Goal

Today I will continue implementing credentials. I have the core functionality implemented, but in a library, which is not useful to users. Today I will add the minimum needed to manage credential chunks on the command line.

Plan

  • Implement obnam credential openpgp-soft to create a new OpenPGP software key credential.
  • Implement obnam credential list to list all credentials in the backup repository.
  • Implement obnam credential show ID to decrypt a given credential chunk.
  • For all of these, look up the private OpenPGP key in the configuration file.

Notes

Add private OpenPGP key to configuration file

  • My first idea for storing the private key in the configuration file is this:
  credentials:
    my-soft-key:
      kind: openpgp-soft
      key: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        ...
        -----END PGP PRIVATE KEY BLOCK-----
  • The idea is that the configuration file specifies any number of secrets for credentials, with a name. obnam will try all of them to open a credential.
  • This immediately became tricky, as I'll need to figure out how to de-serialize an obnam::sop::OpenPgpKey from YAML.
  • Ah, no, that was actually easy. Instead of using obnam::sop::OpenPgpKey as the value of a variant for the credentials secrets list, I'll define a struct variant:
  OpenPgpSoft { key: String },
  • This allows me to use this in the configuration file:
credentials:
  softy: !OpenPgpSoft
    key: |
      -----BEGIN PGP PRIVATE KEY BLOCK-----

      xVgEaHx17xYJKwYBBAHaRw8BAQdAC63UCzds2ShvV3awGTG9ZzrgcXinK1Twz9wN
      YPEw454AAP9zHt7AWQA/02hQYf5GkArDiCGi2edabpJOEMCZT5OXEw/7zRFhbGlj
      ZUBleGFtcGxlLmNvbcKaBBAWCABCBQJofHXvFiEEO6UOK22nHT4D7dMX80ufoVP7
      ftACGwMCHgEECwkIBwYVDgoJDAgBFg0nCQIIAgcCCQEIAQcBAhkBAAoJEPNLn6FT
      +37QN+8BAOQ6SdqeUAVv4myor/8Mh3n66QMiqSh0hkivtPPEB3TmAP9otQ4XLbUo
      aqggL6bXh0044iWRka/T1zw8s5cFWGyzDsddBGh8de8SCisGAQQBl1UBBQEBB0B1
      gH3V7jcoGX6TwxCnCFixaOziIW/shMDPEKNjW1F2KgMBCAcAAP9oQLDyHZ6+hwLI
      tHOzN2c9rdL3KlPfWd2uhCPSEnQdUBDqwngEGBYIACAFAmh8de8CGwwWIQQ7pQ4r
      bacdPgPt0xfzS5+hU/t+0AAKCRDzS5+hU/t+0KPhAQCvrBcJMhDRT4rgfpdNF5Ls
      lmPAH6lFvqbEmaW/8ISBVAEAlzcOZEUnpMhNqVU85e3Z54rvuTURBCxZ1yrhBcKN
      8AQ=
      =5B0p
      -----END PGP PRIVATE KEY BLOCK-----
  • The !OpenPgpSoft bit of YAML magic is unfortunate, but I can live with it for now.
  • The obnam config output is now useless, because the key is stored as bytes, not as a string, and the JSON output is now a large array of small integers. Hmm.
  • Changed OpenPgpKey to contain a string. Also OpenPgpCert.

obnam credential openpgp-soft

  • The command to create an OpenPGP software key credential:
  obnam credential openpgp-soft NAME
  • This reads the credential secret from the configuration file, generates a client key, and creates the credential chunk with the client key encrypted with the credential secret.
  • This isn't useful, if one wants to add a new credential for an existing client key, of course, but one step at a time.
  • Implemented the subcommand to create a credential and one to decrypt it and show the client key.
  • Meanwhile, realized that I can't store a credential chunk in the chunk store, since it's type incompatible with data chunks. Need to think about this.

Meh

  • I'm running out of time, and I don't want to go over my time budget today. It's too warm to concentrate, anyway. Not merging what I have, will continue next time from where I'm leaving off today.

Summary

Made some progress, but not enough to merge what I've done. Not really happy about that, but I don't want to try to rush things, and I don't want to spend too much time on this per sitting.

Comments?

If you have feedback on this development session, please use the following fediverse thread: https://toot.liw.fi/@liw/114884414581710216.