Decrypt GPG encrypted yaml file keys and re-encrypt them using eyaml since GPG backend is EOLed (Puppet/Hiera)
 Dependencies

Development

~> 1.14
~> 10.0
~> 3.0

Runtime

= 0.4.0
= 2.0.12

YamlRecrypt

Handy small tool for parsing YAML files and finding the keys that are currently encrypted with hiera-eyaml-gpg (not to be confused with hiera-gpg, which encrypts entire YAML files). While hiera-eyaml-gpg is a cool idea, the complexities of GPG can negate some of its benefits in practice, so this tool was developed to allow conversion to regular eyaml.

Installation

Add this line to your application's Gemfile:

gem 'yaml_recrypt'

And then execute:

$ bundle

Or install it yourself as:

$ gem install yaml_recrypt

Usage

Re-encrypting your hiera data

At present, yaml_recrypt only offers one mode of operation which is to recursively process files in the current directory, decrypting any hiera-eyaml-gpg data and then re-encrypting it with plain hiera-eyaml.

To do this, yaml_recrypt needs:

  • Some data to decrypt
  • Your GPG PKI (directory of gpg keychains, etc., usually at ~/.gpg)
  • Your hiera-eyaml public key (usually at /etc/puppetlabs/puppet/keys)

yaml_recrypt should not be run inside any /etc/puppet* directory, to avoid the risk of updating files which are currently in use. Ideally, data should be copied off the puppet server for re-encryption (e.g. to a workstation, which must be running Linux), as:

  • This prevents altering the gems installed on the production master
  • The conversion can be done in a safe and controlled environment
  • Files can be easily deleted afterwards

A conversion workflow should look something like this:

  1. Obtain the existing hiera data (tar + scp on the master, or a git checkout if you're using version control)
  2. Obtain the GPG keychain from the master (you need the entire directory named by the :gpg_gnupghome: key in hiera.yaml)
  3. Obtain the hiera-eyaml public key from the (new?) master
  4. Run the conversion:
yaml_recrypt convert --gpg-home gpghome/ --eyaml-pub-key keys/public_key.pkcs7.pem

Worked example:

cd /home/geoff/tmp/hieradata
yaml_recrypt convert --gpg-home /home/geoff/tmp/gpghome --eyaml-pub-key /home/geoff/tmp/keys/public_key.pkcs7.pem
  5. Check the results and commit the changed data back to git
  6. When happy with the conversion results, don't forget to remove the old GPG keychain files from your system - it's a security risk to leave them lying around

Cleaning up the .orig files

yaml_recrypt will create a .orig file for every file it changes, "just in case" (TM). Once you're happy everything worked correctly, the following command will delete them all from the current directory downwards:

find . -name '*.orig' -exec rm {} \;
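The page describes the tool's behaviour (walk the current directory, find values encrypted with hiera-eyaml-gpg, rewrite them as plain eyaml, and keep a .orig copy of every changed file) but shows no code for it, so here is an added Ruby sketch of that process. It is not yaml_recrypt's own code: the ENC[backend,base64] marker is the hiera-eyaml convention, the actual GPG decryption and PKCS7 encryption are replaced by a clearly labelled stand-in lambda (STAND_IN), and the sample YAML and its base64 payloads are constructed for the example, not real ciphertext.

```ruby
require 'yaml'
require 'fileutils'
require 'tmpdir'

# hiera-eyaml stores ciphertext inline as ENC[<backend>,<base64>]; the base64
# may be wrapped across lines when the value was written as a folded block,
# so whitespace is allowed inside the match and stripped before use.
ENC_RE = /\AENC\[([A-Za-z0-9_]+),([A-Za-z0-9+\/=\s]+)\]\z/

# Walk a parsed YAML tree. Every string encrypted with backend `from` is
# handed to the block as bare base64 ciphertext; the block returns the base64
# for backend `to`. Returns [rewritten_tree, number_of_values_changed].
def recrypt_tree(node, from:, to:, &recrypt)
  case node
  when Hash
    changed = 0
    out = node.each_with_object({}) do |(k, v), h|
      h[k], n = recrypt_tree(v, from: from, to: to, &recrypt)
      changed += n
    end
    [out, changed]
  when Array
    changed = 0
    out = node.map do |v|
      r, n = recrypt_tree(v, from: from, to: to, &recrypt)
      changed += n
      r
    end
    [out, changed]
  when String
    m = ENC_RE.match(node)
    if m && m[1] == from
      ["ENC[#{to},#{recrypt.call(m[2].gsub(/\s+/, ''))}]", 1]
    else
      [node, 0] # plain string, or already encrypted with another backend
    end
  else
    [node, 0] # numbers, booleans, nil: nothing to re-encrypt
  end
end

# Rewrite one file in place, keeping <file>.orig only when something changed.
# Returns the number of values re-encrypted (0 means the file was left alone).
def recrypt_file(path, from:, to:, &recrypt)
  data = YAML.safe_load(File.read(path))
  tree, changed = recrypt_tree(data, from: from, to: to, &recrypt)
  return 0 if changed.zero?
  FileUtils.cp(path, "#{path}.orig")
  File.write(path, YAML.dump(tree))
  changed
end

# Process every *.yaml / *.eyaml below root; returns {path => changed_count}.
def recrypt_dir(root, from:, to:, &recrypt)
  Dir.glob(File.join(root, '**', '*.{yaml,eyaml}')).sort.each_with_object({}) do |f, res|
    res[f] = recrypt_file(f, from: from, to: to, &recrypt)
  end
end

# STAND-IN (assumption, not real crypto): in the real tool this is where the
# GPG private key decrypts the value and the eyaml PKCS7 public key encrypts
# it again. Here the "ciphertext" is just base64 text, so the stand-in
# decodes it, tags it and re-encodes it, which keeps the example offline.
STAND_IN = lambda do |b64|
  plaintext = b64.unpack1('m')
  ["recrypted:#{plaintext}"].pack('m0')
end

# Constructed sample hiera data. The base64 payloads are NOT real ciphertext
# (they decode to "hello world", "secret-one" and "already-eyaml").
SAMPLE_YAML = <<~YAML
  ---
  plain::setting: "not secret"
  db::password: ENC[GPG,aGVsbG8gd29ybGQ=]
  nested:
    api_keys:
      - ENC[GPG,c2VjcmV0LW9uZQ==]
      - ENC[PKCS7,YWxyZWFkeS1leWFtbA==]
  port: 5432
YAML

# Run the whole flow on a temporary copy of the sample file.
# Returns [values_changed, orig_backup_exists, rewritten_data].
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'common.yaml')
    File.write(path, SAMPLE_YAML)
    changed = recrypt_file(path, from: 'GPG', to: 'PKCS7', &STAND_IN)
    [changed, File.exist?("#{path}.orig"), YAML.safe_load(File.read(path))]
  end
end

if $PROGRAM_NAME == __FILE__
  changed, has_orig, data = demo
  puts "re-encrypted #{changed} value(s), backup written: #{has_orig}"
  puts YAML.dump(data)
end
```

Because the tree is round-tripped through YAML.safe_load and YAML.dump, comments and the original quoting style are lost; that is one more reason to diff each rewritten file against its .orig before deleting the backups as described above. Values already tagged with the target backend (the PKCS7 entry in the sample) are left untouched, so the conversion can safely be re-run on partially converted data.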

Development and Contributing

There are a few additional things this codebase could be extended to cover if there's interest:

  • hiera-gpg (whole file encrypted) to hiera-eyaml
  • hiera-eyaml to hiera-eyaml-gpg
  • hiera-eyaml to ...something else
  • something else... to hiera-eyaml

Bug reports and pull requests are welcome on GitHub at https://github.com/GeoffWilliams/yaml_recrypt.

There are no plans to develop this software beyond its initial capabilities.

Acknowledgement

Contains adapted source code from:

See the file LICENCE for licensing information (MIT)