StackExchange / blackbox

Safely store secrets in Git/Mercurial/Subversion


scoped secrets

bluebrown opened this issue · comments

Hi, it would be nice if we could scope secrets. For example, user-a can decrypt all secrets in the repo, but user-b can only decrypt a specific secret.

Hi there!

This feature kind of exists already.

You can have multiple keychains in the same repo.

export BLACKBOXDATA='.blackbox/teamA'
blackbox_init ...
# do things as teamA

export BLACKBOXDATA='.blackbox/teamB'
blackbox_init ...
# do things as teamB

There's no hierarchy of control, but it works fine if you have 2-3 small teams. (and as I try to emphasize: BB was created for small teams and a small number of files. It is just a wrapper around "gpg --decrypt" and not much more.)

Tom

Ay, I was thinking about something like this. I didn't know about BLACKBOXDATA, that's for sure useful. Thank you.

The downside I see with this is that you can't have a user that can decrypt all secrets without providing different data locations. For example, some CI/CD tool should be able to decrypt all of them. We could give it all the keys, but it would still be difficult to know what key to use for what encrypted file.

Yes, you would have to loop through all the keychains and decrypt the files associated with each.

Quoting from the README: "WARNING: The goal of this project is to be a simple wrapper around gpg so you and your coworkers don't have to remember its all those inscrutable and confusing flags. It is not intended to be a sophisticated encryption system that solves all problems or supports a large numbers of files. The ideal use-case is to keep secrets in a secure service such as Conjur, AWS KMS, Azure Key Vault or GCP KMS; then use Blackbox for safely storing the API keys needed to access that system. That way you are encrypting one tiny file."

I highly recommend https://www.agwa.name/projects/git-crypt/ if you need more sophisticated features.
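The loop Tom describes (one BLACKBOXDATA directory per team, and a CI user that walks every keychain and decrypts the files registered in each) as an added shell example. This is not code from the blackbox project or from anyone in this thread. It assumes the layout from Tom's earlier reply: each keychain is a directory under `.blackbox/` that holds its own `blackbox-files.txt`, and `BLACKBOXDATA` is given as a path relative to the repo root. The decrypt command is a parameter so the loop can be exercised with a stand-in instead of the real `blackbox_decrypt_all_files`; in production the CI user's key must be an admin in every keychain it is expected to open.

```shell
#!/usr/bin/env bash
# Added example, not part of blackbox itself: decrypt every keychain in a repo
# that uses the multi-keychain layout (.blackbox/teamA, .blackbox/teamB, ...).
set -u

# list_keychains REPO_ROOT
# Prints one keychain directory per line. A directory counts as a keychain only
# if it carries a blackbox-files.txt (assumption: that is how each BLACKBOXDATA
# directory was initialised with blackbox_init).
list_keychains() {
  local root="$1"
  local d
  for d in "$root"/.blackbox/*/; do
    [ -f "${d}blackbox-files.txt" ] || continue
    printf '%s\n' "${d%/}"
  done
}

# decrypt_all_keychains REPO_ROOT [DECRYPT_CMD]
# For each keychain, export BLACKBOXDATA relative to the repo root (assumption:
# blackbox resolves it against the repo base, as in Tom's example) and run the
# decrypt command there. DECRYPT_CMD defaults to blackbox_decrypt_all_files;
# pass another command (or a shell function) to dry-run the loop without gpg.
# Stops at the first keychain that fails, so a CI job does not half-succeed.
decrypt_all_keychains() {
  local root="$1"
  local cmd="${2:-blackbox_decrypt_all_files}"
  list_keychains "$root" | while IFS= read -r kc; do
    rel="${kc#$root/}"
    ( cd "$root" && BLACKBOXDATA="$rel" "$cmd" ) || exit 1
  done
}

# Usage from a CI job, run at the repo root:
#   decrypt_all_keychains "$(pwd)"
```

Each keychain is handled in a subshell so a failed `cd` or decrypt in one team's directory cannot leak a wrong `BLACKBOXDATA` into the next iteration; the pipeline's exit status then tells the CI job that at least one keychain could not be opened.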

I will take a look. Thanks for the suggestion.