[#14] Document creation of secrets through CLI / script

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2020-01-29 15:29:08 +01:00
parent 3717a4039f
commit 28a08e9f65
No known key found for this signature in database
GPG Key ID: DC2729FDD34BE99E
2 changed files with 82 additions and 0 deletions

View File

@ -27,6 +27,52 @@ For a better setup you can choose the backend which is used to store the secrets
- `REDIS_KEY` - Key prefix to store the keys under (Default `io.luzifer.ots`) - `REDIS_KEY` - Key prefix to store the keys under (Default `io.luzifer.ots`)
- `SECRET_EXPIRY` - Expiry of the keys in seconds (Default `0` = no expiry) - `SECRET_EXPIRY` - Expiry of the keys in seconds (Default `0` = no expiry)
## Creating secrets through CLI / scripts
As `ots` is designed to never let the server know the secret you are sharing you should not just send the plain secret to it though it is possible.
### Sharing an encrypted secret (strongly recommended!)
This is slightly more complex as you first need to encrypt your secret before sending it to the API but in this case you can be sure the server will in no case be able to access the secret. Especially if you are using ots.fyi (my public hosted instance) you should not trust me with your secret but use an encrypted secret:
```console
# echo "my password" | openssl aes-256-cbc -base64 -pass pass:mypass -md md5
U2FsdGVkX18wJtHr6YpTe8QrvMUUdaLZ+JMBNi1OvOQ=
# curl -X POST -H 'content-type: application/json' -i -s -d '{"secret": "U2FsdGVkX18wJtHr6YpTe8QrvMUUdaLZ+JMBNi1OvOQ="}' https://ots.fyi/api/create
HTTP/2 201
server: nginx
date: Wed, 29 Jan 2020 14:08:54 GMT
content-type: application/json
content-length: 68
cache-control: no-cache
{"secret_id":"5e0065ee-5734-4548-9fd3-bb0bcd4c899d","success":true}
```
You will now need to supply the web application with the password in addition to the ID of the secret: `https://ots.fyi/#5e0065ee-5734-4548-9fd3-bb0bcd4c899d|mypass`
In this case due to how browsers are handling hashes in URLs (the part after the `#`) the only URL the server gets to know is `https://ots.fyi/` which loads the frontend. Afterwards the Javascript executed in the browser fetches the encrypted secret at the given ID and decrypts it with the given password (in this case `mypass`). I will not be able to tell the content of your secret and just see the AES 256bit encrypted content.
You can find a script [`cli_create.sh`](cli_create.sh) in this repo demonstrating the creation of the secret with all steps.
### Sharing the plain secret
```console
# curl -X POST -H 'content-type: application/json' -i -s -d '{"secret": "my password"}' https://ots.fyi/api/create
HTTP/2 201
server: nginx
date: Wed, 29 Jan 2020 14:02:42 GMT
content-type: application/json
content-length: 68
cache-control: no-cache
{"secret_id":"1cb08e53-46b9-4f21-bbd9-f1eea1594ad9","success":true}
```
You can then use the URL `https://ots.fyi/#1cb08e53-46b9-4f21-bbd9-f1eea1594ad9` to access the secret.
## Localize to your own language ## Localize to your own language
If you want to help translating the application to your own language please download the [`en.json`](https://github.com/Luzifer/ots/blob/master/src/langs/en.json) file from this repository and translate the strings inside. Afterwards please [open an issue](https://github.com/Luzifer/ots/issues/new) and attach your translation including the information which language you translated the strings into. If you want to help translating the application to your own language please download the [`en.json`](https://github.com/Luzifer/ots/blob/master/src/langs/en.json) file from this repository and translate the strings inside. Afterwards please [open an issue](https://github.com/Luzifer/ots/issues/new) and attach your translation including the information which language you translated the strings into.

36
cli_create.sh Normal file
View File

@ -0,0 +1,36 @@
#!/bin/bash
set -euo pipefail
deps=(curl jq)
for cmd in "${deps[@]}"; do
which ${cmd} >/dev/null || {
echo "'${cmd}' util is required for this script"
exit 1
}
done
# Get secret from CLI argument
SECRET=${1:-}
[[ -n $SECRET ]] || {
echo "Usage: $0 'secret to share'"
exit 1
}
# Generate a random 8 character password
pass=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 8 || true)
# Encrypt the secret
ciphertext=$(echo "${SECRET}" | openssl aes-256-cbc -base64 -pass "pass:${pass}" -md md5 2>/dev/null)
# Create a secret and extract the secret ID
id=$(
curl -sSf \
-X POST \
-H 'content-type: application/json' \
-d "$(jq --arg secret "${ciphertext}" -cn '{"secret": $secret}')" \
https://ots.fyi/api/create |
jq -r '.secret_id'
)
# Display URL to user
echo -e "Secret is now available at:\nhttps://ots.fyi/#${id}%7C${pass}"