chef-encrypted-attributes 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 81a47b4f918da2922455d6f7ad7b30905f62f4b4
-  data.tar.gz: 8addbdca43184f9f8667cb4892caeaa611dbbc29
+  metadata.gz: e6d1bc69146514a06cc1e531b167dcc1181d2076
+  data.tar.gz: f0bd3f332555ff57c8fc1340d855df6ef8c98615
 SHA512:
-  metadata.gz: 7fbcf0de4167e824004e14ec8f8989f3faa3b802d27d470ac2fbd2c7fd16af34f706286b1b4a605f1427ab2db07f01a66994276b097b4dfa7a139d0255bd70e7
-  data.tar.gz: 2cc100fdfc8c09f5697a46d5c0765ef1815df93974da30ea154baafb4a76921797abe9a83e54edc9e688d02e793dcff82779ed2f307bc90e17aa19d9c0de200a
+  metadata.gz: 3e62b8c12e4dcb98b2fee808e01a8ca27e390cd434e3c4bcb9c53720ed0965ec2ecb6fcb4e9f476c03e645046d1a209912e6941663daa459eaff7534e0271124
+  data.tar.gz: aa3e2077dd7c68289ff0e7c79ffbfc928c5ae3e3dcd94bba77471ec478e7f6ec0bfe29de80f6cf4b5aeeb320ed88ddd8869f95cf2fc701d4830c64d41fb9e6ef

data/.yardopts

@@ -0,0 +1,8 @@
+--markup markdown
+-
+CHANGELOG.md
+CONTRIBUTING.md
+KNIFE.md
+README.md
+TESTING.md
+TODO.md

data/CHANGELOG.md

@@ -2,13 +2,49 @@
 
 This file is used to list changes made in each version of `chef-encrypted-attributes`.
 
-## 0.3.0:
+## 0.4.0 (2014-12-10)
+
+* Add Chef `12` support.
+* Read `node['public_key']` instead of client public key when set.
+* Add *chef/encrypted_attributes* library file.
+ * **Deprecates** *chef-encrypted-attributes* library file.
+* Replace `yajl` gem by `ffi_yajl` gem.
+* Gemspec: fix Ruby `< 1.9.3` support (mixlib-shellout `< 1.6.1`).
+* Rename `InvalidPrivateKey` exception to `InvalidKey`.
+* Add UTF-8 encoding header to all files.
+* Big code refactor and clean-up.
+  * Code refactor all clases.
+  * Add `Chef::EncryptedAttribute::API` module.
+  * Clean-up Gemspec and Rakefile files code.
+
+* Tests:
+ * Review and clean-up all tests.
+ * Integrate tests with `should_not` gem.
+ * Integrate with RuboCop.
+ * Add some knife unit tests.
+ * Update tests to RSpec `3.1`.
+ * Update tests to chef-zero `3.2`.
+
+* Documentation:
+ * Document all classes and integrate them with yard and inch.
+ * Add KNIFE.md file.
+ * Move INTERNAL.md documentation to gem documentation.
+ * Move API.md documentation to gem documentation.
+ * README:
+  * Multiple fixes and improvements.
+  * Use chef.io domain for links.
+  * Add codeclimate badge.
+  * Add inch-ci documentation badge.
+ * Fix CHANGELOG format.
+ * CONTRIBUTING: add documetation about documentation.
+
+## 0.3.0 (2014-08-25)
 
 * gemspec: added the missing CONTRIBUTING.md file
 * README: replaced exist_on_node? by exist? in users_data_bag example
 * Added the required `:node_search` option (fixes the `"role:..."` examples).
 
-## 0.2.0:
+## 0.2.0 (2014-08-12)
 
 * Deprecate `#exists?` methods in favor of `#exist?` methods
 * Fixed all RSpec deprecation warnings
@@ -20,7 +56,7 @@ This file is used to list changes made in each version of `chef-encrypted-attrib
 * Added gem signing certificate
 * gemspec: added dev dependency versions with pessimistic operator
 
-## 0.1.1:
+## 0.1.1 (2014-05-23)
 
 * gemspec: replaced open-ended chef dependency by `~> 11.4`
 * Fixed ruby `1.9.2` decryption (uses `PKCS#1` for public key format)
@@ -28,6 +64,6 @@ This file is used to list changes made in each version of `chef-encrypted-attrib
 * INTERNAL doc: added `EncryptedMash` class name to the Version0 structure
 * Added shields.io badges
 
