Rook, a secret service backed by Keepass 4.x kdbx
Rook, a secret service backed by Keepass 4.x kdbx
Howdy Lemmy,
I'm announcing Rook v0.0.9, software that provides a secret service a-la secret-tool, keyring, or pass/gopass, except backed by a Keepass 4.x kdbx file.
The problem Rook solves is mainly in script automation, where you have aerc, offlineimap, isync, vdirsyncer, msmtp, restic, or any other cron jobs that need passwords and which are often configured to fetch these passwords from a secret service with a CLI tool. Unlike existing solutions, Rook is headless and does not have a bespoke secrets database, full of passwords that must be manually synchronized with Keepass; instead, it uses a Keepass db directly.
While the readme goes into more detail, I will say the motivation for Rook evolved from a desire to use a Keepass db in a GUI-less environment and finding no existing solutions. KeepassXC provides a secret service, but is not headless; it also provides a CLI tool, but this requires the db credentials on every call. kpmenu exists, but is designed specifically to require human interaction and is unsuitable for cron environment scripting. Every other solution maintains its own DB back end, incompatible with Keepass.
Rook also benefits from minimal external dependencies, and at 1kloc is auditable by developers - I believe even by ones who do not know Go (the language of implementation). Being able to verify for yourself that there's no malicious code is a critical trait for a tool with which you're trusting secrets.
Rook is fit for purpose, and signed binaries are provided as well as build-from-source instructions (for auditors).
The project contains work in progress: credentials are limited to simple password-locked kdbx, and so doesn't yet support key files. Bash scripts that provide autotyping and attribute/secret selection via rofi, fzf, and xdotool are provided, for GUI environments; these have known bugs. Rook has not been tested on BSD, Darwin, or any other system than Linux, but may well work; the main sticking point is the use of a local file socket for client/server communication, so POSIX systems should be fine, but still, YMMV.
As a final caveat: up until v0.0.9 I've been compressing with brotli, which is very nice yet somewhat obscure. With the next release, everything will be gzipped. Also included in the next release will be packages for various distributions.
This looks interesting! I haven't had a chance to try it yet, but I've got a couple of questions:
- Is the password in
ROOK_PASSWORDstored in plain text? - When the database is unlocked by rook, can KeepassXC still be used to save entries to the same file?
Thanks!
- Yes. And no. The one external dependency Rook uses is tobischo's gokeepasslib to manage all things related to Keepass, and that doesn't store the password in plain text. Neither does Rook, intentionally, but there was a flag that was holding onto it; now that you've pointed it out, I've changed that. It's in v0.1.0, which I'll push in a sec. This isn't an issue in v0.0.9 if you use the
openclient command, because the password is used in a local variable and not in the flags lib, and exits scope immediately after the DB is opened. - Yes. Every time Rook accesses the DB, it checks the timestamp and if the file has changed, it reloads the the db.
However: if you're concerned about memory dumps by bad actors, do not use Rook. Do not use any secret service tool; do not use KeepassXC. All of these are susceptible to attacks by any account that can do memory dumps; but memory dumps are probably the least of your concerns if root is compromised.
I discuss this in the Security section of the readme.
- Yes. And no. The one external dependency Rook uses is tobischo's gokeepasslib to manage all things related to Keepass, and that doesn't store the password in plain text. Neither does Rook, intentionally, but there was a flag that was holding onto it; now that you've pointed it out, I've changed that. It's in v0.1.0, which I'll push in a sec. This isn't an issue in v0.0.9 if you use the
- Is the password in