voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

Decrypting encrypted files on a client. #100

Open apci-cclaflin opened 10 years ago

apci-cclaflin commented 10 years ago

I apologize for creating an "issue" for this but don't know where else to ask for help. What is the intended use case for encrypting/decrypting entire files?

I have hiera-eyaml working when I encrypt a string (such as a password) using: eyaml encrypt -s 'hello there' I then take the string output from that command and put it in either the environment or fqdn yaml file of a client. When puppet runs on the client it decrypts the hiera variable properly.

I'm running into an issue when trying to encrypt nginx website SSL certificates. The string that is created is so large that vi complains about the maxmem setting, and adding it to my env/fqdn yaml makes those harder to keep organized.

What we have in place now is that the website.key & website.crt data is stored in separate files in the files directory of our nginx module. I would like to encrypt those files and then have puppet decrypt them on the client.

When I use the command "eyaml encrypt -f filename" to encrypt the .crt & .key files and paste the string output into another file, I am able to verify the website SSL certificate data is there using the "eyaml edit filename" command. However, if I use the block output then the eyaml edit command still shows the data to be encrypted.

I've tried putting the encrypted string output in both website.crt and website.crt.yaml files and in both cases the output on the client is still encrypted.

I'm sure that it is something I'm doing wrong but can't find thorough documentation to help me resolve it.

Here are my software versions:

Ubuntu 12.04
puppetmaster: 3.6.0-1puppetlabs1
puppet: 3.6.0-1puppetlabs1
gems:
daemon_controller (1.2.0)
gpgme (2.0.5)
hiera (1.3.4)
hiera-eyaml (2.0.2)
highline (1.6.21)
json_pure (1.8.1)
mini_portile (0.6.0)
msgpack (0.5.8)
passenger (4.0.45)
rack (1.5.2)
rake (10.3.2)
trollop (2.0)

Here is my hiera.yaml file:

    ---
    :backends:
        - eyaml
        - yaml
        - puppet
    :logger: console
    :hierarchy:
        - fqdn/%{fqdn}
        - env/%{environment}
        - common
    :eyaml:
        :datadir: "/etc/puppet/hieradata"
        :extension: 'yaml'
        :pkcs7_private_key: /etc/puppet/keys/private_key.pkcs7.pem
        :pkcs7_public_key:  /etc/puppet/keys/public_key.pkcs7.pem
    :yaml:
        :datadir: "/etc/puppet/hieradata"
    :puppet:
        :datasource: data

And here is the section of the module manifest that is creating the file:

    file { "${ssl_key}":
      owner   => root,
      group   => root,
      mode    => '0600',   # quoted; an unquoted 600 is treated as a number and misinterpreted
      replace => true,
      source  => "puppet:///modules/nginx/${ssl_file}.key.yaml"
    }

gtmtech commented 10 years ago

Did you get anywhere with this @apci-cclaflin or do you still want help with it?

apci-cclaflin commented 10 years ago

I just split up the yaml files and put the encrypted content in one file and the non-encrypted content in another file so that I can keep the files organized.

I am still curious as to what the use case is if it's not being able to decrypt the encrypted files on the fly.

gtmtech commented 9 years ago

eyaml edit expects the input file to be a .eyaml format file - that is, at the very least a file which also conforms to the YAML spec.

The eyaml encrypt -f MY_KEY_FILE -o block format will return you an ENC block suitable for including elsewhere, however it is not an eyaml file in itself, and so this will not work:

    eyaml encrypt -f my_key.pem -o block > super_secret_file.eyaml
    eyaml edit super_secret_file.eyaml  # won't decrypt it

However, you can generate a YAML block by giving it a label as follows:

    eyaml encrypt -f my_key.pem -o block -l my_secret_key > super_secret_file.eyaml
    eyaml edit super_secret_file.eyaml  # this will work

eyaml -o also comes with type examples to show you how you could include a secret in multiple ways in your eyaml files:

    eyaml encrypt -f my_key.pem -o examples > super_secret_file.eyaml
    eyaml edit super_secret_file.eyaml  # this will also work

Is this what you were asking?
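Added example, not code from the thread or from hiera-eyaml: the labelled -o block output above is a Hiera key, so the manifest has to obtain the key material through a Hiera lookup instead of a puppet:///modules/... source, because only the eyaml backend decrypts and a file source copies the file bytes unchanged. The label website_ssl_key, the class name and the key path are assumptions.

```puppet
# Added example (not from the thread). Assumes the private key was encrypted with
#   eyaml encrypt -f website.key -o block -l website_ssl_key
# and the resulting "website_ssl_key: >" block was pasted into a data file in the
# hierarchy, e.g. /etc/puppet/hieradata/fqdn/<fqdn>.yaml.
#
# The eyaml backend decrypts only during a Hiera lookup on the master. A
# puppet:///modules/... source never goes through Hiera, so the agent would
# receive the ENC[PKCS7,...] text verbatim; use the lookup result as content.
class nginx::ssl_key (
  $ssl_key = '/etc/nginx/ssl/website.key',  # assumed path
) {
  $key_pem = hiera('website_ssl_key')

  # Refuse to write an undecrypted value to disk; this catches a missing
  # private key on the master or a mistyped label.
  if $key_pem =~ /^ENC\[/ {
    fail('Hiera returned ciphertext for website_ssl_key; eyaml did not decrypt it')
  }

  file { $ssl_key:
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => $key_pem,
    show_diff => false,  # keep key material out of reports and logs
  }
}
```

The decrypted PEM exists only in the catalog sent to the agent over Puppet's TLS channel; the agent itself never needs the PKCS7 private key.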

gtmtech commented 9 years ago

bump @apci-cclaflin

jordigg commented 8 years ago

Sorry to bump this old question but I have the same problem. I have tried with eyaml encrypt -f my_key.pem -o block -l my_secret_key > super_secret_file.eyaml and even though I can encrypt/unencrypt and edit on the puppetserver I keep getting the file with the encrypted content on the agent. Other single encrypted parameters work just fine but I can't handle full files. What am I doing wrong?

Thanks for your help!

mpdude commented 8 years ago

bump. Seems to be the same question as in #197.