-## 0.1.0:
+## 0.1.0 (2014-05-21)
 
 * Initial release of `chef-encrypted-attributes`

data/CONTRIBUTING.md

@@ -1,13 +1,14 @@
 Contributing
 ============
 
-1. [Fork the repository on Github](https://help.github.com/articles/fork-a-repo).
+1. [Fork the repository on GitHub](https://help.github.com/articles/fork-a-repo).
 2. Create a named feature branch (`$ git checkout -b my-new-feature`).
 3. Write tests for your change (if applicable).
 4. Write your change.
-5. [Run the tests](TESTING.md), ensuring they all pass (`$ bundle exec rake`). Try as much as possible **not to reduce coverage**.
-6. Commit your change (`$ git commit -am 'Add some feature'`).
-7. Push to the branch (`$ git push origin my-new-feature`).
-8. [Submit a Pull Request using Github](https://help.github.com/articles/creating-a-pull-request).
+5. Add documentation to your change.
+6. [Run the tests](https://github.com/onddo/chef-encrypted-attributes/blob/master/TESTING.md), ensuring they all pass (`$ bundle exec rake`). Try as much as possible **not to reduce coverage**.
+7. Commit your change (`$ git commit -am 'Add some feature'`).
+8. Push to the branch (`$ git push origin my-new-feature`).
+9. [Submit a Pull Request using GitHub](https://help.github.com/articles/creating-a-pull-request).
 
-You can see the [TODO.md](TODO.md) file if you're looking for inspiration.
+You can see the [TODO.md](https://github.com/onddo/chef-encrypted-attributes/blob/master/TODO.md) file if you're looking for inspiration.

data/KNIFE.md

@@ -0,0 +1,151 @@
+# Knife Commands
+
+There are multiple commands to read, create and modify the encrypted attributes. All the commands will grant access privileges to the affected node by default (encrypted attributes are written in Node Attributes). But you will not be allowed to access them by default, so remember to give your own knife user privileges before creating or saving the attribute.
+
+The `ATTRIBUTE` name must be specified using *dots* notation. For example, for `node['encrypted']['attribute']`, you must specify `"encrypted.attribute"` as knife argument. If the attribute key has a *dot* in its name, you must escape it. For example: `"encrypted.attribute\.with\.dots"`.
+
+Read the [Chef Users Limitation](http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation) caveat before trying to use any knife command.
+
+## Installing the Required Gem
+
+You need to install the `chef-encrypted-attributes` gem before using this knife commands.
+
+    $ gem install chef-encrypted-attributes
+
+## knife.rb
+
+Some configuration values can be set in your local `knife.rb` configuration file inside the `knife[:encrypted_attributes]` configuraiton space. For example:
+
+```ruby
+knife[:encrypted_attributes][:users] = '*' # allow access to all knife users
+```
+
+See the [API Configuration](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/API.html#Configuration) section for more configuration values.
+
+## knife encrypted attribute show
+
+Shows the decrypted attribute content.
+
+    $ knife encrypted attribute show NODE ATTRIBUTE (options)
+
+For example:
+
+    $ knife encrypted attribute show ftp.example.com myapp.ftp_password
+
+## knife encrypted attribute create
+
+Creates an encrypted attribute in a node. The attribute cannot already exist.
+
+    $ knife encrypted attribute create NODE ATTRIBUTE (options)
+
+If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
+
+For example:
+
+    $ export EDITOR=vi
+    $ knife encrypted attribute create ftp.example.com myapp.ftp_password \
+        -U bob -U alice
+
+## knife encrypted attribute update
+
+Updates who can read the attribute (for `:client_search` and `:node_search` changes).
+
+    $ knife encrypted attribute update NODE ATTRIBUTE (options)
+
+**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
+
+For example:
+
+    $ knife encrypted attribute update ftp.example.com myapp.ftp_password \
+        --client-search admin:true \
+        --node-search role:webapp \
+        -U bob -U alice
+
+## knife encrypted attribute edit
+
+Edits an existing encrypted attribute. The attribute must exist.
+
+    $ knife encrypted attribute edit NODE ATTRIBUTE (options)
+
+If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
+
+**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
+
+For example:
+
+    $ export EDITOR=vi
+    $ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
+        --client-search admin:true \
+        --node-search role:webapp \
+        -U bob -U alice
+
+## knife encrypted attribute delete
+
+Deletes an existing attribute. If you have no privileges to read it, you must use the `--force` flag.
+
+    $ knife encrypted attribute delete NODE ATTRIBUTE (options)
+
+For example:
+
+    $ knife encrypted attribute delete ftp.example.com myapp.ftp_password --force
+
+## Knife Options
+
+<table>
+  <tr>
+    <th>Short</th>
+    <th>Long</th>
+    <th>Description</th>
+    <th>Valid Values</th>
+    <th>Sub-Commands</th>
+  </tr>
+  <tr>
+    <td>&nbsp;</td>
+    <td>--encrypted-attribute-version</td>
+    <td>Encrypted Attribute protocol version to use</td>
+    <td>"0", "1" <em>(default)</em>, "2"</td>
+    <td>create, edit, update</td>
+  </tr>
+  <tr>
+    <td>-P</td>
+    <td>--disable-partial-search</td>
+    <td>Disable partial search</td>
+    <td>&nbsp;</td>
+    <td>create, edit, update</td>
+  </tr>
+  <tr>
+    <td>-C</td>
+    <td>--client-search</td>
+    <td>Client search query. Can be specified multiple times</td>
+    <td>&nbsp;</td>
+    <td>create, edit, update</td>
+  </tr>
+  <tr>
+    <td>-N</td>
+    <td>--node-search</td>
+    <td>Node search query. Can be specified multiple times</td>
+    <td>&nbsp;</td>
+    <td>create, edit, update</td>
+  </tr>
+  <tr>
+    <td>-U</td>
+    <td>--user</td>
+    <td>User name to allow access to. Can be specified multiple times</td>
+    <td>&nbsp;</td>
+    <td>create, edit, update</td>
+  </tr>
+  <tr>
+    <td>-i</td>
+    <td>--input-format</td>
+    <td>Input (<em>EDITOR</em>) format</td>
+    <td>"plain" <em>(default)</em>, "json"</td>
+    <td>create, edit</td>
+  </tr>
+  <tr>
+    <td>-f</td>
+    <td>--force</td>
+    <td>Force the attribute deletion even if you cannot read it</td>
+    <td>&nbsp;</td>
+    <td>delete</td>
+  </tr>
+</table>

