diff options
| author | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2013-01-17 09:20:37 -0500 |
|---|---|---|
| committer | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2013-01-17 09:20:37 -0500 |
| commit | ae58c24f72a8ed72327fbc3f7305bd69ec6a13db (patch) | |
| tree | e8614b54239161156d76424251cfc868643488a0 /doc | |
| parent | 873a373c7eda0ba523ea8b78c3c45d7e8f189628 (diff) | |
| download | bcfg2-ae58c24f72a8ed72327fbc3f7305bd69ec6a13db.tar.gz bcfg2-ae58c24f72a8ed72327fbc3f7305bd69ec6a13db.tar.bz2 bcfg2-ae58c24f72a8ed72327fbc3f7305bd69ec6a13db.zip | |
Made a few encryption things simpler:
* Only one strict/lax setting, in [encryption], rather than separate
settings in [properties] and [sshkeys]
* No longer necessary to enable encryption on each Properties file
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/server/encryption.txt | 20 | ||||
| -rw-r--r-- | doc/server/plugins/connectors/properties.txt | 5 | ||||
| -rw-r--r-- | doc/server/plugins/generators/cfg.txt | 6 |
3 files changed, 25 insertions, 6 deletions
diff --git a/doc/server/encryption.txt b/doc/server/encryption.txt index bc18e140c..e84b9fb31 100644 --- a/doc/server/encryption.txt +++ b/doc/server/encryption.txt @@ -203,6 +203,26 @@ get a list of valid algorithms, you can run:: openssl list-cipher-algorithms | grep -v ' => ' | \ tr 'A-Z-' 'a-z_' | sort -u +Lax vs. Strict decryption +------------------------- + +By default, Bcfg2 expects to be able to decrypt every encrypted +datum. Depending on how encryption is implemented at your site, +though, that may not be possible. (For instance, if you use +encryption to protect data for your production environment from your +staging Bcfg2 server, then you would not expect the staging server to +be able to decrypt everything.) In this case, you want to enable lax +decryption in the ``[encryption]`` section of ``bcfg2.conf``: + + [encryption] + decrypt = lax + +This causes a failed decrypt to produce a warning only, not an error. + +This can be overridden by individual XML files by setting +``decrypt="strict"`` on the top-level tag (or, vice-versa; if strict +is the default an XML file can specify ``decrypt="lax"``. + Encryption API ============== diff --git a/doc/server/plugins/connectors/properties.txt b/doc/server/plugins/connectors/properties.txt index 1d276697a..da511736d 100644 --- a/doc/server/plugins/connectors/properties.txt +++ b/doc/server/plugins/connectors/properties.txt @@ -290,9 +290,8 @@ decrypted, parsing of the file is aborted. If you wish for parsing to continue, with unencryptable elements simply skipped, then you can set decryption to *lax* in one of two ways: -* Set ``decrypt=lax`` in the ``[properties]`` section of - ``bcfg2.conf`` to set lax decryption on all Properties files by - default; or +* Set ``decrypt=lax`` in the ``[encryption]`` section of + ``bcfg2.conf`` to set lax decryption on all files by default; or * Set the ``decrypt="lax"`` attribute on the top-level ``Properties`` tag of a Properties file to set lax decryption for a single file. diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt index dcaeef4f8..e843b1d2d 100644 --- a/doc/server/plugins/generators/cfg.txt +++ b/doc/server/plugins/generators/cfg.txt @@ -411,6 +411,9 @@ structured as follows: .. xml:element:: PrivateKey :linktotype: +See :ref:`server-encryption` for more details on encryption in Bcfg2 +in general. + ``pubkey.xml`` ~~~~~~~~~~~~~~~ @@ -579,9 +582,6 @@ influenced by several options in the ``[sshkeys]`` section of | | It is best to pick a category that all clients have a | | | | | group from. | | | +----------------+---------------------------------------------------------+-----------------------+------------+ -| ``decrypt`` | If decrypt is set to ``lax``, then a key that cannot be | ``strict`` or ``lax`` | ``strict`` | -| | decrypted will produce a warning instead of an error. | | | -+----------------+---------------------------------------------------------+-----------------------+------------+ Deltas ====== |