Document secret snippets

sandro-h · May 7, 2021 · c2f6162 · c2f6162
1 parent 50a12de
commit c2f6162
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-BASE_VERSION=0.2.0
+BASE_VERSION=0.3.0
 REPO_OWNER=sandro-h
 BUILD_CENTOS_IMAGE_VERSION=0.0.1
 BUILD_CENTOS_IMAGE_TAG=ghcr.io/${REPO_OWNER}/snippet-centos-build:${BUILD_CENTOS_IMAGE_VERSION}

diff --git a/README.md b/README.md
@@ -32,6 +32,23 @@ a new window pops up to fill out the arguments.
 
 See the [snippet_sample.yml](snippet_sample.yml) for configuring a snippet with arguments.
 
+### Secret snippets
+
+**Disclaimer: `snippet` is nowhere close to a proper password manager. Do not use it for important/personal passwords.**
+
+`snippet` can also type secrets, like a passphrase for a store.
+
+* Secret snippets are encrypted with passwords in `snippets.yml`. Encryption uses the same approach as Ansible Vaults.
+* You will be asked to provide the password when using a secret snippet
+* Once you used a secret snippet, you can reuse it without typing the password for a while.
+* If you don't use the secret snippet for a while, it will be locked again and require the password. The duration is configurable, see [config_sample.yml](config_sample.yml).
+
+You can create encrypted secrets using the command-line:
+
+1. Run `./snippet --encrypt`
+2. Enter the secret and a password to encrypt it
+3. Add the encrypted value to `snippets.yml`. See [snippet_sample.yml](snippet_sample.yml).
+
 ## Development
 
 ```shell

diff --git a/config_sample.yml b/config_sample.yml
@@ -11,4 +11,8 @@ special_chars:
     command: shift
   - character: "#"
     key: 3
-    command: gralt
+    command: gralt
+
+# Duration until an unlocked secret snippet is locked again.
+# Duration is in Golang format: https://golang.org/pkg/time/#ParseDuration
+secret_ttl: 10m
diff --git a/snippet_sample.yml b/snippet_sample.yml
@@ -14,4 +14,8 @@ shebang: "#!/usr/bin/bash"
 # does not treat unrelated {...} content as an argument.
 docker bash:
   content: docker exec -ti {container} bash
-  args: [container]
+  args: [container]
+
+# Secret snippet
+keystore passphrase:
+  secret: AES256:MzVjOTYwZTJhNmVjNmFlNTRjM2FiOWM4Y2E3ZDJjZGUzYmZmN2JhZTJkYWFmZmViZjRjMDQ0YTc4ZGViMTY1ZAowOGM4MjQ4ZDE4YWUzNTcxMWM5MzMyMmY2NjNmOGZlNjY1YmNiN2EwOWYxMmE4Mjk5OTI3Y2FmNTA4NTY3Mjg3CmU2YmNiZDRhZGRhZjU3YjIxZTcwOTdiOGY1ZjE4ZTA2