data/README.md

@@ -1,12 +1,14 @@
 # Chef-Encrypted-Attributes
 [![Gem Version](http://img.shields.io/gem/v/chef-encrypted-attributes.svg?style=flat)](http://badge.fury.io/rb/chef-encrypted-attributes)
 [![Dependency Status](http://img.shields.io/gemnasium/onddo/chef-encrypted-attributes.svg?style=flat)](https://gemnasium.com/onddo/chef-encrypted-attributes)
-[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes/0.3.0.svg?style=flat)](https://travis-ci.org/onddo/chef-encrypted-attributes)
-[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes/0.3.0.svg?style=flat)](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.3.0)
+[![Code Climate](http://img.shields.io/codeclimate/github/onddo/chef-encrypted-attributes.svg?style=flat)](https://codeclimate.com/github/onddo/chef-encrypted-attributes)
+[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes/0.4.0.svg?style=flat)](https://travis-ci.org/onddo/chef-encrypted-attributes)
+[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes/0.4.0.svg?style=flat)](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.4.0)
+[![Inline docs](http://inch-ci.org/github/onddo/chef-encrypted-attributes.svg?branch=0.4.0&style=flat)](http://inch-ci.org/github/onddo/chef-encrypted-attributes)
 
-[Chef](http://www.getchef.com) plugin to add Node encrypted attributes support using client keys.
+[Chef](https://www.chef.io/) plugin to add Node encrypted attributes support using client keys.
 
-We recommend using the [encrypted_attributes cookbook](http://community.opscode.com/cookbooks/encrypted_attributes) for easy installation.
+We recommend using the [`encrypted_attributes`](https://supermarket.chef.io/cookbooks/encrypted_attributes) cookbook for easy installation.
 
