chef-vault 1.0.0

data/.gitignore

@@ -0,0 +1 @@
+*.gem

data/README.rdoc

@@ -0,0 +1,100 @@
+
+= Chef-Vault
+
+= DESCRIPTION:
+
+Gem that allows you to encrypt passwords & certificates using the public key of
+a list of chef nodes.  This allows only those chef nodes to decrypt the 
+password or certificate.
+
+= INSTALLATION:
+
+Be sure you are running the latest version Chef. Versions earlier than 0.10.0
+don't support plugins:
+
+    gem install chef
+
+This plugin is distributed as a Ruby Gem. To install it, run:
+
+    gem install chef-vault
+
+Depending on your system's configuration, you may need to run this command with 
+root privileges.
+
+= CONFIGURATION:
+
+= KNIFE COMMANDS:
+
+This plugin provides the following Knife subcommands.  
+Specific command options can be found by invoking the subcommand with a 
+<tt>--help</tt> flag
+
+== knife encrypt password
+
+Use this knife command to encrypt the username and password that you want to
+protect.
+
+knife encrypt password --search SEARCH --username USERNAME --password PASSWORD --admins ADMINS
+
+== knife decrypt password
+
+Use this knife command to dencrypt the password that is protected
+
+knife decrypt password --username USERNAME
+
+== knife encrypt cert
+
+Use this knife command to encrypt the contents of a certificate that you want
+to protect.
+
+knife encrypt cert --search SEARCH --cert CERT --password PASSWORD --name NAME --admins ADMINS
+
+== knife decrypt cert
+
+Use this knife command to dencrypt the certificate that is protected
+
+knife decrypt cert --name NAME
+
+= USAGE IN RECIPES
+
+To use this gem in a recipe to decrypt data you must first install the gem
+via a chef_gem resource.  Once the gem is installed require the gem and then
+you can create a new instance of ChefVault.
+
+== Example Code (password)
+
+  chef_gem "chef-vault"
+
+  require 'chef-vault'
+
+  vault = ChefVault.new("passwords")
+  user = vault.user("Administrator")
+  password = user.decrypt_password
+
+== Example Code (certificate)
+
+  chef_gem "chef-vault"
+
+  require 'chef-vault'
+
+  vault = ChefVault.new("certs")
+  cert = vault.certificate("domain.com")
+  contents = cert.decrypt_contents
+
+= LICENSE:
+
+Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
+Copyright:: Copyright (c) 2013 Nordstrom, Inc.
+License:: Apache License, Version 2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/chef-vault.gemspec

@@ -0,0 +1,17 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "chef-vault/version"
+
+Gem::Specification.new do |s|
+  s.name             = "chef-vault"
+  s.version          = ChefVault::VERSION
+  s.has_rdoc         = true
+  s.authors          = ["Kevin Moser"]
+  s.email            = ["kevin.moser@nordstrom.com"]
+  s.summary          = "Data encryption support for chef using data bags"
+  s.description      = s.summary
+  
+  s.files            = `git ls-files`.split("\n")
+  s.add_dependency "chef", ">= 0.10.10"
+  s.require_paths = ["lib"]
+end

data/lib/chef-vault.rb

@@ -0,0 +1,43 @@
+#
+# Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
+#
+# Copyright:: 2013, Nordstrom, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef'
+require 'chef-vault/user'
+require 'chef-vault/certificate'
+require 'chef-vault/version'
+
+class ChefVault
+
+  attr_accessor :data_bag
+
+  def initialize(data_bag)
+    @data_bag = data_bag
+  end
+
+  def version
+    VERSION
+  end
+
+  def user(username)
+    ChefVault::User.new(@data_bag, username)
+  end
+
+  def certificate(name)
+    ChefVault::Certificate.new(@data_bag, name)
+  end
+end

data/lib/chef-vault/certificate.rb

@@ -0,0 +1,27 @@
+class ChefVault
+  class Certificate
+    attr_accessor :name
+
+    def initialize(data_bag, name)
+      @name = name
+      @data_bag = data_bag
+    end
+
+    def decrypt_contents
+      # use the private client_key file to create a decryptor
+      private_key = open(Chef::Config[:client_key]).read
+      private_key = OpenSSL::PKey::RSA.new(private_key)
+      keys = Chef::DataBagItem.load(@data_bag, "#{name}_keys")
+
+      unless keys[Chef::Config[:node_name]]
+        throw "#{name} is not encrypted for you!  Rebuild the certificate data bag"
+      end
+
+      node_key = Base64.decode64(keys[Chef::Config[:node_name]])
+      shared_secret = private_key.private_decrypt(node_key)
+      certificate = Chef::EncryptedDataBagItem.load(@data_bag, @name, shared_secret)
+
+      certificate["contents"]
+    end
+  end
+end

