
Glint Vault for Secure Configuration Management #2

Draft
johnnyfreeman wants to merge 1 commit into main from feature-vault

Conversation

@johnnyfreeman (Owner)

This PR introduces a comprehensive Vault system to Glint, enabling users to securely manage sensitive configuration files (e.g., environment files, secrets) through encryption and decryption workflows. The Vault functionality is designed to support compliance efforts, prevent accidental data exposure, and simplify workflows for managing secure data.

New Commands

1. `glint vault create`
   - Creates a new, empty encrypted vault file.
   - Prompts for a password during creation.
   - Example usage: `glint vault create --output secrets.toml.encrypted`
2. `glint vault encrypt <file>`
   - Encrypts an existing plain-text file into an encrypted vault file.
   - Options:
     - `--delete`: Deletes the original unencrypted file after encryption (with confirmation).
     - `--output <file>`: Specify the name of the encrypted file.
   - Example usage: `glint vault encrypt config.toml --delete`
3. `glint vault decrypt <file>`
   - Decrypts an encrypted vault file for viewing or editing.
   - Options:
     - `--output <file>`: Specify the name of the decrypted file.
     - `--temp`: Decrypts to a temporary file for immediate use (auto-deletes after).
   - Example usage: `glint vault decrypt secrets.toml.encrypted --temp`
4. `glint vault edit <file>`
   - Securely edits an encrypted file using the user's preferred editor.
   - Workflow:
     - Decrypts content in memory.
     - Pipes decrypted content to the editor specified by the `EDITOR` or `VISUAL` environment variable.
     - Captures edited content, re-encrypts it, and saves the file.
   - Options:
     - `--editor <editor>`: Specify a custom editor (e.g., vim, nano).
     - `--backup`: Creates a backup of the original encrypted file before editing.
   - Example usage: `glint vault edit secrets.toml.encrypted --editor vim`
5. `glint vault rotate <file>`
   - Changes the password for an encrypted file.
   - Prompts for the current password and a new password.
   - Example usage: `glint vault rotate secrets.toml.encrypted`
6. `glint vault list`
   - Lists all `.encrypted` files in the current directory or a specified path.
   - Example usage: `glint vault list --path /configs`
7. `glint vault view <file>`
   - Securely displays the decrypted contents of an encrypted file directly in the terminal (no files are written to disk).
   - Example usage: `glint vault view secrets.toml.encrypted`

Features

Encryption/Decryption:
- Uses AES-256 encryption for robust security.
- Decrypts files entirely in memory to prevent accidental exposure.

Editor Integration:
- Supports external editors via EDITOR or VISUAL environment variables.
- Defaults to nano if no editor is specified.

Compliance-Friendly:
- No temporary files are written to disk (except when explicitly requested).
- Secure workflows for managing sensitive data.

Flexible Options:
- Optional --delete and --backup flags for streamlined file management.
- Customizable output file locations and names.

Example Workflows

Encrypt a Configuration File:

glint vault encrypt config.toml --delete

Edit an Encrypted File:

glint vault edit secrets.toml.encrypted

Rotate the Password for a File:

glint vault rotate secrets.toml.encrypted

List All Encrypted Files:

glint vault list

Securely View a File's Content:

glint vault view secrets.toml.encrypted

Future Enhancements

  • Add support for additional encryption algorithms.
  • Introduce environment-aware encryption (e.g., per-environment vaults).
  • Provide integration with external secrets management systems (e.g., AWS Secrets Manager, HashiCorp Vault).

This new Vault functionality enhances Glint’s capabilities, offering users a secure, user-friendly way to manage sensitive data while adhering to best practices for compliance and security.