 ## Description
 
@@ -18,7 +20,7 @@ Node attributes are encrypted using chef client and user keys with public key in
 
 * Ruby `>= 1.9`
 * Chef Client `~> 11.4`
-* yajl-ruby `~> 1.1` (included with Chef)
+* ffi_yajl `~> 1.0` (included with Chef)
 * If you want to use protocol version 2 to use [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) (disabled by default):
  * Ruby `>= 2`.
  * OpenSSL `>= 1.0.1`.
@@ -30,8 +32,8 @@ Node attributes are encrypted using chef client and user keys with public key in
 You need to install and include the `chef-encrypted-attributes` gem before using encrypted attributes inside a cookbook.
 
 ```ruby
-chef_gem "chef-encrypted-attributes"
-require "chef-encrypted-attributes"
+chef_gem 'chef-encrypted-attributes'
+require 'chef/encrypted_attributes'
 ```
 
 ### Typical Example
@@ -39,62 +41,70 @@ require "chef-encrypted-attributes"
 In the following example we save a simple FTP user password.
 
 ```ruby
-chef_gem "chef-encrypted-attributes"
-require "chef-encrypted-attributes"
+chef_gem 'chef-encrypted-attributes'
+require 'chef/encrypted_attributes'
 
-Chef::Recipe.send(:include, Opscode::OpenSSL::Password) # include the #secure_password method
+# include the #secure_password method
+Chef::Recipe.send(:include, Opscode::OpenSSL::Password)
 
-if Chef::EncryptedAttribute.exist?(node["myapp"]["ftp_password"])
+if Chef::EncryptedAttribute.exist?(node['myapp']['ftp_password'])
   # update with the new keys
-  Chef::EncryptedAttribute.update(node.set["myapp"]["ftp_password"])
+  Chef::EncryptedAttribute.update(node.set['myapp']['ftp_password'])
 
   # read the password
-  ftp_pass = Chef::EncryptedAttribute.load(node["myapp"]["ftp_password"])
+  ftp_pass = Chef::EncryptedAttribute.load(node['myapp']['ftp_password'])
 else
   # create the password and save it
   ftp_pass = secure_password
-  node.set["myapp"]["ftp_password"] = Chef::EncryptedAttribute.create(ftp_pass)
+  node.set['myapp']['ftp_password'] = Chef::EncryptedAttribute.create(ftp_pass)
 end
 
 # use `ftp_pass` for something here ...
 ```
 
-**Note:** This example requires the [openssl](http://community.opscode.com/cookbooks/openssl) cookbook.
+**Note:** This example requires the [`openssl`](https://supermarket.chef.io/cookbooks/openssl) cookbook.
 
 ### Minimal Write Only Example
 
 In this example we only need to save some data from the local node and read it from another:
 
 ```ruby
-chef_gem "chef-encrypted-attributes"
-require "chef-encrypted-attributes"
+chef_gem 'chef-encrypted-attributes'
+require 'chef/encrypted_attributes'
 
 # Allow all admin clients to read the attributes encrypted by me
-Chef::Config[:encrypted_attributes][:client_search] = "admin:true"
+Chef::Config[:encrypted_attributes][:client_search] = 'admin:true'
 
 # Allow all webapp nodes to read the attributes encrypted by me
-Chef::Config[:encrypted_attributes][:node_search] = "role:webapp"
+Chef::Config[:encrypted_attributes][:node_search] = 'role:webapp'
 
-if Chef::EncryptedAttribute.exist?(node["myapp"]["encrypted_data"])
-  # when can used #load here as above if we need the `encrypted_data` outside this `if`
+if Chef::EncryptedAttribute.exist?(node['myapp']['encrypted_data'])
+  # when can used #load here as above if we need the `encrypted_data` outside
+  # this `if`
 
   # update with the new keys
-  Chef::EncryptedAttribute.update(node.set["myapp"]["encrypted_data"])
+  Chef::EncryptedAttribute.update(node.set['myapp']['encrypted_data'])
 else
   # create the data, encrypt and save it
   data_to_encrypt = # ....
-  node.set["myapp"]["encrypted_data"] = Chef::EncryptedAttribute.create(data_to_encrypt)
+  node.set['myapp']['encrypted_data'] =
+    Chef::EncryptedAttribute.create(data_to_encrypt)
 end
 ```
 
