Is there any way to hide the password manager?

[rafaelpirolla]

I would like to get some parts of some configuration files using the password manager integration like:

export CF_API_TOKEN='{{ onepasswordRead "op://Personal/cloudlfare-api-token/password" }}'

Would there be any way, internally to chezmoi, to do it like:

export CF_API_TOKEN='{{ includeTemplate "cloudflare.enc" | decrypt }}'

Where cloudflare.enc would then be an encrypted template (probably in .chezmoitemplates):

{{ onepasswordRead "op://Personal/cloudlfare-api-token/password" }}

I'm thinking about using sops with some hook scripts at this point.

[halostatue]

What's your threat model where you think that this is necessary?

If you don't want to reveal that it's in your Personal vault and that the token is called cloudflare-api-token, then enable 1Password dev mode and use the UUIDs.

There is no way of which I’m aware to do what you want, which is more accurately described as

export CF_API_TOKEN='{{ includeTemplate "cloudflare.enc" | decrypt | eval }}'

[rafaelpirolla]

Thanks for the reply, Mr. Ziegler. It's more like a buzz in the ear than anything. Something in the way of – e.g. why tell everyone I have this secret at this entry in gopass; or that my key to this API is in an AWS Secret Manager entry? In a targeted attack it's one more information to be exploited.

If there was an easy way to evaluate templates after decryption when including them; it would be nice. Since you're saying it's hard I will go forth to implement it another way. :)

[twpayne]

As @halostatue says, it's not clear what security benefit this provides. If people know that you use SSH and HTTPS, is that a security risk?

You can encrypt entire templates and chezmoi edit will transparently decrypt and re-encrypt them for you for easy editing. This will conceal which password manager you're using.

[rafaelpirolla]

Just started to do this, thanks! I really fell in love with chezmoi, great piece of software.