hiera-eyaml-gpg 0.1 → 0.2
Sign up to get free protection for your applications and to get access to all the features.
data/README.md
CHANGED
|
@@ -14,3 +14,59 @@ keys. This means that each team member can hold their own private key and so can
|
|
|
14
14
|
Equally, each puppet master can have their own key if desired and when you need to rotate
|
|
15
15
|
keys for either users or puppet masters, re-encrypting your files and changing the key everywhere
|
|
16
16
|
does not need to be done in lockstep.
|
|
17
|
+
|
|
18
|
+
Requirements
|
|
19
|
+
------------
|
|
20
|
+
|
|
21
|
+
You'll need a working GPG setup with your own keypair and a public keyring containing any other
|
|
22
|
+
keys that you want to work
|
|
23
|
+
|
|
24
|
+
To get started, install the hiera-eyaml-gpg gem.
|
|
25
|
+
|
|
26
|
+
$ gem install hiera-eyaml-gpg
|
|
27
|
+
|
|
28
|
+
If you haven't already installed it, this requires and will install the hiera-eyaml gem, which you
|
|
29
|
+
should probably acquint yourself with at https://github.com/TomPoulton/hiera-eyaml.
|
|
30
|
+
|
|
31
|
+
Note that in order to install the gpgme gem you'll need to have the ruby development package installed
|
|
32
|
+
for your distribution.
|
|
33
|
+
|
|
34
|
+
How to use
|
|
35
|
+
----------
|
|
36
|
+
|
|
37
|
+
### Encrypting and editing encrypted data
|
|
38
|
+
|
|
39
|
+
Once installed you can create encrypted hiera-eyaml blocks that are encrypted using GPG.
|
|
40
|
+
|
|
41
|
+
$ eyaml -n gpg -e -s "A secret string to encrypt" --gpg-recipients bob@example.com,hiera@example.com
|
|
42
|
+
|
|
43
|
+
If you do not have a web of trust (i.e. you normally use --always-trust for gpg signing) then you'll need
|
|
44
|
+
to use the `--gpg-always-trust` option on the command line.
|
|
45
|
+
|
|
46
|
+
It gets pretty dull to keep on remembering which recipients you should use, so you can put them in a file
|
|
47
|
+
and specify that instead.
|
|
48
|
+
|
|
49
|
+
$ eyaml -n gpg -e -s "A secret string to encrypt" --gpg-recipients-file hiera-eyaml-gpg.recipients
|
|
50
|
+
|
|
51
|
+
In fact, when editing a file on disk and neither of the --gpg-recipient options are provided it will
|
|
52
|
+
automatically look for a `hiera-eyaml-gpg.recipients` file in the same directory as the file being edited
|
|
53
|
+
(or any parent in the tree). The first file discovered will be used allowing different parts of a hiera
|
|
54
|
+
tree to have different recipients if so desired.
|
|
55
|
+
|
|
56
|
+
Use `eyaml --help` for more details or look at the hiera-eyaml docs.
|
|
57
|
+
|
|
58
|
+
### Configuring hiera
|
|
59
|
+
|
|
60
|
+
Assuming you have a working `hiera` and `hiera-eyaml` then the only option you need to add is to
|
|
61
|
+
configure `:gpg_gnupghome:` in your hiera.yaml (under the `:eyaml:` section). This should be the
|
|
62
|
+
directory that contains the keyring etc for the user that can to decrypt the hiera data. Please note
|
|
63
|
+
that the private GPG key must not have a passphrase.
|
|
64
|
+
|
|
65
|
+
Authors
|
|
66
|
+
-------
|
|
67
|
+
|
|
68
|
+
- Simon Hildrew - Initial code
|
|
69
|
+
- Geoff Meakins - Created hiera-eyaml plugin framework that made this possible
|
|
70
|
+
|
|
71
|
+
### Contributors
|
|
72
|
+
- Walt Javins - Bug fixes
|
|
@@ -27,10 +27,18 @@ class Hiera
|
|
|
27
27
|
:type => :string }
|
|
28
28
|
}
|
|
29
29
|
|
|
30
|
+
@@passphrase_cache = Hash.new
|
|
31
|
+
|
|
30
32
|
def self.passfunc(hook, uid_hint, passphrase_info, prev_was_bad, fd)
|
|
31
33
|
begin
|
|
32
34
|
system('stty -echo')
|
|
33
|
-
|
|
35
|
+
|
|
36
|
+
unless @@passphrase_cache.has_key?(uid_hint)
|
|
37
|
+
@@passphrase_cache[uid_hint] = ask("Enter passphrase for #{uid_hint}: ") { |q| q.echo = '' }
|
|
38
|
+
$stderr.puts
|
|
39
|
+
end
|
|
40
|
+
passphrase = @@passphrase_cache[uid_hint]
|
|
41
|
+
|
|
34
42
|
io = IO.for_fd(fd, 'w')
|
|
35
43
|
io.puts(passphrase)
|
|
36
44
|
io.flush
|
|
@@ -38,7 +46,6 @@ class Hiera
|
|
|
38
46
|
(0 ... $_.length).each do |i| $_[i] = ?0 end if $_
|
|
39
47
|
system('stty echo')
|
|
40
48
|
end
|
|
41
|
-
$stderr.puts
|
|
42
49
|
end
|
|
43
50
|
|
|
44
51
|
def self.find_recipients
|
|
@@ -52,7 +59,7 @@ class Hiera
|
|
|
52
59
|
debug("Using --recipients-file option")
|
|
53
60
|
Pathname.new(recipient_file_option)
|
|
54
61
|
else
|
|
55
|
-
debug("Searching for any hiera-eyaml-gpg.
|
|
62
|
+
debug("Searching for any hiera-eyaml-gpg.recipients files in path")
|
|
56
63
|
# if we are editing a file, look for a hiera-eyaml-gpg.recipients file
|
|
57
64
|
filename = case Eyaml::Options[:source]
|
|
58
65
|
when :file
|
|
@@ -146,6 +153,7 @@ class Hiera
|
|
|
146
153
|
txt.read
|
|
147
154
|
else
|
|
148
155
|
warn("No usable keys found in #{ENV['GNUPGHOME']}. Check :gpgpghome value in hiera.yaml is correct")
|
|
156
|
+
raise ArgumentError, "No usable keys found in #{ENV['GNUPGHOME']}. Check :gpgpghome value in hiera.yaml is correct"
|
|
149
157
|
end
|
|
150
158
|
end
|
|
151
159
|
|
|
@@ -158,4 +166,4 @@ class Hiera
|
|
|
158
166
|
end
|
|
159
167
|
end
|
|
160
168
|
end
|
|
161
|
-
end
|
|
169
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hiera-eyaml-gpg
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: '0.
|
|
4
|
+
version: '0.2'
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-
|
|
12
|
+
date: 2013-11-07 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: hiera-eyaml
|