Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code and made many improvements and fixes. The most notable changes were:
- Switched to hybrid encryption: the payload is encrypted with a randomly generated AES key, and that AES key is encrypted with the recipient host's RSA public key.
- Added a file format with HTTP-like headers for metadata.
- Files can be encrypted for multiple hosts (host keys), so one encrypted file can be decrypted by any of them.
- Renamed the tool to cf-secret.
cf-secret is now merged and will be part of the upcoming 3.16 release.
Encrypting a file
Use the encrypt command to encrypt a file:
$ echo "Hello, secret!" > message
$ cf-secret encrypt -H 172.31.38.30 -o message.secret message
You can also pass a comma-separated list of IPs, host names, or host keys to the -H option to encrypt for multiple hosts. For an IP or host name, cf-secret looks up the corresponding host key in the local cf_lastseen.lmdb database, and then loads that host's RSA public key from the ppkeys directory. This lookup only works for hosts already present in that database; specifying the host key directly avoids it.
Showing cf-secret metadata
The print-headers command can be used to show metadata about an
encrypted file:
$ cf-secret print-headers message.secret
Version: 1.0
Encrypted-for: SHA=08582c4100dfda8db6a4bd7e28d1de4bdac0f5303dc192b51e672c06f4ea2fb1
Decrypting files
Finally, the decrypt command can restore the original message:
$ cf-secret decrypt message.secret -o message.decrypted
$ cat message.decrypted
Hello, secret!
(This must be run on a host that the file was encrypted for, since only that host's private key can decrypt the AES key.)
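The following Go program is an added example, not cf-secret's own code or CFEngine's file format. It models the hybrid scheme from the change list and the encrypt / print-headers / decrypt steps above end to end: a random AES-256 key seals the payload with AES-GCM, that key is wrapped once per recipient host with RSA-OAEP, the metadata is written as HTTP-like headers, and decryption only succeeds with the private key of a listed host. Everything beyond that is an assumption made for illustration: the "SHA=<hex>" key ID is computed as SHA-256 over the PKCS#1 DER public key, the headers are bound to the ciphertext as GCM additional authenticated data, the header names mirror the print-headers output but the layout is this example's own, and the host keys are generated inline rather than loaded from ppkeys or cf_lastseen.lmdb.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// KeyID gives a CFEngine-style "SHA=<hex>" ID; assumed here to be SHA-256 over the PKCS#1 DER public key.
func KeyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return "SHA=" + hex.EncodeToString(sum[:])
}

// Encrypt is the hybrid scheme: a fresh random AES-256 key seals the payload with AES-GCM and is
// wrapped once per recipient with RSA-OAEP. Header names are this example's own, not cf-secret's.
func Encrypt(payload []byte, recipients []*rsa.PublicKey) ([]byte, error) {
	rnd := make([]byte, 32+12) // AES-256 data-encryption key, then a 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	dek, nonce := rnd[:32], rnd[32:]
	block, _ := aes.NewCipher(dek) // cannot fail: dek is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block)
	var hdr strings.Builder
	hdr.WriteString("Version: 1.0\n")
	for _, pub := range recipients {
		id := KeyID(pub) // also the OAEP label, binding each wrapped key to its recipient
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(id))
		if err != nil {
			return nil, err
		}
		fmt.Fprintf(&hdr, "Encrypted-for: %s\nKey: %s %s\n", id, id, base64.StdEncoding.EncodeToString(wrapped))
	}
	hdr.WriteString("\n") // blank line ends the headers, HTTP style
	// The headers are GCM additional data: editing the recipient list or version line breaks decryption.
	aad := []byte(hdr.String())
	ct := gcm.Seal(nil, nonce, payload, aad)
	return append(append(aad, nonce...), ct...), nil
}

// Headers returns the header lines (what print-headers shows) and the body after the blank line.
func Headers(blob []byte) ([]string, []byte, error) {
	sep := bytes.Index(blob, []byte("\n\n"))
	if sep < 0 {
		return nil, nil, fmt.Errorf("malformed file: no end of headers")
	}
	return strings.Split(string(blob[:sep]), "\n"), blob[sep+2:], nil
}

// Decrypt succeeds only with the private key of a host listed in Encrypted-for.
func Decrypt(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	lines, body, err := Headers(blob)
	if err != nil {
		return nil, err
	}
	id := KeyID(&priv.PublicKey)
	prefix, wrapped := "Key: "+id+" ", []byte(nil)
	for _, l := range lines {
		if strings.HasPrefix(l, prefix) {
			if wrapped, err = base64.StdEncoding.DecodeString(l[len(prefix):]); err != nil {
				return nil, err
			}
		}
	}
	if wrapped == nil {
		return nil, fmt.Errorf("file is not encrypted for host key %s", id)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(id))
	if err != nil || len(dek) != 32 {
		return nil, fmt.Errorf("cannot unwrap data-encryption key")
	}
	block, _ := aes.NewCipher(dek) // cannot fail: length checked above
	gcm, _ := cipher.NewGCM(block)
	ns := gcm.NonceSize()
	if len(body) < ns {
		return nil, fmt.Errorf("truncated body")
	}
	aad := blob[:len(blob)-len(body)] // headers plus the terminating blank line
	return gcm.Open(nil, body[:ns], body[ns:], aad)
}

func main() {
	a, _ := rsa.GenerateKey(rand.Reader, 2048)
	b, _ := rsa.GenerateKey(rand.Reader, 2048)
	blob, _ := Encrypt([]byte("Hello, secret!\n"), []*rsa.PublicKey{&a.PublicKey, &b.PublicKey})
	hdrs, _, _ := Headers(blob)
	pt, err := Decrypt(blob, b) // either listed host can decrypt
	fmt.Println(strings.Join(hdrs, "\n"), string(pt), err)
}
```

A host whose key is not listed fails before any unwrapping is attempted, which is the behaviour behind the "must be run on the host the file was encrypted for" note; because the headers are authenticated together with the payload, a file whose Encrypted-for list has been edited after the fact is rejected as well.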
Video
Watch the video below to see cf-secret in action:
Feedback
If you have feature requests, ideas, or suggestions for how to expand secret management in CFEngine, feel free to contact us through one of these channels: