1Password and encryption

[muffs0ft]

I am trying to use 1Password with encryption without actually saving it to config

[gpg]
symmetric = true
args = [
    "--batch", 
    "--no-symkey-cache", 
    "--passphrase", "${CHEZMOI_PASSWORD:-$(op read --no-newline op://localhost/chezmoi/password)}",
  ]

[onepassword]
prompt = false
mode = "service"

[scriptEnv]
OP_SERVICE_ACCOUNT_TOKEN = "${OP_SERVICE_ACCOUNT_TOKEN:-$(op read --no-newline op://localhost/chezmoi/OP_SERVICE_ACCOUNT_TOKEN)}"

unfortunately this does not work as it's not evaluated, neither for gpg or scriptEnv.

Any way to achieve this?

[muffs0ft]

found some way for the gpg part 😁

[gpg]
args = [
  "--batch",
  "--no-symkey-cache",
  "--pinentry-mode",
  "loopback",
  "--passphrase-fd",
  "0",
]

cze() {
  local pass
  pass=$(op read --no-newline op://localhost/chezmoi/password)
  echo "$pass" | chezmoi encrypt "$@"
}

czd() {
  local pass
  pass=$(op read --no-newline op://localhost/chezmoi/password)
  echo "$pass" | chezmoi decrypt "$@"
}

❯ cze ~/test.txt > test.txt.encr && cat test.txt.encr 
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: test.txt.encr
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ -----BEGIN PGP MESSAGE-----
   2   │ 
   3   │ jA0ECQMCAFShUEgAVSj/0k4BeCwqrqJm8bF8xX71gCt8rQL9GNilzZKZjYWwmahq
   4   │ KlFRf2UxP4o320f6g2mAh/6wU5FIcHGpI2hMndOB70olkPawfgx6HObVEAu63f8=
   5   │ =7CBq
   6   │ -----END PGP MESSAGE-----
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

❯ czd ~/test.txt.encr 2>/dev/null 
1password + gpg

[muffs0ft]

While the above method works fine for CLI usage, it unfortunately didn’t work within templates.
Here is a new approach by using a wrapper for script GPG, which seems to do the trick.

[gpg]
symmetric = true
args = []
command = {{ joinPath .chezmoi.sourceDir "gpg-op.sh" | quote }}

gpg-op.sh

#!/bin/sh
exec gpg --batch --yes --no-symkey-cache --pinentry-mode loopback \
  --passphrase "$(op read --no-newline op://localhost/chezmoi/password)" "$@"

[twpayne]

You can use the decrypt template function to decrypt data in templates.

[muffs0ft]

yes, that was the whole point of my endeavor 😄
making encrypt/decrypt work with 1password without passphrase being written to config or prompted every time.
now all I have to do is approve biometric unlock from 1password 😉
encrypt/decrypt template function do not allow password to be passed or piping password to it

[halostatue]

I'm going to raise a question: why are you trying to do this?

That is, what does GPG encryption with 1Password get you over pulling the files from 1Password directly? onepasswordDocument solves this case with one tool instead of two that don't quite mesh nicely.

[muffs0ft]

• I don’t want a bunch of files stored in 1Password
• Hard(er) to edit or change files

There might be more, but that’s what comes to mind right now 😄

[halostatue]

I get point 1 (not wanting to store a lot of files in 1Password).

I don't agree with point 2. I manage several pieces of configuration data in 1Password (both as data files read and parsed separately and as files which are pasted into a larger file) and the amount of editing I've had to do is minimal — and it's mostly a matter of:

1. op document get <document-reference> -o <document-filename> -f
2. Edit <document-filename>
3. op document edit <document-reference> <document-filename>

This is exactly the same amount of effort as decrypting, editing, and reencrypting a file.

[muffs0ft]

honestly I haven's spent much thought further on this as the first point was my main reason

anyways my workflow now is this:

~/.ssh/config:

...
# START_private_dot_ssh/.config
host xxx
    user yyy
# END_private_dot_ssh/.config
...

write private_dot_ssh/.config.asc

❯ cz block -e ~/.ssh/config       
Processing blocks:
 + private_dot_ssh/.config

private_dot_ssh/private_config.tmpl:

...
# START_private_dot_ssh/.config
{{- join .chezmoi.sourceDir "private_dot_ssh/.config.asc" | include | decrypt -}}
# END_private_dot_ssh/.config
...

❯ lsa private_dot_ssh 
Permissions Size User     Date Modified Name
.rw-r--r--  1.1k xxx 17 Jul 09:39  .config.asc
.rw-r--r--  2.2k xxx 16 Jul 17:15  private_config.tmpl

This allows me to simply change files like I am used automatically push with git (after initial add)

[halostatue]

I'm glad it works for you (seriously).