hiera-eyaml-gpg 0.1 → 0.2
data/README.md
CHANGED
|
@@ -14,3 +14,59 @@ keys. This means that each team member can hold their own private key and so can
|
|
|
14
14
|
Equally, each puppet master can have their own key if desired and when you need to rotate
|
|
15
15
|
keys for either users or puppet masters, re-encrypting your files and changing the key everywhere
|
|
16
16
|
does not need to be done in lockstep.
|
|
17
|
+
|
|
18
|
+
Requirements
|
|
19
|
+
------------
|
|
20
|
+
|
|
21
|
+
You'll need a working GPG setup with your own keypair and a public keyring containing any other
|
|
22
|
+
keys that you want to work
|
|
23
|
+
|
|
24
|
+
To get started, install the hiera-eyaml-gpg gem.
|
|
25
|
+
|
|
26
|
+
$ gem install hiera-eyaml-gpg
|
|
27
|
+
|
|
28
|
+
If you haven't already installed it, this requires and will install the hiera-eyaml gem, which you
|
|
29
|
+
should probably acquint yourself with at https://github.com/TomPoulton/hiera-eyaml.
|
|
30
|
+
|
|
31
|
+
Note that in order to install the gpgme gem you'll need to have the ruby development package installed
|
|
32
|
+
for your distribution.
|
|
33
|
+
|
|
34
|
+
How to use
|
|
35
|
+
----------
|
|
36
|
+
|
|
37
|
+
### Encrypting and editing encrypted data
|
|
38
|
+
|
|
39
|
+
Once installed you can create encrypted hiera-eyaml blocks that are encrypted using GPG.
|
|
40
|
+
|
|
41
|
+
$ eyaml -n gpg -e -s "A secret string to encrypt" --gpg-recipients bob@example.com,hiera@example.com
|
|
42
|
+
|
|
43
|
+
If you do not have a web of trust (i.e. you normally use --always-trust for gpg signing) then you'll need
|
|
44
|
+
to use the `--gpg-always-trust` option on the command line.
|
|
45
|
+
|
|
46
|
+
It gets pretty dull to keep on remembering which recipients you should use, so you can put them in a file
|
|
47
|
+
and specify that instead.
|
|
48
|
+
|
|
49
|
+
$ eyaml -n gpg -e -s "A secret string to encrypt" --gpg-recipients-file hiera-eyaml-gpg.recipients
|
|
50
|
+
|
|
51
|
+
In fact, when editing a file on disk and neither of the --gpg-recipient options are provided it will
|
|
52
|
+
automatically look for a `hiera-eyaml-gpg.recipients` file in the same directory as the file being edited
|
|
53
|
+
(or any parent in the tree). The first file discovered will be used allowing different parts of a hiera
|
|
54
|
+
tree to have different recipients if so desired.
|
|
55
|
+
|
|
56
|
+
Use `eyaml --help` for more details or look at the hiera-eyaml docs.
|
|
57
|
+
|
|
58
|
+
### Configuring hiera
|
|
59
|
+
|
|
60
|
+
Assuming you have a working `hiera` and `hiera-eyaml` then the only option you need to add is to
|
|
61
|
+
configure `:gpg_gnupghome:` in your hiera.yaml (under the `:eyaml:` section). This should be the
|
|
62
|
+
directory that contains the keyring etc for the user that can to decrypt the hiera data. Please note
|
|
63
|
+
that the private GPG key must not have a passphrase.
|
|
64
|
+
|
|
65
|
+
Authors
|
|
66
|
+
-------
|
|
67
|
+
|
|
68
|
+
- Simon Hildrew - Initial code
|
|
69
|
+
- Geoff Meakins - Created hiera-eyaml plugin framework that made this possible
|
|
70
|
+
|
|
71
|
+
### Contributors
|
|
72
|
+
- Walt Javins - Bug fixes
|
|
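Review bot: the new Requirements paragraph (README lines 21-22) stops mid-sentence at "keys that you want to work", and two further slips need fixing in the same hunk: "acquint" on line 29 should be "acquaint", and "the user that can to decrypt" on line 62 should read "the user that decrypts". The security-relevant gap is line 63: telling users the puppet master's private key must not have a passphrase should come with the consequence, that the `:gpg_gnupghome:` directory then carries the whole secret and must be readable only by the puppet user, kept separate from any person's keyring (which the per-master-key design on lines 14-16 already allows). Line 44's `--gpg-always-trust` advice should likewise say that it switches off key validity checking, so recipients' key fingerprints need to be verified out of band before they go into a `hiera-eyaml-gpg.recipients` file; since lines 51-54 make the first such file found up the directory tree decide who can decrypt, that file deserves the same review as any other change to the hiera tree.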
@@ -27,10 +27,18 @@ class Hiera
|
|
|
27
27
|
:type => :string }
|
|
28
28
|
}
|
|
29
29
|
|
|
30
|
+
@@passphrase_cache = Hash.new
|
|
31
|
+
|
|
30
32
|
def self.passfunc(hook, uid_hint, passphrase_info, prev_was_bad, fd)
|
|
31
33
|
begin
|
|
32
34
|
system('stty -echo')
|
|
33
|
-
|
|
35
|
+
|
|
36
|
+
unless @@passphrase_cache.has_key?(uid_hint)
|
|
37
|
+
@@passphrase_cache[uid_hint] = ask("Enter passphrase for #{uid_hint}: ") { |q| q.echo = '' }
|
|
38
|
+
$stderr.puts
|
|
39
|
+
end
|
|
40
|
+
passphrase = @@passphrase_cache[uid_hint]
|
|
41
|
+
|
|
34
42
|
io = IO.for_fd(fd, 'w')
|
|
35
43
|
io.puts(passphrase)
|
|
36
44
|
io.flush
|
|
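Review bot: the new cache in passfunc (lines 36-40) ignores the `prev_was_bad` argument, so a mistyped passphrase is stored under `uid_hint` and replayed on every retry without the user ever being asked again for the life of the process; evict the stale entry first, e.g. `@@passphrase_cache.delete(uid_hint) if prev_was_bad`, ahead of the `unless @@passphrase_cache.has_key?(uid_hint)` check. Holding the passphrase in a class variable for as long as the process runs is a reasonable trade-off when editing many files, but it should be stated in a comment on line 30 so nobody assumes the later scrub code clears it. `ask(...) { |q| q.echo = '' }` on line 37 also depends on highline being loaded, and no require for it is visible in this hunk's context.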
@@ -38,7 +46,6 @@ class Hiera
|
|
|
38
46
|
(0 ... $_.length).each do |i| $_[i] = ?0 end if $_
|
|
39
47
|
system('stty echo')
|
|
40
48
|
end
|
|
41
|
-
$stderr.puts
|
|
42
49
|
end
|
|
43
50
|
|
|
44
51
|
def self.find_recipients
|
|
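Review bot: the scrub on line 46, `(0 ... $_.length).each do |i| $_[i] = ?0 end if $_`, overwrites `$_` (Ruby's last-read-line variable), not the `passphrase` local, so it has never cleared the passphrase, and with the new `@@passphrase_cache` it could not safely do so anyway: `passphrase` and the cache entry are the same String object, so zeroing it in place would corrupt the cached value and break the next prompt-free decrypt. Either drop the misleading line or replace it with an explicit clear called once the caller is finished (for example a `self.clear_passphrase_cache` that zeroes each cached String in place and then empties the Hash). Removing the trailing `$stderr.puts` on line 41 is fine since the newline now follows the prompt on line 38.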
@@ -52,7 +59,7 @@ class Hiera
|
|
|
52
59
|
debug("Using --recipients-file option")
|
|
53
60
|
Pathname.new(recipient_file_option)
|
|
54
61
|
else
|
|
55
|
-
debug("Searching for any hiera-eyaml-gpg.
|
|
62
|
+
debug("Searching for any hiera-eyaml-gpg.recipients files in path")
|
|
56
63
|
# if we are editing a file, look for a hiera-eyaml-gpg.recipients file
|
|
57
64
|
filename = case Eyaml::Options[:source]
|
|
58
65
|
when :file
|
|
@@ -146,6 +153,7 @@ class Hiera
|
|
|
146
153
|
txt.read
|
|
147
154
|
else
|
|
148
155
|
warn("No usable keys found in #{ENV['GNUPGHOME']}. Check :gpgpghome value in hiera.yaml is correct")
|
|
156
|
+
raise ArgumentError, "No usable keys found in #{ENV['GNUPGHOME']}. Check :gpgpghome value in hiera.yaml is correct"
|
|
149
157
|
end
|
|
150
158
|
end
|
|
151
159
|
|
|
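Review bot: the new `raise ArgumentError` on line 156 repeats the `warn` on line 155 word for word, so the user sees the message twice; now that the failure is fatal the raise alone is enough. Both messages also tell the user to check `:gpgpghome`, while the README in this same release documents the option as `:gpg_gnupghome:` under `:eyaml:`; correct the key name in the new line (and the kept warn) so the hint points at the right setting. Turning this branch into an exception is the right call: before, the `else` branch evaluated to the return value of `warn`, i.e. nil, so a missing key handed Hiera an empty value instead of failing the lookup loudly.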
@@ -158,4 +166,4 @@ class Hiera
|
|
|
158
166
|
end
|
|
159
167
|
end
|
|
160
168
|
end
|
|
161
|
-
end
|
|
169
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hiera-eyaml-gpg
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: '0.
|
|
4
|
+
version: '0.2'
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
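Review bot: the bump to `version: '0.2'` on line 4 ships a behaviour change (decryption with no usable key now raises ArgumentError instead of warning and returning nil) and the README hunk in this release adds no changelog entry for it; a one-line note in the README, or a CHANGELOG file, would save operators from debugging the new exception after upgrading.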
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2013-
|
|
12
|
+
date: 2013-11-07 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: hiera-eyaml
|