data/lib/chef-vault/user.rb

@@ -0,0 +1,27 @@
+class ChefVault
+  class User
+    attr_accessor :username
+
+    def initialize(data_bag, username)
+      @username = username
+      @data_bag = data_bag
+    end
+
+    def decrypt_password
+      # use the private client_key file to create a decryptor
+      private_key = open(Chef::Config[:client_key]).read
+      private_key = OpenSSL::PKey::RSA.new(private_key)
+      keys = Chef::DataBagItem.load(@data_bag, "#{username}_keys")
+
+      unless keys[Chef::Config[:node_name]]
+        throw "Password for #{username} is not encrypted for you!  Rebuild the password data bag"
+      end
+
+      node_key = Base64.decode64(keys[Chef::Config[:node_name]])
+      shared_secret = private_key.private_decrypt(node_key)
+      cred = Chef::EncryptedDataBagItem.load(@data_bag, @username, shared_secret)
+
+      cred["password"]
+    end
+  end
+end

data/lib/chef-vault/version.rb

@@ -0,0 +1,4 @@
+class ChefVault
+  VERSION = "1.0.0"
+  MAJOR, MINOR, TINY = VERSION.split('.')
+end

data/lib/chef/knife/DecryptCert.rb

@@ -0,0 +1,43 @@
+require 'chef/knife'
+
+class DecryptCert < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require 'chef/shef/ext'
+    require 'json'
+  end
+
+  banner "knife decrypt cert --name NAME"
+
+  option :name,
+    :short => '-N NAME',
+    :long => '--name NAME',
+    :description => 'Certificate data bag name' 
+
+  def run
+    unless config[:name]
+      puts("You must supply a certificate to decrypt")
+      exit 1
+    end
+    Shef::Extensions.extend_context_object(self)
+
+    data_bag = "certs"
+    data_bag_path = "./data_bags/#{data_bag}"
+
+    name = config[:name].gsub(".", "_")
+
+    user_private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+    key = JSON.parse(IO.read("#{data_bag_path}/#{name}_keys.json"))
+    unless key[Chef::Config[:node_name]]
+      puts("Can't find a key for #{Chef::Config[:node_name]}...  You can't decrypt!")
+      exit 1
+    end
+
+    data_bag_shared_key = user_private_key.private_decrypt(Base64.decode64(key[Chef::Config[:node_name]]))
+
+    certificate = JSON.parse(open("#{data_bag_path}/#{name}.json").read())
+    certificate = Chef::EncryptedDataBagItem.new certificate, data_bag_shared_key
+
+    puts("certificate:\n#{certificate['contents']}")
+  end
+end

data/lib/chef/knife/DecryptPassword.rb

@@ -0,0 +1,42 @@
+require 'chef/knife'
+
+class DecryptPassword < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require 'chef/shef/ext'
+    require 'json'
+  end
+
+  banner "knife decrypt password --username USERNAME"
+
+  option :username,
+    :short => '-U USERNAME',
+    :long => '--username USERNAME',
+    :description => 'username of account to encrypt' 
+
+  def run
+    unless config[:username]
+      puts("You must supply a username to decrypt")
+      exit 1
+    end
+    Shef::Extensions.extend_context_object(self)
+
+    data_bag_path = "./data_bags/passwords"
+
+    username = config[:username]
+
+    user_private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+    key = JSON.parse(IO.read("#{data_bag_path}/#{username}_keys.json"))
+    unless key[Chef::Config[:node_name]]
+      puts("Can't find a key for #{Chef::Config[:node_name]}...  You can't decrypt!")
+      exit 1
+    end
+
+    data_bag_shared_key = user_private_key.private_decrypt(Base64.decode64(key[Chef::Config[:node_name]]))
+
+    credential = JSON.parse(open("#{data_bag_path}/#{username}.json").read())
+    credential = Chef::EncryptedDataBagItem.new credential, data_bag_shared_key
+
+    puts("username: #{credential['username']}, password: #{credential['password']}")
+  end
+end

