From ae58c24f72a8ed72327fbc3f7305bd69ec6a13db Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Thu, 17 Jan 2013 09:20:37 -0500 Subject: Made a few encryption things simpler: * Only one strict/lax setting, in [encryption], rather than separate settings in [properties] and [sshkeys] * No longer necessary to enable encryption on each Properties file --- doc/server/encryption.txt | 20 ++++++++++++++++++++ doc/server/plugins/connectors/properties.txt | 5 ++--- doc/server/plugins/generators/cfg.txt | 6 +++--- 3 files changed, 25 insertions(+), 6 deletions(-) (limited to 'doc') diff --git a/doc/server/encryption.txt b/doc/server/encryption.txt index bc18e140c..e84b9fb31 100644 --- a/doc/server/encryption.txt +++ b/doc/server/encryption.txt @@ -203,6 +203,26 @@ get a list of valid algorithms, you can run:: openssl list-cipher-algorithms | grep -v ' => ' | \ tr 'A-Z-' 'a-z_' | sort -u +Lax vs. Strict decryption +------------------------- + +By default, Bcfg2 expects to be able to decrypt every encrypted +datum. Depending on how encryption is implemented at your site, +though, that may not be possible. (For instance, if you use +encryption to protect data for your production environment from your +staging Bcfg2 server, then you would not expect the staging server to +be able to decrypt everything.) In this case, you want to enable lax +decryption in the ``[encryption]`` section of ``bcfg2.conf``: + + [encryption] + decrypt = lax + +This causes a failed decrypt to produce a warning only, not an error. + +This can be overridden by individual XML files by setting +``decrypt="strict"`` on the top-level tag (or, vice-versa; if strict +is the default an XML file can specify ``decrypt="lax"``. + Encryption API ============== diff --git a/doc/server/plugins/connectors/properties.txt b/doc/server/plugins/connectors/properties.txt index 1d276697a..da511736d 100644 --- a/doc/server/plugins/connectors/properties.txt +++ b/doc/server/plugins/connectors/properties.txt @@ -290,9 +290,8 @@ decrypted, parsing of the file is aborted. If you wish for parsing to continue, with unencryptable elements simply skipped, then you can set decryption to *lax* in one of two ways: -* Set ``decrypt=lax`` in the ``[properties]`` section of - ``bcfg2.conf`` to set lax decryption on all Properties files by - default; or +* Set ``decrypt=lax`` in the ``[encryption]`` section of + ``bcfg2.conf`` to set lax decryption on all files by default; or * Set the ``decrypt="lax"`` attribute on the top-level ``Properties`` tag of a Properties file to set lax decryption for a single file. diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt index dcaeef4f8..e843b1d2d 100644 --- a/doc/server/plugins/generators/cfg.txt +++ b/doc/server/plugins/generators/cfg.txt @@ -411,6 +411,9 @@ structured as follows: .. xml:element:: PrivateKey :linktotype: +See :ref:`server-encryption` for more details on encryption in Bcfg2 +in general. + ``pubkey.xml`` ~~~~~~~~~~~~~~~ @@ -579,9 +582,6 @@ influenced by several options in the ``[sshkeys]`` section of | | It is best to pick a category that all clients have a | | | | | group from. | | | +----------------+---------------------------------------------------------+-----------------------+------------+ -| ``decrypt`` | If decrypt is set to ``lax``, then a key that cannot be | ``strict`` or ``lax`` | ``strict`` | -| | decrypted will produce a warning instead of an error. | | | -+----------------+---------------------------------------------------------+-----------------------+------------+ Deltas ====== -- cgit v1.2.3-1-g7c22