Goal

Last time I implemented a command to create a credential chunk using an OpenPGP software key. Today I will change the commands that encrypt and decrypt chunks so that they get the client key from the credential.

Plan

I'll change the provided function client_key in the Leaf trait in src/bin/cmd/mod.rs so that it gets the client key from one of the available credentials when the user doesn't provide it directly.

Before I do that I'll change obnam credential list so that by default it only lists credentials the user can open. This is useful in and of itself, but is also a smaller step than going for Leaf::client_key directly. To do the listing, I'll need to add credentials to the configuration file so that list can use them.

Notes

  • Verified that make still passes fine. It does.

Add credentials to configuration file

  • I've previously sketched the following as the way to store an OpenPGP software key in the configuration file:
credentials:
  my-soft-key:
    kind: openpgp-soft
    key: |
      -----BEGIN PGP PRIVATE KEY BLOCK-----
      ...
      -----END PGP PRIVATE KEY BLOCK-----
  • In other words, there's a map for credentials, each map key is the credential name (meaningful only to the user), and each map value has a kind field to specify what it is, plus other fields depending on the kind.
  • Other possibility: drop the kind, use unique fields in each credential variant to identify (using serde untagged for enum representation):
credentials:
  my-soft-key:
    openpgp_key: |
      -----BEGIN PGP PRIVATE KEY BLOCK-----
      ...
      -----END PGP PRIVATE KEY BLOCK-----
  • Went with the latter option to avoid forcing users to specify a kind explicitly for every credential. That'd get repetitive fast. The serde parsing will identify the variant correctly if the fields are uniquely named.
  • Had some trouble getting the parsing to work, because I edited obnam::config::Config instead of obnam::config::File, but got it working.
  • Merged to main.
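As an added example (not Obnam's own code, and written without the serde crate so it runs stand-alone), the following Rust hand-implements the rule that an untagged enum representation relies on: each variant is recognised by a field only it has. The second variant `Passphrase`, the `Fields` alias, the function names and the sample values are assumptions made for the illustration; only the `openpgp_key` field comes from the sketch above. Two things the example does that plain untagged deserialisation does not: it rejects an entry that carries the identifying fields of more than one variant instead of picking whichever variant is listed first, and it rejects leftover fields, because serde ignores unknown fields by default and a misspelled key in a credentials file would otherwise vanish silently.

```rust
use std::collections::BTreeMap;

/// One entry under `credentials:` in the configuration file. Only the
/// `openpgp_key` field comes from the sketched configuration; the
/// `Passphrase` variant is hypothetical and exists to show why every
/// variant needs a field name no other variant uses.
#[derive(Debug, Clone, PartialEq)]
pub enum Credential {
    OpenPgpSoft { openpgp_key: String },
    Passphrase { passphrase: String },
}

impl Credential {
    /// Human-readable kind, for listing without printing secret material.
    pub fn kind(&self) -> &'static str {
        match self {
            Credential::OpenPgpSoft { .. } => "openpgp-soft",
            Credential::Passphrase { .. } => "passphrase",
        }
    }
}

/// The raw fields of one credential entry, as a YAML parser would hand
/// them over before any variant has been chosen (assumed shape).
pub type Fields = BTreeMap<String, String>;

/// Choose the variant from the fields present, mirroring the rule an
/// untagged enum applies: a field that belongs to exactly one variant
/// identifies it. Ambiguous and leftover fields are errors here.
pub fn credential_from_fields(fields: &Fields) -> Result<Credential, String> {
    let has_pgp = fields.contains_key("openpgp_key");
    let has_pass = fields.contains_key("passphrase");
    let credential = match (has_pgp, has_pass) {
        (true, true) => return Err("fields match more than one credential kind".to_string()),
        (false, false) => {
            let names: Vec<&String> = fields.keys().collect();
            return Err(format!("no known credential field among {names:?}"));
        }
        (true, false) => Credential::OpenPgpSoft { openpgp_key: fields["openpgp_key"].clone() },
        (false, true) => Credential::Passphrase { passphrase: fields["passphrase"].clone() },
    };
    // Every variant above consumes exactly one field; anything else is a
    // typo or an unsupported option and must not pass silently.
    if fields.len() != 1 {
        let extra: Vec<&String> = fields
            .keys()
            .filter(|k| k.as_str() != "openpgp_key" && k.as_str() != "passphrase")
            .collect();
        return Err(format!("unexpected fields {extra:?}"));
    }
    Ok(credential)
}

/// Parse the whole `credentials:` map, keeping the user's names as keys
/// and reporting which entry failed.
pub fn parse_credentials(
    raw: &BTreeMap<String, Fields>,
) -> Result<BTreeMap<String, Credential>, String> {
    raw.iter()
        .map(|(name, fields)| {
            credential_from_fields(fields)
                .map(|c| (name.clone(), c))
                .map_err(|e| format!("credential {name}: {e}"))
        })
        .collect()
}

/// Constructed sample with the shape of the sketched configuration; the
/// key material and passphrase are placeholders, not real secrets.
pub fn sample_config() -> BTreeMap<String, Fields> {
    let mut soft = Fields::new();
    soft.insert(
        "openpgp_key".to_string(),
        "-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----\n"
            .to_string(),
    );
    let mut pass = Fields::new();
    pass.insert("passphrase".to_string(), "placeholder-not-a-real-secret".to_string());
    let mut config = BTreeMap::new();
    config.insert("my-soft-key".to_string(), soft);
    config.insert("my-passphrase".to_string(), pass);
    config
}

fn main() {
    match parse_credentials(&sample_config()) {
        Ok(creds) => {
            for (name, cred) in &creds {
                println!("{name}: {}", cred.kind());
            }
        }
        Err(e) => eprintln!("error: {e}"),
    }
}
```

Listing prints only the kind and the user's name for each credential, never the field values, which is the habit to keep once the real key material is in the map.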

List usable credentials

  • Added option obnam credential list --all to list all credentials. That's going to be useful for troubleshooting.
  • Changed the list command when used without --all to try to open each credential chunk, using the credentials in the configuration file, and only list ones it can.
  • This is ugly code for now, but it can be tidied up later. It will also have to be moved into the library portion of obnam to make it convenient to use. Some caching will also help, but I will add that only once it's needed.
  • However, this exposed a fundamental problem: obnam credential openpgp-soft does not add the new credential to the configuration file. In general I'm wary of editing configuration files with code, but if I don't, the user has to add the credential to the configuration file by hand. More urgently, my test scenario needs to do that. Or else I can run list with --all in the scenario, which I'll be doing for now.
  • I ran out of time, so won't tidy up. I won't merge the change as is; I'll continue from here next time.

Summary

My goal today was once again vastly too big, but I did write code to open and decrypt credential chunks. I'll tidy that up next time, before I continue working towards the big goal of today.

Comments?

If you have feedback on this development session, please use the following fediverse thread: https://toot.liw.fi/@liw/115042798070706560.