data/lib/chef/knife/EncryptCert.rb

@@ -0,0 +1,165 @@
+require 'chef/knife'
+
+class EncryptCert < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require 'chef/shef/ext'
+  end
+
+  banner "knife encrypt cert --search SEARCH --cert CERT --password PASSWORD --name NAME --admins ADMINS"
+
+  option :search,
+    :short => '-S SEARCH',
+    :long => '--search SEARCH',
+    :description => 'node search for nodes to encrypt to' 
+
+  option :cert,
+    :short => '-C CERT',
+    :long => '--cert CERT',
+    :description => 'cert with contents to encrypt'
+
+  option :admins,
+    :short => '-A ADMINS',
+    :long => '--admins ADMINS',
+    :description => 'administrators who can decrypt certificate'
+
+  option :password,
+    :short => '-P PASSWORD',
+    :long => '--password PASSWORD',
+    :description => 'optional pfx password' 
+
+  option :name,
+    :short => '-N NAME',
+    :long => '--name NAME',
+    :description => 'optional data bag name' 
+
+  def run
+    unless config[:search]
+      puts("You must supply either -S or --search")
+      exit 1
+    end
+    unless config[:cert]
+      puts("You must supply either -C or --cert")
+      exit 1
+    end
+    unless config[:admins]
+      puts("You must supply either -A or --admins")
+      exit 1
+    end
+    Shef::Extensions.extend_context_object(self)
+
+    data_bag = "certs"
+    data_bag_path = "./data_bags/#{data_bag}"
+
+    node_search = config[:search]
+    admins = config[:admins]
+    file_to_encrypt = config[:cert]
+    contents = open(file_to_encrypt, "rb").read
+    name = config[:name] ? config[:name].gsub(".", "_") : File.basename(file_to_encrypt, ".*").gsub(".", "_")
+    
+    current_dbi = Hash.new
+    current_dbi_keys = Hash.new
+    if File.exists?("#{data_bag_path}/#{name}_keys.json") && File.exists?("#{data_bag_path}/#{name}.json")
+      current_dbi_keys = JSON.parse(open("#{data_bag_path}/#{name}_keys.json").read())
+      current_dbi = JSON.parse(open("#{data_bag_path}/#{name}.json").read())
+
+      unless equal?(data_bag, name, "contents", contents)
+        puts("FATAL: Content in #{data_bag_path}/#{name}.json does not match content in file supplied!")
+        exit 1
+      end
+    else
+      puts("INFO: Existing data bag #{data_bag}/#{name} does not exist in #{data_bag_path}, continuing as fresh build...")
+    end
+
+    # Get the public keys for all of the nodes to encrypt for.  Skipping the nodes that are already in
+    # the data bag
+    keyfob = Hash.new
+    public_keys = search(:node, node_search).map(&:name).map do |client|
+      begin
+        if current_dbi_keys[client]
+          puts("INFO: Skipping #{client} as it is already in the data bag...")
+        else
+          puts("INFO: Adding #{client} to public_key array...")
+          cert_der = api.get("clients/#{client}")['certificate']
+          cert = OpenSSL::X509::Certificate.new cert_der
+          keyfob[client]=OpenSSL::PKey::RSA.new cert.public_key
+        end
+      rescue Exception => node_error
+        puts("WARNING: Caught exception: #{node_error.message} while processing #{client}, so skipping...")
+      end
+    end
+    
+    # Get the public keys for the admin users, skipping users already in the data bag
+    public_keys << admins.split(",").map do |user|
+      begin
+        if current_dbi_keys[user]
+          puts("INFO: Skipping #{user} as it is already in the data bag")
+        else
+          puts("INFO: Adding #{user} to public_key array...")
+          public_key = api.get("users/#{user}")['public_key']
+          keyfob[user] = OpenSSL::PKey::RSA.new public_key
+        end
+      rescue Exception => user_error
+        puts("WARNING: Caught exception: #{user_error.message} while processing #{user}, so skipping...")
+      end
+    end
+
+    if public_keys.length == 0
+      puts "A node search for #{node_search} returned no results" 
+      exit 1
+    end
+
+    # Get the current secret, is nil if current secret does not exist yet
+    current_secret = get_shared_secret(data_bag, name)
+    data_bag_shared_key = current_secret ? current_secret : OpenSSL::PKey::RSA.new(245).to_pem.lines.to_a[1..-2].join
+    enc_db_key_dbi = current_dbi_keys.empty? ? Mash.new({id: "#{name}_keys"}) : current_dbi_keys
+
+    # Encrypt for every new node not already in the data bag
+    keyfob.each do |node,pkey|
+      puts("INFO: Encrypting for #{node}...")
+      enc_db_key_dbi[node] = Base64.encode64(pkey.public_encrypt(data_bag_shared_key))
+    end unless keyfob.empty?
+
+    # Delete existing keys data bag and rewrite the whole bag from memory
+    puts("INFO: Writing #{data_bag_path}/#{name}_keys.json...")
+    File.delete("#{data_bag_path}/#{name}_keys.json") if File.exists?("#{data_bag_path}/#{name}_keys.json")
+    File.open("#{data_bag_path}/#{name}_keys.json",'w').write(JSON.pretty_generate(enc_db_key_dbi))
+
+    # If the existing certificate bag does not exist, write it out with the correct certificate
+    # Otherwise leave the existing bag alone
+    if current_dbi.empty?
+      dbi_mash = Mash.new({id: name, contents: contents})
+      dbi_mash.merge!({password: config[:password]}) if config[:password]
+      dbi = Chef::DataBagItem.from_hash(dbi_mash)
+      edbi = Chef::EncryptedDataBagItem.encrypt_data_bag_item(dbi, data_bag_shared_key)
+
+      puts("INFO: Writing #{data_bag_path}/#{name}.json...")
+      open("#{data_bag_path}/#{name}.json",'w').write(JSON.pretty_generate(edbi))
+    end
+
+    puts("INFO: Successfully wrote #{data_bag_path}/#{name}.json & #{data_bag_path}/#{name}_keys.json!")
+  end
+
+  def equal?(db, dbi, key, value)
+    data_bag_path = "./data_bags/#{db}"
+
+    shared_secret = get_shared_secret(db, dbi)
+    dbi = JSON.parse(open("#{data_bag_path}/#{dbi}.json").read())
+    dbi = Chef::EncryptedDataBagItem.new dbi, shared_secret
+
+    dbi[key] == value
+  end
+
+  def get_shared_secret(db, dbi)
+    data_bag_path = "./data_bags/#{db}"
+
+    private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+    key = File.exists?("#{data_bag_path}/#{dbi}_keys.json") ? JSON.parse(open("#{data_bag_path}/#{dbi}_keys.json").read()) : nil
+    
+    begin      
+      private_key.private_decrypt(Base64.decode64(key[Chef::Config[:node_name]]))
+    rescue
+      nil
+    end
+  end
+end

