Retrieving secrets via external command


Plakar can retrieve a Kloset Store passphrase by executing an external command. The command must write the passphrase to standard output. This lets you integrate password managers or secret stores instead of keeping the passphrase in plain text in the Plakar configuration.

Why you’d use an external command to retrieve passphrases


By default, Plakar prompts for the store passphrase on every command that acts on the store. You can avoid the prompt by storing the passphrase in the configuration, but that keeps it in plain text on disk.

For better security, you can delegate passphrase retrieval to an external secret manager such as 1Password, gopass, or HashiCorp Vault so the passphrase is never stored in plain text and access can be audited or revoked through the secret manager itself.

Setting the command


Pass passphrase_cmd when adding the store:

$ plakar store add mystore \
  location=/var/backups \
  passphrase_cmd='gopass show mystore/passphrase'

Or update an existing store:

$ plakar store set mystore passphrase_cmd='gopass show mystore/passphrase'

When you access the store, Plakar executes the command, reads its stdout, and uses the result as the passphrase:

$ plakar at "@mystore" ls

Examples


gopass

passphrase_cmd='gopass show mystore/passphrase'

1Password CLI

passphrase_cmd='op read "op://Personal/mystore/password"'

HashiCorp Vault

passphrase_cmd='vault kv get -field=password secret/mystore'

Limitation


The only hard requirement is that the command must not read from stdin. Plakar does not connect a terminal to the command’s stdin, so anything that attempts to read from it will fail. System-level prompts (biometrics, OS dialogs, GUI windows) are fine as long as they do not need input typed into the terminal.

The command must write only the passphrase to stdout. Any extra output will be treated as part of the passphrase.
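Both constraints can be checked before a command is written into the configuration. The POSIX shell function below is an added example and is not part of Plakar or its documentation: it dry-runs a candidate passphrase_cmd with stdin detached and reports whether what it writes to stdout would be usable as a passphrase. It assumes things the page does not state, namely that the command string is interpreted by sh -c and that the detached stdin behaves like /dev/null, and by design it tolerates a single trailing newline while flagging any other extra output. The commands at the bottom are constructed stand-ins, not real secret-manager invocations.

```shell
#!/bin/sh
# Added example, not part of Plakar or its documentation.
#
# check_passphrase_cmd dry-runs a candidate passphrase_cmd the way a
# non-interactive caller would and reports whether its output is usable as
# a passphrase.  Assumptions (not stated by the Plakar docs): the command
# string is run through "sh -c", a detached stdin is modelled as /dev/null,
# and a single trailing newline is tolerated while any other extra output
# is reported as a failure.
#
# Usage: check_passphrase_cmd 'gopass show mystore/passphrase'
# Returns 0 when the command would yield a passphrase, 1 otherwise.

check_passphrase_cmd() {
    cmd=$1
    out=$(mktemp) || return 2
    err=$(mktemp) || { rm -f "$out"; return 2; }

    # No terminal on stdin: anything that tries to read it sees EOF.
    if sh -c "$cmd" </dev/null >"$out" 2>"$err"; then
        status=0
    else
        status=$?
    fi

    bytes=$(wc -c <"$out" | tr -d ' ')
    newlines=$(tr -cd '\n' <"$out" | wc -c | tr -d ' ')
    last=$(tail -c 1 "$out")          # empty when the last byte is a newline
    err_bytes=$(wc -c <"$err" | tr -d ' ')
    rm -f "$out" "$err"

    # Everything on stdout becomes the passphrase; one trailing newline is
    # the only extra byte this check lets pass.
    content=$bytes
    if [ "$newlines" -eq 1 ] && [ -z "$last" ]; then
        content=$((bytes - 1))
    fi

    if [ "$status" -ne 0 ]; then
        echo "FAIL: exit status $status (a command that waits for stdin fails here)" >&2
        return 1
    fi
    if [ "$content" -eq 0 ]; then
        echo "FAIL: nothing on stdout; the passphrase would be empty" >&2
        return 1
    fi
    if [ "$newlines" -gt 1 ] || { [ "$newlines" -eq 1 ] && [ -n "$last" ]; }; then
        echo "FAIL: multi-line output; every line would become part of the passphrase" >&2
        return 1
    fi
    if [ "$err_bytes" -gt 0 ]; then
        echo "note: command also wrote $err_bytes byte(s) to stderr" >&2
    fi
    echo "OK: $content passphrase byte(s) on stdout"
    return 0
}

# Constructed stand-ins for a real secret-manager command:
check_passphrase_cmd "printf '%s' constructed-secret"   # OK
check_passphrase_cmd "cat" || :                         # FAIL: reads stdin, gets EOF
check_passphrase_cmd "printf 'line1\nline2\n'" || :     # FAIL: multi-line output
```

Run it against the real command, for example `check_passphrase_cmd 'gopass show mystore/passphrase'`, in the same environment Plakar will run in: a secret manager that is unlocked in an interactive session can still behave differently when invoked without a terminal on stdin, and that is exactly the case the check exercises.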

What’s coming


External command resolution is currently limited to the passphrase. Work is underway to extend this to other configuration fields such as storage credentials and tokens.