mirror of
https://github.com/gopasspw/gopass.git
synced 2025-12-08 19:24:54 +00:00
* feat: Add cryptfs storage backend for filename encryption

This commit introduces a new storage backend called `cryptfs`. This backend encrypts the filenames of secrets to enhance privacy while maintaining compatibility with existing VCS backends like Git.

Key features:

- For each secret, a cryptographically secure hash (SHA-256) of its name is generated and used as the filename for the underlying storage.
- A mapping from the original secret name to the hashed filename is maintained in an encrypted file (`.gopass-mapping.age`) within the repository.
- The mapping file is encrypted using the `age` encryption backend, with recipients read from the store's `.age-recipients` file.
- The `cryptfs` backend is implemented as a wrapper around any existing storage backend (e.g., `gitfs`, `fs`), which can be configured by the user.
- The backend is registered with gopass and can be enabled by setting `storage: cryptfs` in the store's configuration.

This implementation addresses issue #2634.

* [fix] Fix lint errors

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>

* [chore] Fix the remaining tests and add some docs.

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>

---------

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: Dominik Schulz <dominik.schulz@gauner.org>
Backends
gopass supports two kinds of pluggable backends: storage together with revision control (`storage`), and encryption (`crypto`).
As of today, the names and responsibilities of these backends are still unstable and will probably change.
By providing suitable backends, gopass can use different kinds of encryption or storage. For example, it is pretty straightforward to add Mercurial or Bazaar as an SCM backend.
All backends live in their own packages below `backend/`. Each one needs to implement the interfaces defined in the `backend` package and have its identifier added to the context handlers in the same package.
Storage and RCS Backends (storage)
- fs - Filesystem storage without RCS support
- gitfs - Filesystem storage with Git RCS
- fossilfs - Filesystem storage with Fossil RCS. Highly experimental, likely broken. Use only if you want to contribute to the backend.
- jjfs - Filesystem storage with JJ (Jujutsu) RCS. Highly experimental, likely broken. Use only if you want to contribute to the backend.
- cryptfs - Encrypted filesystem storage that wraps another storage backend (e.g. `gitfs`, `fs`). Secret names are replaced on disk by their SHA-256 hash, and the name-to-hash mapping is kept in an age-encrypted file (`.gopass-mapping.age`) in the repository. Highly experimental, likely broken. Use only if you want to contribute to the backend.
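The commit message above describes how `cryptfs` hides secret names: the filename handed to the wrapped backend is the SHA-256 hash of the name, and a mapping file lets the store list the original names again. The Go sketch below is an added example written for this page, not gopass's own code; it models that scheme against a hypothetical `Storage` interface and an in-memory backend standing in for `fs`/`gitfs`. It keeps the mapping as plain JSON under the `.gopass-mapping.age` name rather than age-encrypting it, which the real backend does and this example deliberately leaves out. It also shows a property that follows from an unkeyed hash: `Get` and `Set` never need the mapping, so anyone with read access to the repository can confirm whether a guessed name is present by hashing the guess.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Storage is a hypothetical stand-in for a gopass storage backend,
// written for this example; it is not gopass's real interface.
type Storage interface {
	Get(name string) ([]byte, error)
	Set(name string, value []byte) error
	List() []string
}

// memFS is a constructed in-memory backend standing in for fs or gitfs.
type memFS struct{ files map[string][]byte }

func newMemFS() *memFS { return &memFS{files: map[string][]byte{}} }

func (m *memFS) Get(name string) ([]byte, error) {
	v, ok := m.files[name]
	if !ok {
		return nil, fmt.Errorf("%s: not found", name)
	}
	return v, nil
}

func (m *memFS) Set(name string, v []byte) error {
	m.files[name] = append([]byte(nil), v...)
	return nil
}

func (m *memFS) List() []string {
	names := make([]string, 0, len(m.files))
	for n := range m.files {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// mappingFile is the name the commit message gives for the mapping file.
const mappingFile = ".gopass-mapping.age"

// hashName derives the on-disk filename: hex(SHA-256(secret name)).
func hashName(name string) string {
	sum := sha256.Sum256([]byte(name))
	return hex.EncodeToString(sum[:])
}

// cryptFS wraps any Storage so only hashed names reach it. Reads and writes
// recompute the hash; the mapping exists solely so List can recover names.
type cryptFS struct {
	inner   Storage
	mapping map[string]string // secret name -> hashed filename
}

// newCryptFS loads an existing mapping from the wrapped backend, if any.
// gopass age-encrypts this file for the store's recipients; this example
// stores plain JSON and does NOT implement that encryption step.
func newCryptFS(inner Storage) *cryptFS {
	c := &cryptFS{inner: inner, mapping: map[string]string{}}
	if raw, err := inner.Get(mappingFile); err == nil {
		_ = json.Unmarshal(raw, &c.mapping)
	}
	return c
}

func (c *cryptFS) saveMapping() error {
	raw, err := json.Marshal(c.mapping)
	if err != nil {
		return err
	}
	return c.inner.Set(mappingFile, raw)
}

func (c *cryptFS) Get(name string) ([]byte, error) { return c.inner.Get(hashName(name)) }

func (c *cryptFS) Set(name string, v []byte) error {
	h := hashName(name)
	if err := c.inner.Set(h, v); err != nil {
		return err
	}
	c.mapping[name] = h
	return c.saveMapping()
}

func (c *cryptFS) List() []string {
	names := make([]string, 0, len(c.mapping))
	for n := range c.mapping {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// guessPresent confirms a guessed secret name without the mapping file:
// the hash is unkeyed, so hashing the guess is enough.
func guessPresent(inner Storage, guess string) bool {
	_, err := inner.Get(hashName(guess))
	return err == nil
}

func main() {
	inner := newMemFS()
	c := newCryptFS(inner)
	_ = c.Set("websites/example.com", []byte("hunter2")) // constructed sample secret
	fmt.Println("files in wrapped backend:", inner.List())
	fmt.Println("names via fresh cryptFS: ", newCryptFS(inner).List())
	fmt.Println("guess confirmed:         ", guessPresent(inner, "websites/example.com"))
}
```

Running it shows the wrapped backend holding only `.gopass-mapping.age` and a 64-character hex name, while a second `cryptFS` opened on the same backend recovers `websites/example.com` from the mapping. Because the mapping is the only place the plaintext names exist, its encryption (and the recipient list that governs who can decrypt it) is what actually protects the names; the hashing alone only keeps them out of the directory listing.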
Crypto Backends (crypto)
- gpgcli - depends on a working gpg installation
- plain - A no-op backend used for testing. WARNING: DOES NOT ENCRYPT!
- age - This backend is based on age. It adds an encrypted keyring on top (using age in scrypt password mode). It also has (largely untested) support for specifying recipients as GitHub users, in which case their SSH public keys are used as age recipients. This backend might very well become the new default backend.