data/lib/chef/knife/EncryptPassword.rb

@@ -0,0 +1,161 @@
+require 'chef/knife'
+
+class EncryptPassword < Chef::Knife
+  deps do
+    require 'chef/search/query'
+    require 'chef/shef/ext'
+  end
+
+  banner "knife encrypt password --search SEARCH --username USERNAME --password PASSWORD --admins ADMINS"
+
+  option :search,
+    :short => '-S SEARCH',
+    :long => '--search SEARCH',
+    :description => 'node search for nodes to encrypt for' 
+
+  option :username,
+    :short => '-U USERNAME',
+    :long => '--username USERNAME',
+    :description => 'username of account to encrypt' 
+
+  option :password,
+    :short => '-P PASSWORD',
+    :long => '--password PASSWORD',
+    :description => 'password of account to encrypt'
+
+  option :admins,
+    :short => '-A ADMINS',
+    :long => '--admins ADMINS',
+    :description => 'administrators who can decrypt password'
+
+  def run
+    unless config[:search]
+      puts("You must supply either -S or --search")
+      exit 1
+    end
+    unless config[:username]
+      puts("You must supply either -U or --username")
+      exit 1
+    end
+    unless config[:password]
+      puts("You must supply either -P or --password")
+      exit 1
+    end
+    unless config[:admins]
+      puts("You must supply either -A or --admins")
+      exit 1
+    end
+    Shef::Extensions.extend_context_object(self)
+
+    data_bag = "passwords"
+    data_bag_path = "./data_bags/#{data_bag}"
+
+    node_search = config[:search]
+    admins = config[:admins]
+    username = config[:username]
+    password = config[:password]
+    current_dbi = Hash.new
+    current_dbi_keys = Hash.new
+    if File.exists?("#{data_bag_path}/#{username}_keys.json") && File.exists?("#{data_bag_path}/#{username}.json")
+      current_dbi_keys = JSON.parse(open("#{data_bag_path}/#{username}_keys.json").read())
+      current_dbi = JSON.parse(open("#{data_bag_path}/#{username}.json").read())
+
+      unless equal?(data_bag, username, "password", password)
+        puts("FATAL: Password in #{data_bag_path}/#{username}.json does not match password supplied!")
+        exit 1
+      end
+    else
+      puts("INFO: Existing data bag #{data_bag}/#{username} does not exist in #{data_bag_path}, continuing as fresh build...")
+    end
+
+    # Get the public keys for all of the nodes to encrypt for.  Skipping the nodes that are already in
+    # the data bag
+    keyfob = Hash.new
+    public_keys = search(:node, node_search).map(&:name).map do |client|
+      begin
+        if current_dbi_keys[client]
+          puts("INFO: Skipping #{client} as it is already in the data bag...")
+        else
+          puts("INFO: Adding #{client} to public_key array...")
+          cert_der = api.get("clients/#{client}")['certificate']
+          cert = OpenSSL::X509::Certificate.new cert_der
+          keyfob[client]=OpenSSL::PKey::RSA.new cert.public_key
+        end
+      rescue Exception => node_error
+        puts("WARNING: Caught exception: #{node_error.message} while processing #{client}, so skipping...")
+      end
+    end
+    
+    # Get the public keys for the admin users, skipping users already in the data bag
+    public_keys << admins.split(",").map do |user|
+      begin
+        if current_dbi_keys[user]
+          puts("INFO: Skipping #{user} as it is already in the data bag")
+        else
+          puts("INFO: Adding #{user} to public_key array...")
+          public_key = api.get("users/#{user}")['public_key']
+          keyfob[user] = OpenSSL::PKey::RSA.new public_key
+        end
