To encrypt and decrypt secret attributes, Tabulify uses a passphrase.
This passphrase is used to generate a cryptographic key for the encryption.
In Tabli, the passphrase can be given with the --passphrase global option.
According to the Kerckhoffs' principle only secrecy of the key provides security, you should take great care of your passphrase
In an development environment, a passphrase could be shared broadly because the data should have no secrecy character.
In an production environment, the passphrase should be manipulated with care and be kept private.
You can achieve with several methods. We give two methods below.
A wrapper script is a script that wraps the command with the following permissions:
- no read (can't be read)
The script can be executed but cannot be read by the user.
tabli --passphrase secret "$@"
If your environment has a credential vault functionality with SSO, you could retrieve it programmatically based on the credentials of the logged user.