summaryrefslogtreecommitdiffstats
path: root/tools/manpagegen/bcfg2-crypt.8.ronn
blob: 64077ec3b06f766f28b47b92f9211a4a03496871 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
bcfg2-crypt(8) -- Bcfg2 encryption and decryption utility
=========================================================

## SYNOPSIS

`bcfg2-crypt` [<-C configfile>] [--decrypt|--encrypt] [--cfg|--properties] [--stdout] [--remove] [--xpath <xpath>] [-p <passphrase-or-name>] [-v] [-I] <filename> [<filename>...]

## DESCRIPTION

`bcfg2-crypt` performs encryption and decryption of Cfg and Properties
files.  It's often sufficient to run `bcfg2-crypt` with only the name
of the file you wish to encrypt or decrypt; it can usually figure out
what to do.

## OPTIONS

  * `-C` <configfile>:
    Specify alternate bcfg2.conf location

  * `--decrypt`, `--encrypt`:
    Specify which operation you'd like to perform.  `bcfg2-crypt` can
    usually determine which is necessary based on the contents of each
    file.

  * `--cfg`:
    Tell `bcfg2-crypt` that an XML file should be encrypted in its
    entirety rather than element-by-element.  This is only necessary
    if the file is an XML file whose name ends with `.xml` and whose
    top-level tag is `<Properties>`.  See [MODES] below for details.

  * `--properties`:
    Tell `bcfg2-crypt` to process a file as an XML Properties file,
    and encrypt the text of each element separately.  This is
    necessary if, for example, you've used a different top-level tag
    than `<Properties>` in your Properties files.  See [MODES] below
    for details.

  * `--stdout`:
    Print the resulting file to stdout instead of writing it to a
    file.

  * `--remove`:
    Remove the plaintext file after it has been encrypted.  Only
    meaningful for Cfg files.

  * `--xpath <xpath>`:
    Encrypt the character content of all elements that match the
    specified XPath expression.  The default is `*[@encrypted]`
    or `*`; see [MODES] below for more details. Only meaningful for
    Properties files.

  * `-p <passphrase>`:
    Specify the name of a passphrase specified in the `[encryption]`
    section of `bcfg2.conf`.  See [SELECTING PASSPHRASE] below for
    more details.

  * `-v`:
    Be verbose.

  * `-I`:
    When encrypting a Properties file, interactively select the
    elements whose data should be encrypted.

  * `-h`:
    Display help and exit.

## MODES

`bcfg2-crypt` can encrypt Cfg files or Properties files; they are
handled very differently.

  * Cfg:
    When `bcfg2-crypt` is used on a Cfg file, the entire file is
    encrypted.  This is the default behavior on files that are not
    XML, or that are XML but whose top-level tag is not
    `<Properties>`.  This can be enforced by use of the `--cfg`
    option.

  * Properties:
    When `bcfg2-crypt` is used on a Properties file, it encrypts the
    character content of elements matching the XPath expression given
    by `--xpath`.  By default the expression is `*[@encrypted]`, which
    matches all elements with an `encrypted` attribute.  If you are
    encrypting a file and that expression doesn't match any elements,
    then the default is `*`, which matches everything.  When
    `bcfg2-crypt` encrypts the character content of an element, it
    also adds the `encrypted` attribute, set to the name of the
    passphrase used to encrypt that element.  When it decrypts an
    element it does not remove `encrypted`, though; this lets you
    easily and efficiently run `bcfg2-crypt` against a single
    Properties file to encrypt and decrypt it without needing to
    specify a long list of options.  See the online Bcfg2 docs on
    Properties files for more information on how this works.

## SELECTING PASSPHRASE

The passphrase used to encrypt or decrypt a file is discovered in the
following order:

  * First, the passphrase given on the command line using `-p` is
    used.

  * Next, if exactly one passphrase is specified in `bcfg2.conf`, it
    will be used.

  * Next, if operating in Properties mode, `bcfg2-crypt` will attempt
    to read the name of the passphrase from the encrypted elements.

  * Next, if decrypting, all passphrases will be tried sequentially.

  * If no passphrase has been determined at this point, an error is
    produced and the file being encrypted or decrypted is skipped.

## SEE ALSO

bcfg2-server(8)