-Then we can read this attribute from another allowed node (a `"role:webapp"` node):
+Then we can read this attribute from another allowed node (a `'role:webapp'` node):
 
 ```ruby
-chef_gem "chef-encrypted-attributes"
-require "chef-encrypted-attributes"
+include_recipe 'encrypted_attributes'
+# Expose the public key for encryption
+include_recipe 'encrypted_attributes::expose_key'
 
-if Chef::EncryptedAttribute.exist_on_node?("random.example.com", ["myapp", "encrypted_data"])
-  data = Chef::EncryptedAttribute.load_from_node("random.example.com", ["myapp", "encrypted_data"])
+if Chef::EncryptedAttribute.exist_on_node?(
+     'random.example.com', %w(myapp encrypted_data)
+   )
+  data = Chef::EncryptedAttribute.load_from_node(
+    'random.example.com', %w(myapp encrypted_data)
+  )
 
   # use `data` for something here ...
 end
@@ -104,7 +114,7 @@ end
 
 ### Example Using User Keys Data Bag
 
-Suppose we want to store users public keys in a data bag and give them access to the attributes. This can be a workaround for the [Chef Users Limitation](README.md#chef-users-limitation) problem.
+Suppose we want to store users public keys in a data bag and give them access to the attributes. This can be a workaround for the [Chef Users Limitation](#chef-user-keys-access-limitation) problem.
 
 You need to create a Data Bag Item with a content similar to the following:
 
@@ -121,13 +131,16 @@ This data bag will contain the user public keys retrieved with `knife user show
 Then, from a recipe, you can read this user keys and allow them to read the attributes.
 
 ```ruby
-chef_gem "chef-encrypted-attributes"
-require "chef-encrypted-attributes"
+chef_gem 'chef-encrypted-attributes'
+require 'chef/encrypted_attributes'
 
-chef_users = Chef::DataBagItem.load("global_data_bag", "chef_users")
-chef_users.delete("id") # remove the data bag "id" to avoid to confuse it with a user
+chef_users = Chef::DataBagItem.load('global_data_bag', 'chef_users')
+# remove the data bag "id" to avoid to confuse it with a user:
+chef_users.delete('id')
 
-Chef::Log.debug("Admin users able to read the Encrypted Attributes: #{chef_users.keys.inspect}")
+Chef::Log.debug(
+  "Chef Users able to read the Encrypted Attributes: #{chef_users.keys.inspect}"
+)
 Chef::Config[:encrypted_attributes][:keys] = chef_users.values
 
 # if Chef::EncryptedAttribute.exist?(...)
@@ -141,185 +154,50 @@ Chef::Config[:encrypted_attributes][:keys] = chef_users.values
 
 ## Chef::EncryptedAttribute API
 
-See the [API.md](API.md) file for a more detailed documentation about `Chef::EncryptedAttribute` class and its methods.
+See the [API documentation](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/API.html) for a more detailed information about `Chef::EncryptedAttribute` class and its methods.
 
-## Chef Users Limitation
+## Chef User Keys Access Limitation
 
 Keep in mind that, from a Chef Node, *Chef User* *public keys* are inaccessible. So you have to pass them in raw mode in the recipe if you need any *Chef User* to be able to use the encrypted attributes (this is **required for** example to use the **knife commands** included in this gem, as knife is usually used by *Chef Users*). Summarizing, Chef Node inside a recipe (using its *Chef Client* key) will not be able to retrieve the *Chef Users* *public keys*, so you need to pass them using the `[:keys]` configuration value.
 
 Chef Nodes (Clients) with *admin* privileges do have access to user public keys, but in most cases this is not a recommended practice.
 
-*Chef Client* *public keys* do not have this problem, you can retrieve them from any place without limitation. You can use knife with an *Chef Admin Client* instead of a *Chef Admin User* key, but this is not common.
-
-See the [Example Using User Keys Data Bag](README.md#example-using-user-keys-data-bag) section for a workaround.
+See the [Example Using User Keys Data Bag](#example-using-user-keys-data-bag) section for a workaround. You can use the [`encrypted_attributes::users_data_bag`](https://supermarket.chef.io/cookbooks/encrypted_attributes#encrypted_attributes::users_data_bag) recipe for this.
 
 **Note:** *Chef Clients* usually are Chef Nodes and *chef-validation*/*chef-webui* keys. *Chef Users* usually are knife users. The main difference between *Chef Users* and *Chef Clients* is that the former are able to log in via *web-ui* (has a password).
 
