Commit 5ec08903 authored by Geoff Meakin

Add first gem, make encrypt_value a binary, and make a keys dir

parent d9264cf5
.idea
*.iml
*.gradle
keys/*.pem
pkg/*/lib
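Review bot: `keys/*.pem` keeps the private key out of the repository, which is the right default, but it also ignores the `public_key.pem` that the README in this same commit tells users to copy into `keys/`, so a fresh clone will never carry the key the encrypt helper defaults to; either narrow the pattern to the private key only (a `keys/private_key.pem` entry, or whatever name the Generate keys step actually produces) or state in the README that `keys/` is intentionally untracked. The `.idea`, `*.iml` and `*.gradle` entries are IDE and Gradle artefacts unrelated to a Ruby gem and would be better placed in a global gitignore.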
......@@ -40,6 +40,10 @@ N.B. when using the multi-line string syntax (i.e. >) **don't wrap encrypted str
Setup
=====
### Installing hiera-eyaml
$ gem install hiera-eyaml
### Generate keys
The first step is to create a pair of keys on the Puppet master
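Review bot: `gem install hiera-eyaml` assumes the gem is published to a gem server, but the Rakefile added in this commit only builds it locally into `pkg/` (and `pkg/*/lib` is gitignored), so the Setup text should say whether the gem is fetched from rubygems.org or built from a checkout with `rake gem` and installed with `gem install pkg/hiera-eyaml-1.0.0.gem`; otherwise the first command in the new section fails for anyone following it.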
......@@ -58,16 +62,6 @@ so I don’t see that as adding much in the way of security."
Change the permissions so that the private key is only readable by the user that hiera (puppet) is
running as.
### Install eYaml backend
I'm new to ruby and tight on deadlines so I will create a gem thing when I get a chance,
but for now just copy eyaml_backend.rb to the same directory as the existing backends e.g.
/usr/lib/ruby/site_ruby/1.8/hiera/backend
You can find the directory with:
$ sudo find / -name yaml_backend.rb
### Configure Hiera
Next configure hiera.yaml to use the eyaml backend
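Review bot: dropping the manual copy instructions is fine now that the gem ships `lib/`, but the surviving sentence "Change the permissions so that the private key is only readable by the user that hiera (puppet) is running as" is now the only hardening step in Setup and still gives no command; add the concrete step, e.g. `chown puppet:puppet <private key>` followed by `chmod 0400 <private key>` (using the filename produced by the Generate keys step and the user hiera actually runs as), and note that the public key needs no such restriction.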
......@@ -93,20 +87,18 @@ Next configure hiera.yaml to use the eyaml backend
### Encrypt value
Copy public_key.pem created earlier to any machine where values will be encrypted and
use openssl to encrypt sensitive data.
Copy the public_key.pem created earlier to the keys subdirectory of this git repository.
There is a very basic helper file encrypt_value.rb which will do this for you. Just copy the
public key to the same directory as encrypt_value.rb (or vice versa), navigate to that
directory and run
There is a very basic helper file bin/encrypt_value.rb which will encrypt values for you
based on the public_key.pem. Run:
$ ruby encrypt_value.rb "my secret thing"
$ bin/encrypt_value.rb "my secret thing"
The encrypted value is printed to the command line
The encrypted value is printed to STDOUT
If you wish to rename your key or keep it in another directory run
$ ruby encrypt_value.rb "my secret thing" /path/to/key/my_key.pem
$ encrypt_value.rb "my secret thing" /path/to/key/my_key.pem
### Insert encrypted value
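Review bot: the third command is inconsistent with the second: `$ encrypt_value.rb "my secret thing" /path/to/key/my_key.pem` drops the `bin/` prefix, so copied as written it fails unless `bin` is on PATH; make it `$ bin/encrypt_value.rb "my secret thing" /path/to/key/my_key.pem` to match. The text also says the helper encrypts "based on the public_key.pem" in the keys subdirectory, but the script's new default is the relative path `keys/public_key.pem`, so the first form only works when run from the repository root; say so here (or fix the default in the script). Invoking `bin/encrypt_value.rb` directly also requires the file to be executable, which is worth a `chmod +x bin/encrypt_value.rb` mention since the old `ruby encrypt_value.rb` form did not need it.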
......
require 'rubygems'
require 'rake/gempackagetask'
spec = Gem::Specification.new do |gem|
gem.name = "hiera-eyaml"
gem.version = "1.0.0"
gem.summary = "OpenSSL Encryption backend for Hiera"
gem.email = "paultont@example.com"
gem.author = "Tom Paulton"
gem.homepage = "http://github.com/TomPaulton/hiera-eyaml"
gem.description = "Hiera backend for decrypting encrypted yaml properties"
gem.require_path = "lib"
gem.files = FileList["lib/**/*"].to_a
gem.add_dependency('hiera', '>=0.2.0')
end
Rake::GemPackageTask.new(spec) do |pkg|
pkg.need_tar = true
end
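Review bot: `gem.files = FileList["lib/**/*"].to_a` leaves `bin/encrypt_value.rb` out of the gem, so the helper the README now documents is not present after `gem install hiera-eyaml`; add `bin/**/*` to the file list and set `gem.executables = ["encrypt_value.rb"]` so RubyGems also installs a wrapper on PATH. `require 'rake/gempackagetask'` with `Rake::GemPackageTask` is the pre-Rake-0.9 API; current Rake ships it as `require 'rubygems/package_task'` and `Gem::PackageTask.new(spec)`, so using the newer form (or rescuing the LoadError and falling back) avoids a failure on newer installs. Minor: `gem.email` is an example.com placeholder and should be a real contact or removed.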
#!/usr/bin/env ruby
require 'openssl'
require 'base64'
# Run from this directory using: ruby encrypt_value.rb "value to encrypt"
public_key_path = './public_key.pem'
public_key_path = 'keys/public_key.pem'
plain_text = ARGV[0]
public_key_arg = ARGV[1]
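Review bot: the new default `'keys/public_key.pem'` is resolved against the current working directory rather than the script's location, so the command only works from the repository root; `File.join(File.dirname(__FILE__), '..', 'keys', 'public_key.pem')` anchors it to the script and still works on the Ruby 1.8 installs the README mentions (unlike `__dir__`). There is also no guard for a missing `ARGV[0]`, so `plain_text` is nil and the user gets an OpenSSL error instead of a usage message. Because the plaintext is taken from the command line it is written to shell history and is visible to other users in `ps` output while the command runs; reading the value from STDIN when no argument is given would avoid that exposure.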
......