twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.

Home Page: https://www.chezmoi.io/

Is there a way to avoid being prompted for password manager password on every operation?

NikolausDemmel opened this issue · comments

What exactly are you trying to do?

I just started using chezmoi and am setting it up on an existing machine and at the same machine that I'm currently setting up to transfer my configuration.

Templates and the password manager integration seemed like a great feature to manage some secrets including my private ssh key and a few tokens in config files (e.g. {{ keepassxcAttribute "ssh key" "private-key" }} for the private key file).

However, after setting up Keepass integration and using it in a template, I now have to type in my keepass database password on pretty much every chezmoi operation (diff, update, merge, etc). This is very cumbersome and not a great user experience. In particular, it was intended mostly just as a convenience for what is in many cases a one-time transfer of credentials (for example, the private key doesn't change often).

Similar to #3747 I would like a way to skip updating / diffing templates that use password manager integration. Ideally by default, such that I can manually add a flag to include them when I know some credentials changed.

More sophisticated solutions would be some automatic check to see, for example, if the template has changed, and in that case still execute the template expansion and prompt for the password (of course that would not be perfect, since chezmoi won't be able to tell if the secret from the password manager has changed).

What would also help is if the credential were cached for some period of time. In particular for KeepassXC, it would be a nice user experience if the integration would not prompt for the password at all, but instead used the state of the running KeepassXC application and the database being unlocked there. This unlock period can be configured in KeepassXC, and one can also use "quick unlock", for example with the finger scanner, just like it works when manually using KeepassXC.

What have you tried so far?

chezmoi update -x templates works, but it skips ALL templates, not just those that rely on password manager input.

Also, it's not "default on", meaning in most cases I need to type quite a bit more for every chezmoi operation to add -x templates.

Where else have you checked for solutions?

Oh, maybe it would also be ok for a user experience if there was an option to mark files tracked by chezmoi as "to be skipped by default", such that all operations ignore these files, unless you provide an additional flag, which then makes chezmoi run with all known files.

I found a way to make this sort of work: Add all files I want to skip by default to .chezmoiignore and locally modify the ignore file when I want to run all templates. It's not great UX, but it gets the job done.

Because it would require static analysis that is far beyond the scope of chezmoi, this isn’t going to be implemented. Deliberately low-tech password managers like keepassxc or pass are always going to have this sort of problem where they cannot cache credentials. Bitwarden (with bw) has a persistent environment variable token that can be set, Bitwarden (with rbw) has a session daemon that invalidates the session after a period (by default one hour) of non-use, and 1Password has the environment variable token (for non-biometric authentication) with per-PTY session authentication and/or biometric authentication with per-PTY session authentication.

See also #3687

In #3657, I suggest something like your "local" modification, but automated through environment variables in your .chezmoiignore:

{{ if not (env "APPLY_ENCRYPTED") }}
file-to-skip-1
file-to-skip-2
…
{{ end }}

You would see the difference by doing chezmoi execute-template < .chezmoiignore and APPLY_ENCRYPTED=1 chezmoi execute-template < .chezmoiignore.

@twpayne I think that this question has come up frequently enough that we should probably have something in the FAQ. My recommendation is always to use a better password manager that understands sessions, but pointing people to the env-test-in-chezmoiignore is going to be easier for people who don't want to do that.

A more specific instance of this suggestion (for use with BW_SESSION for BitWarden, specifically) is found in #3202 (reply in thread).
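To show what the env-test-in-.chezmoiignore trick above actually evaluates to, here is an added Go example (not chezmoi's own code) that renders a constructed .chezmoiignore with Go's text/template and a sprig-style env function that wraps os.Getenv, which is what chezmoi's execute-template does with this file. The two paths are placeholders; it also shows the caveat that any non-empty value, including APPLY_ENCRYPTED=0, disables the skip.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// ignoreTemplate is a constructed .chezmoiignore in the shape suggested
// in the thread; the two target paths are placeholders.
const ignoreTemplate = `{{ if not (env "APPLY_ENCRYPTED") }}
.ssh/id_ed25519
.config/tokens.toml
{{ end }}
`

// renderIgnore evaluates the template the way chezmoi does for
// .chezmoiignore: "env" wraps os.Getenv, and Go templates treat only an
// empty string as false, so "if not (env ...)" skips the files unless the
// variable is set to any non-empty value. It returns the resulting
// non-empty lines, i.e. the targets chezmoi would ignore.
func renderIgnore(tmpl string) ([]string, error) {
	funcs := template.FuncMap{"env": os.Getenv}
	t, err := template.New("chezmoiignore").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return nil, err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, nil); err != nil {
		return nil, err
	}
	var paths []string
	for _, line := range strings.Split(sb.String(), "\n") {
		if line = strings.TrimSpace(line); line != "" {
			paths = append(paths, line)
		}
	}
	return paths, nil
}

func main() {
	os.Unsetenv("APPLY_ENCRYPTED")
	paths, _ := renderIgnore(ignoreTemplate)
	fmt.Println("default:", paths) // secret-bearing files are ignored

	os.Setenv("APPLY_ENCRYPTED", "1")
	paths, _ = renderIgnore(ignoreTemplate)
	fmt.Println("APPLY_ENCRYPTED=1:", paths) // nothing ignored

	os.Setenv("APPLY_ENCRYPTED", "0")
	paths, _ = renderIgnore(ignoreTemplate)
	fmt.Println("APPLY_ENCRYPTED=0:", paths) // still nothing ignored
}
```

Because the gate is only on the variable being non-empty, unset it (rather than setting it to 0) to return to the default skip behaviour.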

Thank you very much for your prompt, thorough and informative reply!

In #3657, I suggest something like your "local" modification, but automated through environment variables in your .chezmoiignore:

This sounds like it gets me very close to what I had in mind with the "manually mark files to ignore by default". Switching by setting an environment variable is almost as simple as adding a flag to the command. I think I'll use this approach for now. Thanks!

Deliberately low-tech password managers like keepassxc or pass are always going to have this sort of problem where they cannot cache credentials.

Yeah, that's true. It looks like keepassxc-cli is intentionally a stand-alone, stateless interface to read the database. It would be neat if there was a cli tool from KeepassXC that would use the Application state and access credentials when the database is unlocked anyway. A bit like the browser integration. But I'm not sure it exists. A quick search showed some discussions where people wanted this, but it sounded like it didn't exist yet...

It's worth noting that chezmoi now supports keepassxc.mode = "open" (since #3443), which uses a shell-like interface, keeping keepassxc-cli open for the duration of an execution so that it does not have to call keepassxc-cli multiple times. This is required, in part, to support YubiKeys with KeepassXC.

This doesn't solve your immediate problem, but it suggests that this sort of thing is possible.