Crates.io | trespass |
lib.rs | trespass |
version | 0.2.0 |
source | src |
created_at | 2024-09-18 10:19:00.744979 |
updated_at | 2024-11-13 12:22:40.050711 |
description | A pass-like secret manager for teams driven by age encryption and SSH keys. |
homepage | https://gitlab.com/haggl/trespass |
repository | https://gitlab.com/haggl/trespass |
max_upload_size | |
id | 1379045 |
size | 163,209 |
team-ready enhanced substitute for pass
A pass-like secret manager for teams driven by age encryption and SSH keys. Because gopass is painful, passage lacks support for multiple users and the author wanted a real-world-problem to solve for learning to code in Rust.
Warning: This project is very much work-in-progress! Expect crashes, weird behavior and upcoming breaking changes.
Help and/or input from experienced Rust programmers is more than welcome, as this is my first humble attempt at writing Rust.
Just download the latest binary to a directory in your shell's search path and make it executable:
latest=$(wget -O- https://gitlab.com/api/v4/projects/58927383/repository/tags | jq -r '.[0].name')
sudo wget -O /usr/local/bin/trespass https://gitlab.com/api/v4/projects/58927383/packages/generic/trespass/$latest/trespass-linux-amd64-$latest
sudo chmod +x /usr/local/bin/trespass
To install trespass from source run
cargo install --path .
and add $HOME/.cargo/bin
to your $PATH
.
trespass comes with a built-in generator for shell completion rules. Here is an example how you could set it up for bash:
trespass completion bash > $HOME/.local/share/bash-completion/completions/trespass
Execute trespass completion --help
for a list of available generators.
If you want systemd to launch trespass daemon
automatically, set up a user
service and a user socket:
mkdir -p $HOME/.config/systemd/user
cat <<__EOF__ >$HOME/.config/systemd/user/trespass.service
[Unit]
Description=trespass daemon
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=%h/.cargo/bin/trespass daemon
Restart=on-failure
__EOF__
cat <<__EOF__ >$HOME/.config/systemd/user/trespass.socket
[Unit]
Description=Socket for trespass daemon
[Socket]
ListenStream=%t/trespass.sock
[Install]
WantedBy=sockets.target
__EOF__
systemctl --user daemon-reload
systemctl --user enable --now trespass.socket
Note the SSH_AUTH_SOCK
environment variable. ssh-agent
must be run
accordingly, as is done by the ssh-agent.service
, so if not done already:
systemctl --user enable ssh-agent.service
echo 'export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/ssh-agent.socket' >> ~/.zshrc
You must also configure the pinentry
flavor, because the default
pinentry
script chooses a CLI flavor which obviously won't work:
mkdir -p $HOME/.config/trespass
cat <<__EOF__ >$HOME/.config/trespass/config.toml
pinentry_program = "pinentry-gnome3"
__EOF__
trespass
reads configuration values from
$HOME/.config/trespass/config.toml
. The following options are available:
name | type | description | default |
---|---|---|---|
clip_timeout |
u64 | Clipboard timeout in seconds | 30 |
hist_path |
string | Interactive history path | $XDG_DATA_DIR/trespass/history |
notification_timeout |
u32 | Notification timeout in seconds | 4 |
pinentry_program |
string | Pinentry program | pinentry |
repo_path |
string | Secret repository path | $XDG_DATA_DIR/trespass/repository |
socket_path |
string | Unix domain socket path | $XDG_RUNTIME_DIR/trespass.sock |
ssh_path |
string | SSH pubkey directory path | $HOME/.ssh |
The first thing you need is a secret storage repository. There are two ways to get one:
trespass repository init $(~/.ssh/id_ed25519.pub)
trespass repository clone git@gitlab.com:its-a-me/trespass-store.git
You can add repositories with shared passwords as substores:
trespass repository add a-team git@gitlab.com:a-team/trespass-store.git
Secrets in this substore will be prefixed with a-team/
. All secret- and
recipient operations in substores work exactly the same as in the root store.
Here are some inspirational shell snippets in case you want to import secrets from another password manager:
Import all secrets, excluding a particular substore:
for item in $(gopass list --flat | grep -v '^your_substore'); do
echo $item
trespass --standalone secret add $item -- "$(gopass show $item)"
done
Import all secrets from a substore:
for secret in $(gopass list --flat --strip-prefix coop); do
echo $secret
trespass --standalone secret add $secret -- "$(gopass show coop/$secret)"
done
You can store metadata for secrets. Everything after the first line is parsed as metadata in TOML format. The following secret metadata fields are supported:
comment
location
username
A secret with metadata looks like this:
Xup3r$3cre7
comment: '''This is a very bad password'''
location: 'https://bad.example.pw'
username: 'its-a-me'
See trespass secret clip --help
for more information on how to clip metadata.
From YAML:
for secret in $(trespass secret list); do
trespass --standalone secret add $secret "$(trespass secret show $secret \
| sed "s/url:/location:/; s/\(.*\): \(.*\)/\1 = '''\2'''/")"
done