration path to our config handling, which should
allow us to migrate option names around much more easily in the future.
Any system level config or env variables options are not migrated.
This also fixes a bug in our test code, where the root mount path was
not properly set in our config, because we used "path:" instead of
"path=" to set it.
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [DOCUMENTATION] Document legacy options and their migration path
This also makes sure that legacy options aren't used in the code anymore using the docs test and its regexp
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] Removing weird spaces from changelog
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [DOCUMENTATION] Reformatting our Markdown tables properly
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [TESTING] Patching a timezone bug in tests
This is a fun one where if your Timezone isn't UTC and you are past midnight but it's not past midnight UTC, the tests would fail because you're not using the right date to validate it.
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] Fix a typo and use the correct Env variables in the doc about the custom Env variables
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [BREAKING] Custom Env options moved from GOPASS_CONFIG_CONFIG_KEY_i to GOPASS_CONFIG_KEY_i
As discussed in #2617, this actually reflects the way GIT_CONFIG works.
It also fixes a potential Panic in our codebase when IsSet was called
without any Preset config on a non-existing key.
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [CLEANUP] Patching all of the new linter complaints
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [CLEANUP] Use Go1.21 everywhere
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] Increase our Golangci timeout
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
* [n/a] code review comment and extra regression test
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
---------
Signed-off-by: Yolan Romailler <anomalroil@users.noreply.github.com>
The cleanup during import is currently buggy on some scenarios
so as a workaround we'll disable auto-cleanup by default and
introduce `recipients.remove-extra-keys` to allow users to turn
it back on.
See GH-2620
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This change adds a `core.autopush` configuration option (which defaults
to a value of `true`). This new configuration option is used in
post-write-ish actions, to determine if the remote repository should be
pushed to. In doing this, we support workflows where a user may want to
always push to the remote, but disable the behavior of "sync", which
fetches updates from remotes for all mounts (including the root store).
Closes: gopasspw/gopass#2551
Signed-off-by: sudoforge <9c001b67637a@sudoforge.com>
This will allow to restore the old behaviour where gopass edit would
automatically create a secret if a non-existing name was given.
RELEASE_NOTES=[ENHANCEMENT] Add edit.auto-create
Fixes#2531
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This PR adds a new attempt at validating recipients files to prevent
malicious actors from updating them and tricking users into sharing
their new and updated secrets with a wider-than-inteded audience.
This includes two new config options (`recipients.hash` and
`recipients.check`) and one new command `gopass recipients ack`
to update the hash after validating it's content.
Fixes#2478
RELEASE_NOTES=[ENHANCEMENT] Add recipients hash checking.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Fixes#2451
RELEASE_NOTES=[ENHANCEMENT] Support german language in the password
generator
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Maintain secret structure when parsing
This commit introduces a new KV secret type ("AKV") that fully maintains
the secret format when parsing. As such it obsoletes the old KV and
Plain formats and the need for the core.parsing option.
Fixes#2431
RELEASE_NOTES=[ENHANCEMENT] Maintain secret structure when parsing
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Update internal/action/edit.go
Co-authored-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
* Address review comments
This brings back the noparsing flag since we need this to cover some
corners cases.
RELEASE_NOTES=n/a
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
This commit adds yet another config handler for gopass. It is based on
the format used by git itself. This has the potential to address a lot
of long standing issues, but it also causes a lot of changes to how we
handle configuration, so bugs are inevitable.
Fixes#1567Fixes#1764Fixes#1819Fixes#1878Fixes#2387Fixes#2418
RELEASE_NOTES=[BREAKING] New config format based on git config.
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: Yolan Romailler <AnomalRoil@users.noreply.github.com>
address comments
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
* Determine password length from env variable, if set.
With this change, the variable `GOPASS_PW_DEFAULT_LENGTH` can be used to
set a default length for the `generate` cmd.
RELEASE_NOTES=[ENHANCEMENT] Environment variable GOPASS_PW_DEFAULT_LENGTH can be used to overwrite default password length of 24 characters.
Signed-off-by: dotcs <git@dotcs.me>
* Don't ask for password length if env variable is set
Signed-off-by: dotcs <git@dotcs.me>
* Fix PR finding: Don't skip test in short mode
Signed-off-by: dotcs <git@dotcs.me>
* Fix lint issues
Signed-off-by: dotcs <git@dotcs.me>
* Fix lint issue (code complexity) by moving code to separate function
Signed-off-by: dotcs <git@dotcs.me>
* Add env variables for custom clipboard commands
Adds `GOPASS_CLIPBOARD_COPY_CMD` and `GOPASS_CLIPBOARD_CLEAR_CMD`
environment variables which are called instead of the normal
implementation if set. The commands receive the name of the password as
their first parameter and the password or its checksum on `STDIN`.
Resolves#2042.
RELEASE_NOTES=[FEATURE] Add env variables for custom clipboard commands.
Signed-off-by: hashworks <mail@hashworks.net>
* Improve two line test ambiguity
The output might contain the previous value "and". Additionally with the
new values it is now clearer what is tested.
RELEASE_NOTES=[TESTING] Improve two line test ambiguity.
Signed-off-by: hashworks <mail@hashworks.net>
* Use a helper to unset env vars in clipboard tests
RELEASE_NOTES=[TESTING] Use a helper to unset env vars in clipboard tests.
Signed-off-by: hashworks <mail@hashworks.net>
This commit adds filtering to avoid logging credentials in the debug
logs. If logging of credentials, e.g. for debugging secret parsers,
is required GOPASS_DEBUG_LOG_SECRETS can be set to an non empty
string to enable logging of secrets.
Fixes#1883
RELEASE_NOTES=[BUGFIX] Avoid logging credentials
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
This adds a reminder when fsck was not run within the last 90d (or never).
RELEASE_NOTES=[ENHANCEMENT] Remind to run gopass update/fsck/audit after 90d
RELEASE_NOTES=[ENHANCEMENT] Added a env var to disable reminders
Fixes#1602Fixes#1614Fixes#1600Fixes#1594Fixes#1601Fixes#1650
RELEASE_NOTES=[BUGFIX] Disabling all kind of parsing of the input
RELEASE_NOTES=[ENHANCEMENT] Adding the flag show -n to disable output parsing
RELEASE_NOTES=[ENHANCEMENT] Adding the option parsing to disable all parsing
Signed-off-by: Yolan Romailler <yolan@romailler.ch>
* Fix panic in config and cleanup
Fixes#1458Fixes#1459
This is fixing a panic in config that was not catched by the tests, it
augments the tests to catch it and it cleans up the config code that
still had some code from the time where we supported per-mount
configuration. Documentation is updated as well to reflect the change
made in #1391 that is dropping some config options.
It is also adding a test to detect regressions in the ways mount
shadowing works.
RELEASE_NOTES=[BUGFIX] Fix config panic with mounts
Signed-off-by: Yolan Romailler <yolan@romailler.ch>
* Adding a test for the mount shadowing
RELEASE_NOTES=[TESTING] Add a test to detect shadowing issue with mount
Signed-off-by: Yolan Romailler <yolan@romailler.ch>
This commit adds a new debug package to gopass.
It is heavily inspired by github.com/restic/restic/internal/debug
and adapted for the gopass use case.
This change allows to further trim down the source code since the
new package doesn't propagate the debug flag in the context anymore.
As such we can now omit passing ctx in most places.
In order to ensure we don't accidentially keep passing ununsed
parameters we also introduce unparam to check for extra arguments.
RELEASE_NOTES=[ENHANCEMENT] New Debug package
Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
