1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
.. vim: ft=rst
bcfg2-crypt
===========
.. program:: bcfg2-crypt
Synopsis
--------
**bcfg2-crypt** [-C *configfile*] [--decrypt|--encrypt]
[--cfg|--properties] [--stdout] [--remove] [--xpath *xpath*]
[-p *passphrase-or-name*] [-v] [-I] *filename* [*filename*...]
Description
-----------
:program:`bcfg2-crypt` performs encryption and decryption of Cfg and
Properties files. It's often sufficient to run :program:`bcfg2-crypt`
with only the name of the file you wish to encrypt or decrypt; it can
usually figure out what to do.
Options
-------
-C *configfile*
Specify alternate bcfg2.conf location.
--decrypt, --encrypt
Specify which operation you'd like to perform.
:program:`bcfg2-crypt` can usually determine which is necessary
based on the contents of each file.
--cfg
Tell :program:`bcfg2-crypt` that an XML file should be encrypted in
its entirety rather than element-by-element. This is only necessary
if the file is an XML file whose name ends with *.xml* and whose
top-level tag is *<Properties>*. See [MODES] below for details.
--properties
Tell :program:`bcfg2-crypt` to process a file as an XML Properties
file, and encrypt the text of each element separately. This is
necessary if, for example, you've used a different top-level tag
than *Properties* in your Properties files. See [MODES] below for
details.
--stdout
Print the resulting file to stdout instead of writing it to a file.
--remove
Remove the plaintext file after it has been encrypted. Only
meaningful for Cfg files.
--xpath *xpath*
Encrypt the character content of all elements that match the
specified XPath expression. The default is *\*[@encrypted]* or
*\**; see [MODES] below for more details. Only meaningful for
Properties files.
-p *passphrase*
Specify the name of a passphrase specified in the *[encryption]*
section of *bcfg2.conf*. See [SELECTING PASSPHRASE] below for more
details.
-v
Be verbose.
-I
When encrypting a Properties file, interactively select the elements
whose data should be encrypted.
-h
Display help and exit.
Modes
-----
:program:`bcfg2-crypt` can encrypt Cfg files or Properties files; they
are handled very differently.
Cfg
When :program:`bcfg2-crypt` is used on a Cfg file, the entire file
is encrypted. This is the default behavior on files that are not
XML, or that are XML but whose top-level tag is not *<Properties>*.
This can be enforced by use of the *--cfg* option.
Properties
When :program:`bcfg2-crypt` is used on a Properties file, it
encrypts the character content of elements matching the XPath
expression given by *--xpath*. By default the expression is
*\*[@encrypted]*, which matches all elements with an *encrypted*
attribute. If you are encrypting a file and that expression doesn't
match any elements, then the default is *\**, which matches
everything. When :program:`bcfg2-crypt` encrypts the character
content of an element, it also adds the *encrypted* attribute, set
to the name of the passphrase used to encrypt that element. When it
decrypts an element it does not remove *encrypted*, though; this
lets you easily and efficiently run :program:`bcfg2-crypt` against a
single Properties file to encrypt and decrypt it without needing to
specify a long list of options. See the online Bcfg2 docs on
Properties files for more information on how this works.
Selecting passphrase
--------------------
The passphrase used to encrypt or decrypt a file is discovered in the
following order.
#. The passphrase given on the command line using *-p* is used.
#. If exactly one passphrase is specified in *bcfg2.conf*, it will be
used.
#. If operating in Properties mode, *bcfg2.conf* will attempt to read
the name of the passphrase from the encrypted elements.
#. If decrypting, all passphrases will be tried sequentially.
#. If no passphrase has been determined at this point, an error is
produced and the file being encrypted or decrypted is skipped.
See Also
--------
:manpage:`bcfg2-server(8)`
|
