1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
.. -*- mode: rst -*-
.. vim: ft=rst
bcfg2-crypt
===========
.. program:: bcfg2-crypt
Synopsis
--------
**bcfg2-crypt** [-C *configfile*] [--decrypt|--encrypt]
[--cfg|--properties] [--stdout] [--remove] [--xpath *xpath*]
[-p *passphrase-or-name*] [-v] [-I] *filename* [*filename*...]
Description
-----------
:program:`bcfg2-crypt` performs encryption and decryption of Cfg and
Properties files. It's often sufficient to run :program:`bcfg2-crypt`
with only the name of the file you wish to encrypt or decrypt; it can
usually figure out what to do.
Options
-------
-C configfile Specify alternate bcfg2.conf location.
--decrypt, --encrypt Select encryption or decryption mode for the
given file(s). This is usually unnecessary, as
:program:`bcfg2-crypt` can often determine which
is necessary based on the contents of each file.
--cfg An XML file should be encrypted in its entirety
rather than element-by-element. This is only
necessary if the file is an XML file whose name
ends with *.xml* and whose top-level tag is
*<Properties>*. See [MODES] below for details.
--properties Process a file as an XML Properties file, and
encrypt the text of each element
separately. This is necessary if, for example,
you've used a different top-level tag than
*Properties* in your Properties files. See
[MODES] below for details.
--stdout Print the resulting file to stdout instead of
writing it to a file.
--remove Remove the plaintext file after it has been
encrypted. Only meaningful for Cfg files.
--xpath xpath Encrypt the character content of all elements
that match the specified XPath expression. The
default is *\*[@encrypted]* or *\**; see [MODES]
below for more details. Only meaningful for
Properties files.
-p passphrase Specify the name of a passphrase specified in
the *[encryption]* section of *bcfg2.conf*. See
[SELECTING PASSPHRASE] below for more details.
-v Be verbose.
-I When encrypting a Properties file, interactively
select the elements whose data should be
encrypted.
-h Print usage information.
Modes
-----
:program:`bcfg2-crypt` can encrypt Cfg files or Properties files; they
are handled very differently.
Cfg
When :program:`bcfg2-crypt` is used on a Cfg file, the entire file
is encrypted. This is the default behavior on files that are not
XML, or that are XML but whose top-level tag is not *<Properties>*.
This can be enforced by use of the *--cfg* option.
Properties
When :program:`bcfg2-crypt` is used on a Properties file, it
encrypts the character content of elements matching the XPath
expression given by *--xpath*. By default the expression is
*\*[@encrypted]*, which matches all elements with an *encrypted*
attribute. If you are encrypting a file and that expression doesn't
match any elements, then the default is *\**, which matches
everything. When :program:`bcfg2-crypt` encrypts the character
content of an element, it also adds the *encrypted* attribute, set
to the name of the passphrase used to encrypt that element. When it
decrypts an element it does not remove *encrypted*, though; this
lets you easily and efficiently run :program:`bcfg2-crypt` against a
single Properties file to encrypt and decrypt it without needing to
specify a long list of options. See the online Bcfg2 docs on
Properties files for more information on how this works.
Selecting passphrase
--------------------
The passphrase used to encrypt or decrypt a file is discovered in the
following order.
#. The passphrase given on the command line using *-p* is used.
#. If exactly one passphrase is specified in *bcfg2.conf*, it will be
used.
#. If operating in Properties mode, *bcfg2.conf* will attempt to read
the name of the passphrase from the encrypted elements.
#. If decrypting, all passphrases will be tried sequentially.
#. If no passphrase has been determined at this point, an error is
produced and the file being encrypted or decrypted is skipped.
See Also
--------
:manpage:`bcfg2-server(8)`
|