Introducing cf-secret – Secret encryption in CFEngine

Posted by:

30 May 2020

Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project.

Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code, and made many improvements and fixes. The most notable changes were:

  • Switched to hybrid encryption (payload is encrypted with randomly generated AES key, AES key is encrypted with RSA key).
  • Added file format, with HTTP-like headers for metadata
  • Files can be encrypted for multiple hosts (host keys)
  • Name changed to cf-secret

cf-secret is now merged and will be a part of the upcoming 3.16 release.

Encrypting a file

Use the encrypt command to encrypt a file:

$ echo "Hello, secret!" > message
$ cf-secret encrypt -H -o message.secret message

You can also specify a comma separated list of IPs, host names, or host keys to the -H option to encrypt for multiple hosts. cf-secret uses the local cf_lastseen.lmdb database to find the corresponding host key for a given IP or host name, and then loads the RSA public key for that host from the ppkeys directory.

Showing cf-secret metadata

The print-headers command can be used to show metadata about an encrypted file:

$ cf-secret print-headers message.secret
Version: 1.0
Encrypted-for: SHA=08582c4100dfda8db6a4bd7e28d1de4bdac0f5303dc192b51e672c06f4ea2fb1

Decrypting files

Finally, the decrypt command can restore the original message:

$ cf-secret decrypt message.secret -o message.decrypted
$ cat message.decrypted
Hello, secret!

(Must be run on the host that the file was encrypted for).


Watch the video below to see cf-secret in action:



If you have any features, ideas, or suggestions for how to expand secret management in CFEngine, feel free to contact us through one of these channels:

Ole Herman Elgesem

CFEngine Product Manager