Feature - Optional obfuscation of the secrets in the output
r0bb3n opened this issue · 4 comments
Hi,
I am considering using your nice tool for some automated change tracking. For my scenario the actual value of the password field is not relevant but rather a security risk if this is readable in the output.
Therefore I wanted to suggest a CLI option that leads to an obfuscation of this sensitive data (e.g. replaced by `***`, `<omitted>`, `[masked]`) when printing.
Unfortunately I have no clue about Rust, otherwise I would have thought about providing a PR for that.
Let me know what you think about this idea. Thanks.
Best regards,
r0bb3n
Hi @r0bb3n, would it make sense to have a "--quiet" flag to remove all output and give a hint through the exit code whether two files match or not?
Hi @Narigo,
no, that would not really help, because I still need to identify the entries that have changed.
Saying that, in my case it would also be fine if no properties of a modified entry are printed - if that might be easier to achieve. 🤔
I think we can do what you proposed. At least there are different kinds of fields / entries: `Protected`, `Unprotected` and `Binary`. The `Protected` ones are passwords and instead of just showing their content, we can put in something like `*** MASKED ***` 🤔
Hi, wasn't aware of such a type. I agree that this would be a more sustainable approach than focussing on the password field only.
For the actual masking value I am fine with your proposal but we might need to have two values to avoid producing two diff lines with the same content? 🤔
Maybe something like this:
- [Root, My Entry, Password = *** MASKED A ***]
+ [Root, My Entry, Password = *** MASKED B ***]
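
The masking discussed in this thread, as an added Rust sketch that is not the project's code: fields are compared on their real values and `Protected` ones are masked only at print time, with an A/B marker so the two lines of a changed secret differ. The names `Value`, `Entry`, `render` and `diff_entry` and the `mask` switch are hypothetical.

```rust
use std::collections::{BTreeMap, BTreeSet};
// Hypothetical model of the three field kinds named in the thread.
#[derive(Clone, PartialEq)]
enum Value {
    Protected(String),
    Unprotected(String),
    Binary(Vec<u8>),
}

type Entry = BTreeMap<String, Value>;

// Render one value for output. `side` is 'A' (old) or 'B' (new), so the two
// masked lines of a changed secret never print identical text.
fn render(v: &Value, mask: bool, side: char) -> String {
    match v {
        Value::Protected(_) if mask => format!("*** MASKED {} ***", side),
        Value::Protected(s) | Value::Unprotected(s) => s.clone(),
        Value::Binary(b) => format!("<{} bytes>", b.len()),
    }
}

// Compare on the real values, mask only when formatting: masking first would
// make every changed password look unchanged.
fn diff_entry(path: &str, old: &Entry, new: &Entry, mask: bool) -> Vec<String> {
    let keys: BTreeSet<&String> = old.keys().chain(new.keys()).collect();
    let mut out = Vec::new();
    for k in keys {
        let (a, b) = (old.get(k), new.get(k));
        if a == b { continue; }
        if let Some(a) = a {
            out.push(format!("- [{}, {} = {}]", path, k, render(a, mask, 'A')));
        }
        if let Some(b) = b {
            out.push(format!("+ [{}, {} = {}]", path, k, render(b, mask, 'B')));
        }
    }
    out
}

fn main() {
    // Constructed sample entries.
    let mut old = Entry::new();
    old.insert("Password".into(), Value::Protected("old-secret".into()));
    old.insert("UserName".into(), Value::Unprotected("alice".into()));
    let mut new = old.clone();
    new.insert("Password".into(), Value::Protected("new-secret".into()));
    for line in diff_entry("Root, My Entry", &old, &new, true) {
        println!("{}", line);
    }
}
```

The mask has a fixed width, so the output does not reveal the length of either secret.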