diff options
| author | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2012-05-15 13:24:58 -0400 |
|---|---|---|
| committer | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2012-05-15 13:24:58 -0400 |
| commit | d221337beaaafd7ce71717da64e4c9d91babd712 (patch) | |
| tree | fb8cba5caf9e8e42f71c523707fffcf5cbcb22ff /doc | |
| parent | 4df3945eeecb31e3234e894202868a373c95e3aa (diff) | |
| download | bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.tar.gz bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.tar.bz2 bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.zip | |
Added ability to store Cfg files with AES encryption
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/server/plugins/generators/cfg.txt | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt index 031c9e3fc..54dbe3a39 100644 --- a/doc/server/plugins/generators/cfg.txt +++ b/doc/server/plugins/generators/cfg.txt @@ -139,6 +139,81 @@ using different host-specific or group-specific files. For example: Cfg/etc/fstab/fstab.H_host.example.com.genshi Cfg/etc/fstab/fstab.G50_server.cheetah +Encrypted Files +=============== + +.. versionadded:: 1.3.0 + +Bcfg2 allows you to encrypt files stored in ``Cfg/`` to protect the +data in them from other people who need access to the repository. + +.. note:: + + This feature is *not* intended to secure the files against a + malicious attacker who has gained access to your Bcfg2 server, as + the encryption passphrases are held in plaintext in + ``bcfg2.conf``. This is only intended to make it easier to use a + single Bcfg2 repository with multiple admins who should not + necessarily have access to each other's sensitive data. + +Encrypting Files +---------------- + +An encrypted file should end with ``.crypt``, e.g.:: + + Cfg/etc/foo.conf + Cfg/etc/foo.conf/foo.conf.crypt + +To encrypt a file, you can run:: + + openssl enc -aes-256-cbc -k <passphrase> -in foo.conf -out foo.conf.crypt -a + +Once you are satisfied that the file has been encrypted as you wish, +you can remove the plaintext version. + +To decrypt a file, you can run:: + + + +.. note:: + + It is not currently possible to encrypt Genshi or Cheetah + templates. + +Configuring Encryption +---------------------- + +To configure encryption, add a ``[cfg:encryption]`` section to +``bcfg2.conf`` with any number of name-passphrase pairs. When +decrypting a file, _all_ passphrases will be tried; the passphrase +name is currently purely cosmetic, but at some point in the future the +ability to give Bcfg2 a "hint" about which passphrase to use will be +added. + +For instance:: + + [cfg:encryption] + foo_team=P4ssphr4se + bar_team=Pa55phra5e + +This would define two separate encryption passphrases, presumably for +use by two separate teams. The passphrase names are completely +arbitrary. + +Note that this does entail a chicken-and-egg problem. In order for +the Bcfg2 server to be able to decrypt encrypted files, the +passphrases must exist in ``bcfg2.conf`` in plaintext; but, if you're +encrypting data, presumably you don't want to include those plaintext +passphrases in your Bcfg2 repository, so you'll want to encrypt +``bcfg2.conf``. The best way to solve this is: + +#. On your Bcfg2 server, manually add the ``[cfg:encryption]`` section + to ``bcfg2.conf`` and restart the Bcfg2 server. +#. Update ``bcfg2.conf`` in your Bcfg2 repository with the + passphrases, and encrypt it. + +The first (manual) step breaks the mutual dependency. + Deltas ====== |