-## Knife Commands
-
-There are multiple commands to read, create and modify the encrypted attributes. All the commands will grant access privileges to the affected node by default (encrypted attributes are written in Node Attributes). But you will not be allowed to access them by default, so remember to give your own knife user privileges before creating or saving the attribute.
-
-The `ATTRIBUTE` name must be specified using *dots* notation. For example, for `node['encrypted']['attribute']`, you must specify `"encrypted.attribute"` as knife argument. If the attribute key has a *dot* in its name, you must escape it. For example: `"encrypted.attribute\.with\.dots"`.
-
-Read the [Chef Users Limitation](README.md#chef-users-limitation) caveat before trying to use any knife command.
-
-### Installing the Required Gem
-
-You need to install the `chef-encrypted-attributes` gem before using this knife commands.
-
-    $ gem install chef-encrypted-attributes
-
-### knife.rb
-
-Some configuration values can be set in your local `knife.rb` configuration file inside the `knife[:encrypted_attributes]` configuraiton space. For example:
-
-```ruby
-knife[:encrypted_attributes][:users] = '*' # allow access to all knife users
-```
-
-See the [API Configuration](API.md#configuration) section for more configuration values.
-
-### knife encrypted attribute show
-
-Shows the decrypted attribute content.
-
-    $ knife encrypted attribute show NODE ATTRIBUTE (options)
-
-For example:
-
-    $ knife encrypted attribute show ftp.example.com myapp.ftp_password
+## Chef Client Keys Access Limitation
 
-### knife encrypted attribute create
+*Chef Client* *public keys* has a [similar problem to the user keys](#chef-user-keys-access-limitation), you cannot retrieve them from a Chef Node.
 
-Creates an encrypted attribute in a node. The attribute cannot already exist.
+To fix this limitation you should expose de *Chef Client* *public key* in the `node['public_key']` attribute. You can include the [`encrypted_attributes::expose_key`](https://supermarket.chef.io/cookbooks/encrypted_attributes#encrypted_attributes::expose_key) recipe for this. You need to include this recipe in the *Chef Nodes* that require read privileges on the encrypted attributes.
 
-    $ knife encrypted attribute create NODE ATTRIBUTE (options)
+Exposing the public key through attributes should not be considered a security breach, so it's not a problem to include it on all machines.
 
-If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
-
-For example:
-
-    $ export EDITOR=vi
-    $ knife encrypted attribute create ftp.example.com myapp.ftp_password \
-        -U bob -U alice
-
-### knife encrypted attribute update
-
-Updates who can read the attribute (for `:client_search` and `:node_search` changes).
-
-    $ knife encrypted attribute update NODE ATTRIBUTE (options)
-
-**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
-
-For example:
-
-    $ knife encrypted attribute update ftp.example.com myapp.ftp_password \
-        --client-search admin:true \
-        --node-search role:webapp \
-        -U bob -U alice
-
-### knife encrypted attribute edit
-
-Edits an existing encrypted attribute. The attribute must exist.
-
-    $ knife encrypted attribute edit NODE ATTRIBUTE (options)
-
-If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
-
-**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
-
-For example:
-
-    $ export EDITOR=vi
-    $ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
-        --client-search admin:true \
-        --node-search role:webapp \
-        -U bob -U alice
-
-### knife encrypted attribute delete
-
-Deletes an existing attribute. If you have no privileges to read it, you must use the `--force` flag.
+## Knife Commands
 
-    $ knife encrypted attribute delete NODE ATTRIBUTE (options)
+See the [KNIFE.md](http://www.rubydoc.info/gems/chef-encrypted-attributes/file/KNIFE.md) file.
 
-For example:
+## Internal Low Level Documentation
 
-    $ knife encrypted attribute delete ftp.example.com myapp.ftp_password --force
+The cryptographic systems used are documented in the following classes:
 
-### Knife Options
+* [EncryptedMash](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash)
+ * [EncryptedMash::Version0](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash/Version0)
+ * [EncryptedMash::Version1](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash/Version1)
+ * [EncryptedMash::Version2](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash/Version2)
 
