summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorChris St. Pierre <chris.a.st.pierre@gmail.com>2012-05-15 13:24:58 -0400
committerChris St. Pierre <chris.a.st.pierre@gmail.com>2012-05-15 13:24:58 -0400
commitd221337beaaafd7ce71717da64e4c9d91babd712 (patch)
treefb8cba5caf9e8e42f71c523707fffcf5cbcb22ff /doc
parent4df3945eeecb31e3234e894202868a373c95e3aa (diff)
downloadbcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.tar.gz
bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.tar.bz2
bcfg2-d221337beaaafd7ce71717da64e4c9d91babd712.zip
Added ability to store Cfg files with AES encryption
Diffstat (limited to 'doc')
-rw-r--r--doc/server/plugins/generators/cfg.txt75
1 files changed, 75 insertions, 0 deletions
diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt
index 031c9e3fc..54dbe3a39 100644
--- a/doc/server/plugins/generators/cfg.txt
+++ b/doc/server/plugins/generators/cfg.txt
@@ -139,6 +139,81 @@ using different host-specific or group-specific files. For example:
Cfg/etc/fstab/fstab.H_host.example.com.genshi
Cfg/etc/fstab/fstab.G50_server.cheetah
+Encrypted Files
+===============
+
+.. versionadded:: 1.3.0
+
+Bcfg2 allows you to encrypt files stored in ``Cfg/`` to protect the
+data in them from other people who need access to the repository.
+
+.. note::
+
+ This feature is *not* intended to secure the files against a
+ malicious attacker who has gained access to your Bcfg2 server, as
+ the encryption passphrases are held in plaintext in
+ ``bcfg2.conf``. This is only intended to make it easier to use a
+ single Bcfg2 repository with multiple admins who should not
+ necessarily have access to each other's sensitive data.
+
+Encrypting Files
+----------------
+
+An encrypted file should end with ``.crypt``, e.g.::
+
+ Cfg/etc/foo.conf
+ Cfg/etc/foo.conf/foo.conf.crypt
+
+To encrypt a file, you can run::
+
+ openssl enc -aes-256-cbc -k <passphrase> -in foo.conf -out foo.conf.crypt -a
+
+Once you are satisfied that the file has been encrypted as you wish,
+you can remove the plaintext version.
+
+To decrypt a file, you can run::
+
+
+
+.. note::
+
+ It is not currently possible to encrypt Genshi or Cheetah
+ templates.
+
+Configuring Encryption
+----------------------
+
+To configure encryption, add a ``[cfg:encryption]`` section to
+``bcfg2.conf`` with any number of name-passphrase pairs. When
+decrypting a file, _all_ passphrases will be tried; the passphrase
+name is currently purely cosmetic, but at some point in the future the
+ability to give Bcfg2 a "hint" about which passphrase to use will be
+added.
+
+For instance::
+
+ [cfg:encryption]
+ foo_team=P4ssphr4se
+ bar_team=Pa55phra5e
+
+This would define two separate encryption passphrases, presumably for
+use by two separate teams. The passphrase names are completely
+arbitrary.
+
+Note that this does entail a chicken-and-egg problem. In order for
+the Bcfg2 server to be able to decrypt encrypted files, the
+passphrases must exist in ``bcfg2.conf`` in plaintext; but, if you're
+encrypting data, presumably you don't want to include those plaintext
+passphrases in your Bcfg2 repository, so you'll want to encrypt
+``bcfg2.conf``. The best way to solve this is:
+
+#. On your Bcfg2 server, manually add the ``[cfg:encryption]`` section
+ to ``bcfg2.conf`` and restart the Bcfg2 server.
+#. Update ``bcfg2.conf`` in your Bcfg2 repository with the
+ passphrases, and encrypt it.
+
+The first (manual) step breaks the mutual dependency.
+
Deltas
======