cf-secret encrypts and decrypts files using CFEngine keys.

Files can be encrypted for one or more public keys. A matching private key is required for decryption.

Command reference

  --help        , -h       - Print the help message
  --manpage     , -M       - Print the man page
  --debug       , -d       - Enable debugging output
  --verbose     , -v       - Enable verbose output
  --log-level   , -g value - Specify how detailed logs should be. Possible values: 'error', 'warning', 'notice', 'info', 'verbose', 'debug'
  --inform      , -I       - Enable basic information output
  --key         , -k value - Comma-separated list of key files to use (one of -k/-H options is required for encryption)
  --host        , -H value - Comma-separated list of hosts to encrypt/decrypt for (defaults to 'localhost' for decryption)
  --output      , -o value - Output file (required)

Example encrypting and decrypting data

First, let's create a file that contains some content we want to encrypt.

> $ cf-secret --help > /tmp/

Next, encrypt the file for the public key used by the host. Run the following command:

> $ sudo cf-secret encrypt /tmp/ \
                   --output /tmp/ \
                   --key /var/cfengine/ppkeys/

Then, inspect the file. Note that it starts with a plain-text header whose Encrypted-for line carries the digest of the public key the file was encrypted for; the remainder of the file is the ciphertext.

> $ sudo cat /tmp/
Version: 1.0
Encrypted-for: SHA=0df59dfd5516a0a66aad933871036fa0ad909d251da682a41775d60db092f154

��?$䝒0 ��5w��x�y:�!�HQi.��W@�(�%�.M�▒
       $=��h��N��$����84t/����� ��      �vbb��ao��۠�'N�F줛ey,3��]��y�-n`�H��GϦٕ�LI��N�zH�拥��'1_�D��
s��3cۈ�jG+��4��H��<▒���9�}��9���!��.�Ai#=�����n����?�����C��?4�I"����R�V7"g��▒_����3��UqE��n▒�����h.��e'���D^CX��)S}����O���"���s�'�[ͽ 7�y��$,��5�!�S=0�<�N���8@K�����nK��ص-BJ2 n[�▒vS��(Y�2M�����|�a 7!�3P0��y9~N9�YLg���l�'d���vĖ�QsB��/�$
                                 ԩ�m����y�`�Q���F�gHO▒����,�u���:�m���$ ����H������v�4��Ͳ��6���u���7%(S�饓���@kb�ӯ�:.▒����Xʐ�d-�2�6s�&$�2t����t�M��Y��Q���*9
h1�qj<2W8O��:�T��7غ�ԥ�GN0�o�p&A=���[<����E��k����A�z]r����v�6ţ9�LH�x�&Z�֙ǖ� s@▒h!
�!Փ��?�4���85��AL��>[��/�y=�!��󺾇Hv�m������z�_��N;��W�����       ��#�i�&�G��̌���K��Z�u�

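The header shown above can be read without decrypting anything, which is useful for checking which key a file was encrypted for before a decryption attempt fails or an operator copies the wrong private key around. The following Python parser is an added example, not cf-secret's own code. It assumes the header layout seen above (a Version line, one Encrypted-for: SHA=<hex> line per recipient key, an empty line, then ciphertext) and generalizes it to several recipients; that multi-recipient layout, and the 64-hex-digit digest length, are assumptions drawn from the single example on this page and from the statement that a file can be encrypted for more than one public key.

```python
"""Parse the clear-text header of a cf-secret encrypted file.

Added example, not CFEngine's code.  Assumed layout (from the example above):
a 'Version:' line, one 'Encrypted-for: SHA=<hex>' line per recipient key,
an empty line, then binary ciphertext.
"""
import re
from dataclasses import dataclass

# SHA-256 hex digest as shown in the example header (assumed fixed length).
DIGEST_RE = re.compile(r"^SHA=([0-9a-f]{64})$")


@dataclass
class CfSecretFile:
    version: str
    recipients: list        # key digests, as 'SHA=<hex>' strings
    ciphertext: bytes


def parse_cf_secret(data: bytes) -> CfSecretFile:
    """Split a cf-secret file into its parsed header and raw ciphertext."""
    # The header ends at the first empty line; everything after it is ciphertext,
    # so a later "\n\n" inside the ciphertext is never reached.
    sep = data.find(b"\n\n")
    if sep < 0:
        raise ValueError("no header terminator (empty line) found")
    header, ciphertext = data[:sep], data[sep + 2:]

    version = None
    recipients = []
    for raw in header.split(b"\n"):
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("non-ASCII byte in header") from None
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "Version":
            if version is not None:
                raise ValueError("duplicate Version line")
            version = value
        elif name == "Encrypted-for":
            if not DIGEST_RE.match(value):
                raise ValueError(f"malformed key digest: {value!r}")
            recipients.append(value)
        else:
            raise ValueError(f"unexpected header line: {line!r}")

    if version != "1.0":
        raise ValueError(f"unsupported format version: {version!r}")
    if not recipients:
        raise ValueError("no Encrypted-for line: no key can decrypt this file")
    return CfSecretFile(version, recipients, ciphertext)


def can_decrypt_with(parsed: CfSecretFile, key_digest: str) -> bool:
    """True if key_digest (the 'SHA=...' digest of a host's key) is a recipient."""
    return key_digest in parsed.recipients


# Constructed sample: the header from the example above followed by made-up
# ciphertext bytes (not real cf-secret output).
SAMPLE = (
    b"Version: 1.0\n"
    b"Encrypted-for: SHA=0df59dfd5516a0a66aad933871036fa0ad909d251da682a41775d60db092f154\n"
    b"\n"
    + bytes(range(256))
)

if __name__ == "__main__":
    parsed = parse_cf_secret(SAMPLE)
    print("format version:", parsed.version)
    for digest in parsed.recipients:
        print("encrypted for:", digest)
    print("ciphertext bytes:", len(parsed.ciphertext))
```

Run it against a real file with `parse_cf_secret(open(path, "rb").read())`; a ValueError means the file is not something this tool version would be expected to decrypt, and `can_decrypt_with` lets a policy or script confirm the local key is a recipient before invoking cf-secret.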
Finally, decrypt the file.

> $ sudo cf-secret decrypt /tmp/ \
                   --key /var/cfengine/ppkeys/localhost.priv \
                   --output /tmp/

> $ sudo diff /tmp/ /tmp/ && echo "No difference" || echo "Difference detected"

No difference

Example leveraging cf-secret from policy


bundle agent main
{
  vars:
      "private_key"
        comment => "The decryption key",
        string => "$(this.promise_filename).priv";

      "encrypted_file" string => "$(this.promise_filename).cfcrypt";

      "secret"
        comment => "We decrypt the encrypted file directly into a variable.",
        string => execresult("$(sys.cf_secret) -d $(private_key) -i $(encrypted_file) -o -", noshell);

  reports:
      "Encrypted file content:"
        printfile => cat( $(encrypted_file) );

      "Decrypted content:$(const.n)$(secret)";
}

body printfile cat(file)
{
        file_to_print => "$(file)";
        number_of_lines => "inf";
}

This policy can be found in /var/cfengine/share/doc/examples/ and downloaded directly from github. Note that it invokes cf-secret with -d and -i flags rather than the decrypt subcommand and --key/--output options listed in the command reference above; check cf-secret --help on the installed version before relying on either form.

Example Output:

R: Encrypted file content:
R: Version: 1.0
R: ���V�cv�#�P��, ��-O�8旼[i����p򢢦�Q�
R: Φ&l�x'�#j���qQ����[�F�1����v�Q��ˮ�J'�թ�|^HG%)�`&�����~k�$wd]"�%4X\(Q�~�O����s�A~���/��:�" gi�Rn&ٍ�E^���߬3��M�ə�%2s�SB��b3���K4wm����o�B�:P��O�#��1�t8��`�@��j/��+����j��g஡����Z�D�iJ��͞j��8ĉ�ag�9vz?+�暢��So��.Org]�"+�S����_HѢ=_O%
R: Decrypted content:
Super secret message is here

  • Introduced in 3.16.0, 3.15.3