From d221337beaaafd7ce71717da64e4c9d91babd712 Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Tue, 15 May 2012 13:24:58 -0400 Subject: Added ability to store Cfg files with AES encryption --- doc/server/plugins/generators/cfg.txt | 75 +++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) (limited to 'doc') diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt index 031c9e3fc..54dbe3a39 100644 --- a/doc/server/plugins/generators/cfg.txt +++ b/doc/server/plugins/generators/cfg.txt 
@@ -139,6 +139,81 @@ using different host-specific or group-specific files. For example: Cfg/etc/fstab/fstab.H_host.example.com.genshi Cfg/etc/fstab/fstab.G50_server.cheetah +Encrypted Files +=============== + +.. versionadded:: 1.3.0 + +Bcfg2 allows you to encrypt files stored in ``Cfg/`` to protect the +data in them from other people who need access to the repository. + +.. note:: + + This feature is *not* intended to secure the files against a + malicious attacker who has gained access to your Bcfg2 server, as + the encryption passphrases are held in plaintext in + ``bcfg2.conf``. This is only intended to make it easier to use a + single Bcfg2 repository with multiple admins who should not + necessarily have access to each other's sensitive data. + +Encrypting Files +---------------- + +An encrypted file should end with ``.crypt``, e.g.:: + + Cfg/etc/foo.conf + Cfg/etc/foo.conf/foo.conf.crypt + +To encrypt a file, you can run:: + + openssl enc -aes-256-cbc -k -in foo.conf -out foo.conf.crypt -a + +Once you are satisfied that the file has been encrypted as you wish, +you can remove the plaintext version. + +To decrypt a file, you can run:: + + + +.. note:: + + It is not currently possible to encrypt Genshi or Cheetah + templates. + +Configuring Encryption +---------------------- + +To configure encryption, add a ``[cfg:encryption]`` section to +``bcfg2.conf`` with any number of name-passphrase pairs. When +decrypting a file, _all_ passphrases will be tried; the passphrase +name is currently purely cosmetic, but at some point in the future the +ability to give Bcfg2 a "hint" about which passphrase to use will be +added. + +For instance:: + + [cfg:encryption] + foo_team=P4ssphr4se + bar_team=Pa55phra5e + +This would define two separate encryption passphrases, presumably for +use by two separate teams. The passphrase names are completely +arbitrary. + +Note that this does entail a chicken-and-egg problem. 
In order for +the Bcfg2 server to be able to decrypt encrypted files, the +passphrases must exist in ``bcfg2.conf`` in plaintext; but, if you're +encrypting data, presumably you don't want to include those plaintext +passphrases in your Bcfg2 repository, so you'll want to encrypt +``bcfg2.conf``. The best way to solve this is: + +#. On your Bcfg2 server, manually add the ``[cfg:encryption]`` section + to ``bcfg2.conf`` and restart the Bcfg2 server. +#. Update ``bcfg2.conf`` in your Bcfg2 repository with the + passphrases, and encrypt it. + +The first (manual) step breaks the mutual dependency. + Deltas ====== -- cgit v1.2.3-1-g7c22
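Review bot: The commands in the "Encrypting Files" section are incomplete as shown here: the encrypt line reads "openssl enc -aes-256-cbc -k -in foo.conf -out foo.conf.crypt -a" with no value after -k, so run as written openssl would take "-in" as the passphrase, and "To decrypt a file, you can run::" is followed by an empty literal block. Please add an explicit passphrase placeholder after -k and fill in the matching decrypt command. Since -k puts the passphrase on the command line, where it ends up in shell history and the process list, consider documenting openssl's "-pass file:" or "-pass env:" forms instead. Also worth a sentence: because all passphrases are tried on decryption, the docs should tell admins the file must be encrypted with exactly one of the passphrases listed in ``[cfg:encryption]``. Style nit in "Configuring Encryption": "_all_" is not reST emphasis; use "*all*", as the earlier note does with "*not*".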