+      rescue Exception => user_error
+        puts("WARNING: Caught exception: #{user_error.message} while processing #{user}, so skipping...")
+      end
+    end
+
+    if public_keys.length == 0
+      puts "A node search for #{node_search} returned no results" 
+      exit 1
+    end
+
+    # Get the current secret, is nil if current secret does not exist yet
+    current_secret = get_shared_secret(data_bag, username)
+    data_bag_shared_key = current_secret ? current_secret : OpenSSL::PKey::RSA.new(245).to_pem.lines.to_a[1..-2].join
+    enc_db_key_dbi = current_dbi_keys.empty? ? Mash.new({id: "#{username}_keys"}) : current_dbi_keys
+
+    # Encrypt for every new node not already in the data bag
+    keyfob.each do |node,pkey|
+      puts("INFO: Encrypting for #{node}...")
+      enc_db_key_dbi[node] = Base64.encode64(pkey.public_encrypt(data_bag_shared_key))
+    end unless keyfob.empty?
+
+    # Delete existing keys data bag and rewrite the whole bag from memory
+    puts("INFO: Writing #{data_bag_path}/#{username}_keys.json...")
+    File.delete("#{data_bag_path}/#{username}_keys.json") if File.exists?("#{data_bag_path}/#{username}_keys.json")
+    File.open("#{data_bag_path}/#{username}_keys.json",'w').write(JSON.pretty_generate(enc_db_key_dbi))
+
+    # If the existing password bag does not exist, write it out with the correct password
+    # Otherwise leave the existing bag alone
+    if current_dbi.empty?
+      dbi_mash = Mash.new({id: username, username: username, password: password})
+      dbi = Chef::DataBagItem.from_hash(dbi_mash)
+      edbi = Chef::EncryptedDataBagItem.encrypt_data_bag_item(dbi, data_bag_shared_key)
+
+      puts("INFO: Writing #{data_bag_path}/#{username}.json...")
+      open("#{data_bag_path}/#{username}.json",'w').write(JSON.pretty_generate(edbi))
+    end
+
+    puts("INFO: Successfully wrote #{data_bag_path}/#{username}.json & #{data_bag_path}/#{username}_keys.json!")
+  end
+
+  def equal?(db, dbi, key, value)
+    data_bag_path = "./data_bags/#{db}"
+
+    shared_secret = get_shared_secret(db, dbi)
+    dbi = JSON.parse(open("#{data_bag_path}/#{dbi}.json").read())
+    dbi = Chef::EncryptedDataBagItem.new dbi, shared_secret
+
+    dbi[key] == value
+  end
+
+  def get_shared_secret(db, dbi)
+    data_bag_path = "./data_bags/#{db}"
+
+    private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+    key = File.exists?("#{data_bag_path}/#{dbi}_keys.json") ? JSON.parse(open("#{data_bag_path}/#{dbi}_keys.json").read()) : nil
+    
+    begin      
+      private_key.private_decrypt(Base64.decode64(key[Chef::Config[:node_name]]))
+    rescue
+      nil
+    end
+  end
+end

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: chef-vault
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Kevin Moser
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-04-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: chef
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.10.10
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.10.10
+description: Data encryption support for chef using data bags
+email:
+- kevin.moser@nordstrom.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- README.rdoc
+- chef-vault.gemspec
+- lib/chef-vault.rb
+- lib/chef-vault/certificate.rb
+- lib/chef-vault/user.rb
+- lib/chef-vault/version.rb
+- lib/chef/knife/DecryptCert.rb
+- lib/chef/knife/DecryptPassword.rb
+- lib/chef/knife/EncryptCert.rb
+- lib/chef/knife/EncryptPassword.rb
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Data encryption support for chef using data bags
+test_files: []