Add manage command

[dooferlad]

Prior to this change, if we wanted to add or remove a master key, we had to rotate the data key. While there is nothing wrong with rotating the data key, having to do so at the same time as adding or removing a master key makes git history noisy.

This change adds a manage command, which allows separate master key management to data key rotation.

[felixfontein]

Sorry that I didn't think about this earlier, but adding new master keys without cycling the data password also has potential security implications that can be dangerous. Think of a devops git repo where a file is readable by users A and B and contains some high-value secrets. At some point it is decided that parts of that file also need to be readable by C, so the things that should not be read by C are moved to another file, and then this command is used to give C access to this file.

Since the data key has not been cycled, C now has access to the data key and to the git history, allowing C to also read the parts that C was not supposed to be able to read.

This is probably why so far there's only rotate, which always rotates the data key.

[dooferlad]

That is reasonable - do you think this could land with a big fat warning? In my case we wanted to add a second key so we had a backup key and there isn't a history problem. I really don't mind dropping this since I have already used it locally.

[felixfontein]

I personally think it is ok with a big fat warning, since there are cases (like the one you are describing) where this is really useful. But I'm just a random person making comments here, my opinion doesn't count that much ;) @ajvb what do you think?