2 releases
| new 0.1.3 | Oct 14, 2024 |
|---|---|
| 0.1.0 | Sep 18, 2024 |
#240 in Command line utilities
305 downloads per month
52KB
1K
SLoC
trespass
team-ready enhanced substitute for pass
A pass-like secret manager for teams driven by age encryption and SSH keys. Because gopass is painful, passage lacks support for multiple users and the author wanted a real-world-problem to solve for learning to code in Rust.
Warning: This project is very much work-in-progress! Expect crashes, weird behavior and upcoming breaking changes.
Help and/or input from experienced Rust programmers is more than welcome, as this is my first humble attempt at writing Rust.
Installation
Binary
Just download the latest binary to a directory in your shell's search path and make it executable:
latest=$(wget -O- https://gitlab.com/api/v4/projects/58927383/repository/tags | jq -r '.[0].name')
sudo wget -O /usr/local/bin/trespass https://gitlab.com/api/v4/projects/58927383/packages/generic/trespass/$latest/trespass-linux-amd64-$latest
sudo chmod +x /usr/local/bin/trespass
From source
To install trespass from source run
cargo install --path .
and add $HOME/.cargo/bin to your $PATH.
Shell completions
trespass comes with a built-in generator for shell completion rules. Here is an example how you could set it up for bash:
trespass completion bash > $HOME/.local/share/bash-completion/completions/trespass
Execute trespass completion --help for a list of available generators.
Daemon auto-launch
If you want systemd to launch trespass daemon automatically, set up a user
service and a user socket:
mkdir -p $HOME/.config/systemd/user
cat <<__EOF__ >$HOME/.config/systemd/user/trespass.service
[Unit]
Description=trespass daemon
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=%h/.cargo/bin/trespass daemon
Restart=on-failure
__EOF__
cat <<__EOF__ >$HOME/.config/systemd/user/trespass.socket
[Unit]
Description=Socket for trespass daemon
[Socket]
ListenStream=%t/trespass.sock
[Install]
WantedBy=sockets.target
__EOF__
systemctl --user daemon-reload
systemctl --user enable --now trespass.socket
Note the SSH_AUTH_SOCK environment variable. ssh-agent must be run
accordingly, as is done by the ssh-agent.service, so if not done already:
systemctl --user enable ssh-agent.service
echo 'export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent.socket' >> ~/.zshrc
You must also configure the pinentry flavor, because the default
pinentry script chooses a CLI flavor which obviously won't work:
mkdir -p $HOME/.config/trespass
cat <<__EOF__ >$HOME/.config/trespass/config.toml
pinentry_program = "pinentry-gnome3"
__EOF__
Configuration
trespass reads configuration values from
$HOME/.config/trespass/config.toml. The following options are available:
| name | type | description | default |
|---|---|---|---|
clip_timeout |
u64 | Clipboard timeout in seconds | 30 |
hist_path |
string | Interactive history path | $XDG_DATA_DIR/trespass/history |
notification_timeout |
u32 | Notification timeout in seconds | 4 |
pinentry_program |
string | Pinentry program | pinentry |
repo_path |
string | Secret repository path | $XDG_DATA_DIR/trespass/repository |
socket_path |
string | Unix domain socket path | $XDG_RUNTIME_DIR/trespass.sock |
ssh_path |
string | SSH pubkey directory path | $HOME/.ssh |
Getting started
Initialization
The first thing you need is a secret storage repository. There are two ways to get one:
Create an empty repository
trespass repository init $(~/.ssh/id_ed25519.pub)
Clone an existing repository
trespass repository clone git@gitlab.com:its-a-me/trespass-store.git
Substores
You can add repositories with shared passwords as substores:
trespass repository add a-team git@gitlab.com:a-team/trespass-store.git
Secrets in this substore will be prefixed with a-team/. All secret- and
recipient operations in substores work exactly the same as in the root store.
Migration from other password managers
Here are some inspirational shell snippets in case you want to import secrets from another password manager:
gopass
Import all secrets, excluding a particular substore:
for item in $(gopass list --flat | grep -v '^your_substore'); do
echo $item
trespass --standalone secret add $item -- "$(gopass show $item)"
done
Import all secrets from a substore:
for secret in $(gopass list --flat --strip-prefix coop); do
echo $secret
trespass --standalone secret add $secret -- "$(gopass show coop/$secret)"
done
Metadata
You can store metadata for secrets. Everything after the first line is parsed as metadata in TOML format. The following secret metadata fields are supported:
commentlocationusername
A secret with metadata looks like this:
Xup3r$3cre7
comment: '''This is a very bad password'''
location: 'https://bad.example.pw'
username: 'its-a-me'
See trespass secret clip --help for more information on how to clip metadata.
Converting metadata
From YAML:
for secret in $(trespass secret list); do
trespass --standalone secret add $secret "$(trespass secret show $secret \
| sed "s/url:/location:/; s/\(.*\): \(.*\)/\1 = '''\2'''/")"
done
Dependencies
~37–70MB
~1M SLoC