Introducing cf-secret - Secret encryption in CFEngine

May 30, 2020

Contributor and CFEngine Champion Jon Henrik Bjørnstad developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code and made many improvements and fixes. The most notable changes were:

  • Switched to hybrid encryption: the payload is encrypted with a randomly generated AES key, and that AES key is encrypted with the recipient's RSA host key.
  • Added a file format with HTTP-like headers for metadata.
  • Files can be encrypted for multiple hosts (host keys).
  • Renamed the tool to cf-secret.

cf-secret is now merged and will be part of the upcoming 3.16 release.

Encrypting a file

Use the encrypt command to encrypt a file:

$ echo "Hello, secret!" > message
$ cf-secret encrypt -H -o message.secret message

You can also specify a comma-separated list of IPs, host names, or host keys to the -H option to encrypt for multiple hosts. cf-secret uses the local cf_lastseen.lmdb database to find the corresponding host key for a given IP or host name, and then loads the RSA public key for that host from the ppkeys directory.

Showing cf-secret metadata

The print-headers command can be used to show metadata about an encrypted file:

$ cf-secret print-headers message.secret
Version: 1.0
Encrypted-for: SHA=08582c4100dfda8db6a4bd7e28d1de4bdac0f5303dc192b51e672c06f4ea2fb1

Decrypting files

Finally, the decrypt command can restore the original message:

$ cf-secret decrypt message.secret -o message.decrypted
$ cat message.decrypted
Hello, secret!

(This must be run on the host that the file was encrypted for.)
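To make the hybrid scheme, the header layout and the "right host only" rule concrete, here is an added Go sketch; it is not cf-secret's code. The Key: header, the RSA-OAEP and AES-256-GCM choices, and hashing the RSA modulus for the SHA= label are assumptions, not the actual cf-secret file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// hostID builds a "SHA=..." label like print-headers shows; hashing the RSA modulus is an assumption, not cf-secret's digest.
func hostID(pub *rsa.PublicKey) string { s := sha256.Sum256(pub.N.Bytes()); return "SHA=" + hex.EncodeToString(s[:]) }
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// Encrypt: one random AES-256-GCM key protects the payload; that key is wrapped with
// RSA-OAEP once per recipient host, so a single file can be decrypted by several hosts.
func Encrypt(plain []byte, hosts []*rsa.PublicKey) (string, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(key); err != nil { return "", err }
	if _, err := rand.Read(nonce); err != nil { return "", err }
	var out strings.Builder
	out.WriteString("Version: 1.0\n")
	for _, h := range hosts {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, h, key, nil)
		if err != nil { return "", err }
		out.WriteString("Encrypted-for: " + hostID(h) + "\nKey: " + hex.EncodeToString(wrapped) + "\n")
	}
	out.WriteString("\n") // blank line terminates the HTTP-like header block
	out.Write(nonce)
	out.Write(aead(key).Seal(nil, nonce, plain, nil))
	return out.String(), nil
}

// Decrypt finds the header pair for priv's host, unwraps the AES key and opens the
// payload; any other host, or a malformed file, gets an error rather than plaintext.
func Decrypt(file string, priv *rsa.PrivateKey) ([]byte, error) {
	hdr, body, ok := strings.Cut(file, "\n\n")
	if !ok || len(body) < 12 { return nil, errors.New("malformed cf-secret style file") }
	me, lines := hostID(&priv.PublicKey), strings.Split(hdr, "\n")
	for i := 0; i+1 < len(lines); i++ {
		if lines[i] != "Encrypted-for: "+me { continue }
		wrapped, err := hex.DecodeString(strings.TrimPrefix(lines[i+1], "Key: "))
		if err != nil { return nil, err }
		key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
		if err != nil { return nil, err }
		return aead(key).Open(nil, []byte(body[:12]), []byte(body[12:]), nil)
	}
	return nil, errors.New("not encrypted for this host: " + me)
}
```

Because only the wrapped AES key is duplicated per recipient, encrypting for ten hosts costs ten short header pairs, not ten copies of the payload.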

If you have feature requests, ideas, or suggestions for how to expand secret management in CFEngine, feel free to contact us.