Introducing cf-secret – Secret encryption in CFEngine
Posted by: Ole Herman Elgesem
Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project.
Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code, and made many improvements and fixes. The most notable changes were:
- Switched to hybrid encryption (the payload is encrypted with a randomly generated AES key, and that AES key is encrypted with the RSA host key).
- Added a file format, with HTTP-like headers for metadata.
- Files can be encrypted for multiple hosts (host keys).
- Name changed to cf-secret.
cf-secret is now merged and will be a part of the upcoming 3.16 release.
Encrypting a file
Use the encrypt command to encrypt a file:
```
$ echo "Hello, secret!" > message
$ cf-secret encrypt -H 172.31.38.30 -o message.secret message
```
You can also specify a comma separated list of IPs, host names, or host keys to the -H option to encrypt for multiple hosts.
cf-secret uses the local cf_lastseen.lmdb database to find the corresponding host key for a given IP or host name, and then loads the RSA public key for that host from the
Showing cf-secret metadata
The print-headers command can be used to show metadata about an encrypted file:
```
$ cf-secret print-headers message.secret
Version: 1.0
Encrypted-for: SHA=08582c4100dfda8db6a4bd7e28d1de4bdac0f5303dc192b51e672c06f4ea2fb1
```
The decrypt command can restore the original message:
```
$ cf-secret decrypt message.secret -o message.decrypted
$ cat message.decrypted
Hello, secret!
```
(This must be run on the host that the file was encrypted for.)
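To make the hybrid scheme and header-based file format from the change list concrete, here is an added Go example that mirrors the encrypt / print-headers / decrypt flow shown above. It is not cf-secret's own code (cf-secret is C inside CFEngine) and it uses only the Go standard library. The container layout, the `Key-<fingerprint>` header, the OAEP label, AES-256-GCM as the payload cipher and SHA-256 over the DER public key as the `SHA=` fingerprint are all assumptions of this example; the page does not describe cf-secret's real on-disk format, cipher choices or fingerprint derivation. Recipient keys are generated in-process instead of being looked up through cf_lastseen.lmdb.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Container layout (an assumption modelled on the description above, not cf-secret's real format):
//   Version: 1.0
//   Encrypted-for: SHA=<fp1>,SHA=<fp2>
//   Key-<fp>: <base64 RSA-OAEP-wrapped AES key>   (one line per recipient)
//   <blank line>
//   <base64 of nonce || AES-256-GCM ciphertext>
const oaepLabel = "cf-secret-example" // constructed OAEP label, bound into every key wrap

// Fingerprint identifies a host key by the SHA-256 of its DER-encoded public key (assumed scheme).
func Fingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil { panic(err) }
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals payload with one random AES-256 key and wraps that key once per recipient.
func Encrypt(payload []byte, recipients []*rsa.PublicKey) ([]byte, error) {
	if len(recipients) == 0 { return nil, errors.New("no recipients given") }
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil { return nil, err }
	gcm, err := newGCM(aesKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	sealed := gcm.Seal(nonce, nonce, payload, nil) // nonce prefix, then ciphertext+tag
	var fps, keyLines []string
	for _, pub := range recipients {
		fp := Fingerprint(pub)
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, []byte(oaepLabel))
		if err != nil { return nil, err }
		fps = append(fps, "SHA="+fp)
		keyLines = append(keyLines, "Key-"+fp+": "+base64.StdEncoding.EncodeToString(wrapped))
	}
	out := "Version: 1.0\nEncrypted-for: " + strings.Join(fps, ",") + "\n" +
		strings.Join(keyLines, "\n") + "\n\n" + base64.StdEncoding.EncodeToString(sealed)
	return []byte(out), nil
}

// Headers parses only the header block, as a print-headers command would, and returns the body.
func Headers(container []byte) (map[string]string, string, error) {
	head, body, ok := strings.Cut(string(container), "\n\n")
	if !ok { return nil, "", errors.New("malformed container: missing blank line after headers") }
	hdrs := map[string]string{}
	for _, line := range strings.Split(head, "\n") {
		k, v, ok := strings.Cut(line, ": ")
		if !ok { return nil, "", fmt.Errorf("malformed header line %q", line) }
		hdrs[k] = v
	}
	if hdrs["Version"] != "1.0" { return nil, "", fmt.Errorf("unsupported Version %q", hdrs["Version"]) }
	return hdrs, body, nil
}

// Decrypt recovers the payload when priv matches a recipient; any other key is refused before any RSA work.
func Decrypt(container []byte, priv *rsa.PrivateKey) ([]byte, error) {
	hdrs, body, err := Headers(container)
	if err != nil { return nil, err }
	fp := Fingerprint(&priv.PublicKey)
	wrappedB64, ok := hdrs["Key-"+fp]
	if !ok { return nil, fmt.Errorf("file is not encrypted for host key SHA=%s", fp) }
	wrapped, err := base64.StdEncoding.DecodeString(wrappedB64)
	if err != nil { return nil, err }
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(oaepLabel))
	if err != nil { return nil, err }
	sealed, err := base64.StdEncoding.DecodeString(body)
	if err != nil { return nil, err }
	gcm, err := newGCM(aesKey)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	host, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for a CFEngine host key
	c, _ := Encrypt([]byte("Hello, secret!\n"), []*rsa.PublicKey{&host.PublicKey})
	msg, err := Decrypt(c, host)
	fmt.Printf("%s%v\n", msg, err)
}
```

The point to notice is that a file encrypted for two hosts carries two wrapped copies of the same AES key, so the payload is encrypted once however many recipients there are, and a host whose fingerprint has no matching Key- header is refused before any RSA decryption is attempted. AES-GCM also authenticates the ciphertext, so a modified body fails to decrypt instead of yielding garbage.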
Watch the video below to see cf-secret in action:
If you have any features, ideas, or suggestions for how to expand secret management in CFEngine, feel free to contact us through one of these channels: