Commit 5ec08903 authored by Geoff Meakin

Add first gem, make encrypt_value a binary, and make a keys dir

parent d9264cf5
.idea .idea
*.iml *.iml
*.gradle *.gradle
keys/*.pem
pkg/*/lib
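Review bot: `keys/*.pem` also ignores the public key, yet the README in this same commit tells the user to copy public_key.pem into the keys subdirectory of the repository and bin/encrypt_value.rb defaults to `keys/public_key.pem`; if the public key is meant to live in the checkout, narrow the pattern to the private key file, otherwise say in the README that the key is copied in but never committed. Separately, `pkg/*/lib` only ignores a lib directory under an unpacked package; the Rakefile's Rake::GemPackageTask writes the .gem and .tgz straight into pkg/, so `pkg/` is the pattern wanted here.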
...@@ -40,6 +40,10 @@ N.B. when using the multi-line string syntax (i.e. >) **don't wrap encrypted str ...@@ -40,6 +40,10 @@ N.B. when using the multi-line string syntax (i.e. >) **don't wrap encrypted str
Setup Setup
===== =====
### Installing hiera-eyaml
$ gem install hiera-eyaml
### Generate keys ### Generate keys
The first step is to create a pair of keys on the Puppet master The first step is to create a pair of keys on the Puppet master
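Review bot: the new "Installing hiera-eyaml" step does not say where `gem install hiera-eyaml` has to run; the backend must be loadable by the hiera that puppet runs (the text removed further down pointed at hiera's own backend directory), so state that the gem is installed on the Puppet master into the Ruby that puppet/hiera uses, and mention `rake gem` against this repository's Rakefile for anyone not installing from rubygems.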
...@@ -58,16 +62,6 @@ so I don’t see that as adding much in the way of security." ...@@ -58,16 +62,6 @@ so I don’t see that as adding much in the way of security."
Change the permissions so that the private key is only readable by the user that hiera (puppet) is Change the permissions so that the private key is only readable by the user that hiera (puppet) is
running as. running as.
### Install eYaml backend
I'm new to ruby and tight on deadlines so I will create a gem thing when I get a chance,
but for now just copy eyaml_backend.rb to the same directory as the existing backends e.g.
/usr/lib/ruby/site_ruby/1.8/hiera/backend
You can find the directory with:
$ sudo find / -name yaml_backend.rb
### Configure Hiera ### Configure Hiera
Next configure hiera.yaml to use the eyaml backend Next configure hiera.yaml to use the eyaml backend
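Review bot: removing the "Install eYaml backend" section drops the only text that said where hiera looks for the backend (the hiera/backend directory next to yaml_backend.rb) without replacing it with a check; after the gem install, add a one-line verification such as `ruby -e 'require "hiera/backend/eyaml_backend"'` run as the puppet user, since hiera will only find the backend if it is on that Ruby's load path. The permissions sentence kept above still gives no command; a `chmod 400` on the private key would make it actionable.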
...@@ -93,20 +87,18 @@ Next configure hiera.yaml to use the eyaml backend ...@@ -93,20 +87,18 @@ Next configure hiera.yaml to use the eyaml backend
### Encrypt value ### Encrypt value
Copy public_key.pem created earlier to any machine where values will be encrypted and Copy the public_key.pem created earlier to the keys subdirectory of this git repository.
use openssl to encrypt sensitive data.
There is a very basic helper file encrypt_value.rb which will do this for you. Just copy the There is a very basic helper file bin/encrypt_value.rb which will encrypt values for you
public key to the same directory as encrypt_value.rb (or vice versa), navigate to that based on the public_key.pem. Run:
directory and run
$ ruby encrypt_value.rb "my secret thing" $ bin/encrypt_value.rb "my secret thing"
The encrypted value is printed to the command line The encrypted value is printed to STDOUT
If you wish to rename your key or keep it in another directory run If you wish to rename your key or keep it in another directory run
$ ruby encrypt_value.rb "my secret thing" /path/to/key/my_key.pem $ encrypt_value.rb "my secret thing" /path/to/key/my_key.pem
### Insert encrypted value ### Insert encrypted value
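Review bot: the two invocations in this hunk disagree: the first is `$ bin/encrypt_value.rb "my secret thing"` and the second `$ encrypt_value.rb "my secret thing" /path/to/key/my_key.pem`, which only works if bin/ is on PATH; use the same form for both. The script's new default key path `keys/public_key.pem` is relative to the working directory, so the first command only works from the repository root, but the old "navigate to that directory and run" wording has been removed; say the command is run from the repo root (or have the script resolve the key relative to itself). The old text also said the public key goes to "any machine where values will be encrypted"; the new wording loses that and reads as if encryption only happens inside this checkout.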
......
require 'rubygems'
require 'rake/gempackagetask'
spec = Gem::Specification.new do |gem|
gem.name = "hiera-eyaml"
gem.version = "1.0.0"
gem.summary = "OpenSSL Encryption backend for Hiera"
gem.email = "paultont@example.com"
gem.author = "Tom Paulton"
gem.homepage = "http://github.com/TomPaulton/hiera-eyaml"
gem.description = "Hiera backend for decrypting encrypted yaml properties"
gem.require_path = "lib"
gem.files = FileList["lib/**/*"].to_a
gem.add_dependency('hiera', '>=0.2.0')
end
Rake::GemPackageTask.new(spec) do |pkg|
pkg.need_tar = true
end
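Review bot: `gem.files = FileList["lib/**/*"].to_a` packages only lib/, so the binary this commit introduces (bin/encrypt_value.rb) is not in the gem and the README's `gem install hiera-eyaml` will not provide it; add `gem.executables = ["encrypt_value.rb"]` and include `bin/*` in `gem.files`. `paultont@example.com` is a placeholder domain and should be replaced before publishing. `require 'rake/gempackagetask'` is the deprecated location (Rake 0.9 and later warn and point to `rubygems/package_task` and `Gem::PackageTask`), so it may stop working on newer Rake.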
#!/usr/bin/env ruby
require 'openssl' require 'openssl'
require 'base64' require 'base64'
# Run from this directory using: ruby encrypt_value.rb "value to encrypt" # Run from this directory using: ruby encrypt_value.rb "value to encrypt"
public_key_path = './public_key.pem' public_key_path = 'keys/public_key.pem'
plain_text = ARGV[0] plain_text = ARGV[0]
public_key_arg = ARGV[1] public_key_arg = ARGV[1]
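Review bot: the comment `# Run from this directory using: ruby encrypt_value.rb "value to encrypt"` is now stale: the file lives in bin/, the README invokes it as `bin/encrypt_value.rb`, and the new default `public_key_path = 'keys/public_key.pem'` is relative to the working directory rather than to the script, so running it from inside bin/ as the comment says will not find the key; resolve the default with something like `File.expand_path('../../keys/public_key.pem', __FILE__)` and update the comment. The added shebang only helps if the file is executable, and this view shows no mode change, so confirm the +x bit is set. `plain_text = ARGV[0]` is still not checked for nil, so a bare `bin/encrypt_value.rb` fails later with an unhelpful error; print a usage message when ARGV is empty.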
......