Trousseau: an encrypted and networked key-value database (github.com)
32 points by oleiade 4590 days ago
Trousseau is a gpg encrypted key-value store designed to be a simple, safe and relient place for your data. It stores data in a single multi-recipient encrypted file and supports both local and remote storage sources (S3 and ssh so far) for import/export.

Create a trousseau store, specify which gpg recipients are allowed to open and modify it, add some key-value pairs to it, export it to s3 for example, and re-import it on another device. As simple as that.

Whether you're a devops, a paranoid guy living in a bunker, or a random user seeking a simple way to store their critical data in a safe manner, Trousseau can do something for you.
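The "single multi-recipient encrypted file" above is the hybrid scheme OpenPGP uses: the content is encrypted once under a random session key, and that session key is wrapped separately for each recipient's public key. The following is an added illustration of that layout, not Trousseau's own code (Trousseau delegates this to gpg): it uses AES-256-GCM for the content and RSA-OAEP for the per-recipient wrapping, both from the Go standard library. The names Store, EncryptedStore, Seal and Open, and the sample key-value pair, are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Store is the plaintext key-value content of the file (example type, not Trousseau's).
type Store map[string]string

// EncryptedStore is the one file all recipients share: a single AES-256-GCM
// ciphertext of the store, plus the data key wrapped once per recipient.
type EncryptedStore struct {
	Nonce      []byte            `json:"nonce"`
	Ciphertext []byte            `json:"ciphertext"`
	WrappedKey map[string][]byte `json:"wrapped_key"` // recipient name -> RSA-OAEP(data key)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the store once under a fresh random data key and wraps that
// key for every recipient, so any single recipient can open the file later.
func Seal(store Store, recipients map[string]*rsa.PublicKey) (*EncryptedStore, error) {
	plaintext, err := json.Marshal(store)
	if err != nil {
		return nil, err
	}
	dataKey := make([]byte, 32) // AES-256 key; it only ever leaves memory wrapped
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	es := &EncryptedStore{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: make(map[string][]byte, len(recipients)),
	}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
		if err != nil {
			return nil, fmt.Errorf("wrap for %s: %w", name, err)
		}
		es.WrappedKey[name] = wrapped
	}
	return es, nil
}

// Open unwraps the data key with one recipient's private key and decrypts the store.
// An unlisted name, or the wrong private key for a listed name, fails at the unwrap step.
func Open(es *EncryptedStore, name string, priv *rsa.PrivateKey) (Store, error) {
	wrapped, ok := es.WrappedKey[name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this store", name)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap for %s: %w", name, err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, es.Nonce, es.Ciphertext, nil) // rejects any tampering
	if err != nil {
		return nil, err
	}
	var store Store
	if err := json.Unmarshal(plaintext, &store); err != nil {
		return nil, err
	}
	return store, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	es, err := Seal(Store{"db/password": "hunter2"}, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	fmt.Println(Open(es, "bob", bob))   // map[db/password:hunter2] <nil>
	fmt.Println(Open(es, "alice", bob)) // map[] unwrap for alice: crypto/rsa: decryption error
}
```

Two properties worth checking in any multi-recipient format: removing a recipient means re-encrypting under a new data key (deleting their wrapped copy does not revoke a key they already unwrapped), and the ciphertext must be authenticated (GCM here, a MDC or AEAD in OpenPGP) so that a stored file cannot be silently modified.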

9 comments

  Create a trousseau store, specify which gpg recipients are 
  allowed to open and modify it, and adding some key-value 
  pairs to, export it to s3 for example, and re-import it on 
  another device. As simple as that.
Simple?
$ export TROUSSEAU_PASSWORD=mysupperdupperpassword

nope.

You're right.

Two alternatives are possible: either add a '--password' global option allowing you to provide your password at runtime, or implement https://github.com/tmc/keyring.

What do you think? Any other alternatives to suggest?

gpg-agent, keychain, gnome-keyring, kwallet. keyring could be ok. It would be nice if it supported a few more things though; not everyone's a gnome user, for example. But since it's gpg, I would think gpg-agent suffices. Most keyrings actually emulate the agent (same for SSH).

proposing the env variable passphrase means a lot of people will put the password <in clear, plain text> in their .zshrc, .bashrc, you name it

Seriously, keyrings/keychains are not that hard to interface with on Linux/OSX.
Does anyone know an encrypted database that allows for searches? E.g. implementing an algorithm similar to http://crypto.stanford.edu/~eujin/papers/secureindex/
The Go language regular expression engine uses the Thompson NFA algorithm. It provides amazing performance.

I was thinking of implementing some basic search features in trousseau using it.

Would it fit with your needs?
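The question above is about searching without decrypting the whole store, which regex over decrypted values does not give you. As an added example, not Trousseau's code and not the Bloom-filter construction of the linked secure-index paper, here is the simplest form of that idea: each keyword is replaced by a keyed HMAC token, the storage side only ever sees tokens and record ids, and a query is a token computed client-side. The names Index, Build, Search and token, the index key, and the three sample records are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Index maps a keyword token (HMAC of the keyword) to the ids of the records
// that contain it. This is all the untrusted storage side gets to see.
type Index map[string][]string

// token derives a keyword token under the secret index key. Without the key,
// a token reveals nothing about the keyword beyond equality with other tokens.
func token(key []byte, word string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(word)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Build constructs the index client-side from plaintext records; only the
// tokens and record ids would be uploaded alongside the encrypted records.
func Build(key []byte, records map[string]string) Index {
	idx := Index{}
	for id, text := range records {
		seen := map[string]bool{}
		for _, w := range strings.Fields(text) {
			t := token(key, w)
			if !seen[t] {
				seen[t] = true
				idx[t] = append(idx[t], id)
			}
		}
	}
	for t := range idx {
		sort.Strings(idx[t])
	}
	return idx
}

// Search is what a client would send: one token per query word. The storage
// side intersects the posting lists without learning the words themselves.
func Search(idx Index, key []byte, words ...string) []string {
	var result map[string]bool // nil until the first word has been processed
	for _, w := range words {
		next := map[string]bool{}
		for _, id := range idx[token(key, w)] {
			if result == nil || result[id] {
				next[id] = true
			}
		}
		result = next
	}
	out := make([]string, 0, len(result))
	for id := range result {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

func main() {
	key := []byte("constructed-32-byte-index-key!!!") // would be derived from the store's secret
	idx := Build(key, map[string]string{
		"r1": "ssl cert for api",
		"r2": "ssh key for bastion",
		"r3": "SSL key for bastion",
	})
	fmt.Println(Search(idx, key, "ssl", "bastion")) // [r3]
	fmt.Println(len(idx["ssl"]))                    // 0: the index holds tokens, not words
}
```

The caveats are the ones that apply to every scheme of this family: it answers exact keyword matches only (no regex or prefix search), the storage side still learns which records share a token and how many records each token matches, and a stolen index key turns it back into a plaintext inverted index.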

> Trousseau is a gpg encrypted key-value store designed to be a simple, safe and relient place for your data.

Relient? I think he meant "reliant" but even that doesn't sound right. Reliant means "trustful", suggesting that the system trusts you. Maybe he meant "trustworthy". (Or just simply "reliable".)

("relient" is a French word meaning to connect, link, or join, and the author seems to be French. But that observation doesn't seem to help.)

Yes, I think the author also uses "sensible" in places where "sensitive" might be more appropriate.
I also believed that if you don't name the person/thing you're being reliant on, it means "trustworthy"; maybe it is a French-induced error?
resilient maybe?
My first thought was: "Key value store... let's see if it's written in Go..." haha, glad I wasn't disappointed!
It would be interesting to see some performance numbers vs other key-value databases. It would be slower, but still it would be great to see what impact it has.
trousseau wasn't built with performance in mind: not at all. The store file is encrypted/decrypted at each operation; at least until I implement some kind of pipeline.
This is a good example of clean, well written Go code.

Great job oleiade! This is definitely on my radar.

This looks interesting!

But I think it'd be better if the DEB repository were signed...

I asked bintray to add support for subkeys some weeks ago. No news since then, but they told me they were working on it. The problem right now is that you have to put your master gpg key on bintray to be able to sign: I wouldn't.

As soon as the subkeys are available on bintray, packages from the repo will be signed though :)

Not to sound ignorant, but what would you use this for?
There's a list of examples in the readme. I think the devops ideas are interesting.

    Store sensible data: Your brand new shiny infrastructure surely relies on many certificates and private keys of different kinds: ssl, rsa, gpg, ... Trousseau provides a simple and fine-tuned way to store their content in a single file that you can safely version using your favorite cvs. No more plain certificates and keys in your repositories and configuration files.