-<table>
-  <tr>
-    <th>Short</th>
-    <th>Long</th>
-    <th>Description</th>
-    <th>Valid Values</th>
-    <th>Sub-Commands</th>
-  </tr>
-  <tr>
-    <td>&nbsp;</td>
-    <td>--encrypted-attribute-version</td>
-    <td>Encrypted Attribute protocol version to use</td>
-    <td>"0", "1" <em>(default)</em>, "2"</td>
-    <td>create, edit, update</td>
-  </tr>
-  <tr>
-    <td>-P</td>
-    <td>--disable-partial-search</td>
-    <td>Disable partial search</td>
-    <td>&nbsp;</td>
-    <td>create, edit, update</td>
-  </tr>
-  <tr>
-    <td>-C</td>
-    <td>--client-search</td>
-    <td>Client search query. Can be specified multiple times</td>
-    <td>&nbsp;</td>
-    <td>create, edit, update</td>
-  </tr>
-  <tr>
-    <td>-N</td>
-    <td>--node-search</td>
-    <td>Node search query. Can be specified multiple times</td>
-    <td>&nbsp;</td>
-    <td>create, edit, update</td>
-  </tr>
-  <tr>
-    <td>-U</td>
-    <td>--user</td>
-    <td>User name to allow access to. Can be specified multiple times</td>
-    <td>&nbsp;</td>
-    <td>create, edit, update</td>
-  </tr>
-  <tr>
-    <td>-i</td>
-    <td>--input-format</td>
-    <td>Input (<em>EDITOR</em>) format</td>
-    <td>"plain" <em>(default)</em>, "json"</td>
-    <td>create, edit</td>
-  </tr>
-  <tr>
-    <td>-f</td>
-    <td>--force</td>
-    <td>Force the attribute deletion even if you cannot read it</td>
-    <td>&nbsp;</td>
-    <td>delete</td>
-  </tr>
-</table>
-
-## Internal Documentation
-
-See the [INTERNAL.md](INTERNAL.md) file for a more low level documentation.
+See the [official gem documentation](http://www.rubydoc.info/gems/chef-encrypted-attributes/) for more information.
 
 ## Using Signed Gems
 
 The `chef-encrypted-attributes` gem is cryptographically signed by Onddo Labs's certificate, which identifies as *team@onddo.com*. You can obtain the official signature here:
 
-    https://raw.github.com/onddo/chef-encrypted-attributes/master/certs/team_onddo.crt
+    https://raw.github.com/onddo/chef-encrypted-attributes/0.4.0/certs/team_onddo.crt
 
 To be sure the gem you install has not been tampered with:
 
-    $ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/master/certs/team_onddo.crt)
+    $ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/0.4.0/certs/team_onddo.crt)
     $ gem install chef-encrypted-attributes -P MediumSecurity
 
 The *MediumSecurity* trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of `chef-encrypted-attributes`'s dependencies are signed, so we cannot use *HighSecurity*.
@@ -330,7 +208,7 @@ We recommend to remove our certificate after the gem has been successfully verif
 
 ## Security Notes
 
-All the cryptographic systems and algorithms used by `chef-encrypted-attributes` are carefully described in the [internal documentation](INTERNAL.md) for public review. The code was originally based on *Encrypted Data Bags* and [chef-vault](https://github.com/Nordstrom/chef-vault) implementations, then improved.
+All the cryptographic systems and algorithms used by `chef-encrypted-attributes` are carefully described in the [internal documentation](#internal-low-level-documentation) for public review. The code was originally based on *Encrypted Data Bags* and [chef-vault](https://github.com/Nordstrom/chef-vault) implementations, then improved.
 
 Still, this gem should be considered experimental until audited by professional cryptographers.
 
@@ -338,7 +216,7 @@ Still, this gem should be considered experimental until audited by professional
 
 If you have discovered a bug in `chef-encrypted-attributes` of a sensitive nature, i.e.  one which can compromise the security of `chef-encrypted-attributes` users, you can report it securely by sending a GPG encrypted message. Please use the following key:
 
-    https://raw.github.com/onddo/chef-encrypted-attributes/master/zuazo.gpg
+    https://raw.github.com/onddo/chef-encrypted-attributes/0.4.0/zuazo.gpg
 
 The key fingerprint is (or should be):
 
@@ -346,17 +224,17 @@ The key fingerprint is (or should be):
 
 ## Testing
 
-See [TESTING.md](TESTING.md).
+See [TESTING.md]((https://github.com/onddo/chef-encrypted-attributes/blob/master/TESTING.md).
 
 ## Contributing
 
 Please do not hesitate to [open an issue](https://github.com/onddo/chef-encrypted-attributes/issues/new) with any questions or problems.
 
-See [CONTRIBUTING.md](CONTRIBUTING.md).
+See [CONTRIBUTING.md](https://github.com/onddo/chef-encrypted-attributes/blob/master/CONTRIBUTING.md).
 
 ## TODO
 
-See [TODO.md](TODO.md).
+See [TODO.md](https://github.com/onddo/chef-encrypted-attributes/blob/master/TODO.md).
 
 ## License and Author