cf-secret encrypts and decrypts files using CFEngine keys.

Files can be encrypted for one or more public keys. A matching private key is required for decryption.

Command reference

code
  --help        , -h       - Print the help message
  --manpage     , -M       - Print the man page
  --debug       , -d       - Enable debugging output
  --verbose     , -v       - Enable verbose output
  --log-level   , -g value - Specify how detailed logs should be. Possible values: 'error', 'warning', 'notice', 'info', 'verbose', 'debug'
  --inform      , -I       - Enable basic information output
  --key         , -k value - Comma-separated list of key files to use (one of -k/-H options is required for encryption)
  --host        , -H value - Comma-separated list of hosts to encrypt/decrypt for (defaults to 'localhost' for decryption)
  --output      , -o value - Output file (required)

Example encrypting and decrypting data

First, let's create a file that contains some content we want to encrypt.

code
> $ cf-secret --help > /tmp/cf-secret.help

Next, let's encrypt the file for the public key used by the host. Run the following command to encrypt the file.

code
> $ sudo cf-secret encrypt /tmp/cf-secret.help \
                   --output /tmp/cf-secret.help.cfsecret \
                   --key /var/cfengine/ppkeys/localhost.pub

Then, inspect file. Note the file contains a header that indicates the key digest identifying the public key for which the file was encrypted.

code
> $ sudo cat /tmp/cf-secret.help.cfsecret
Version: 1.0
Encrypted-for: SHA=0df59dfd5516a0a66aad933871036fa0ad909d251da682a41775d60db092f154

t"��1)Ȫ��w�+�bX<�-�Z)��W�}��AS
                              �#�,v�f�u��M�N���AV�xx��*^D����OJ�����Ϊ˶�NS�2���ߡ~Bh.▒^
��?$䝒0 ��5w��x�y:�!�HQi.��W@�(�%�.M�▒
       $=��h��N��$����84t/����� ��      �vbb��ao��۠�'N�F줛ey,3��]��y�-n`�H��GϦٕ�LI��N�zH�拥��'1_�D��
                                                                                                  :n/��I_��>�8U���V(�u[�_sJ-QHԀ�Ds���L��4!P��מ�~�`i�>F�~+�Q!�@��{U��T>{pTF7΄#�ȎZךfO���\�B��ݷ�L��d��*8��^��p_��֡
����}ڬ��2�5]?�e?�**▒�"�x����Ts�ԭ�`������eP����*_�
s��3cۈ�jG+��4��H��<▒���9�}��9���!��.�Ai#=�����n����?�����C��?4�I"����R�V7"g��▒_����3��UqE��n▒�����h.��e'���D^CX��)S}����O���"���s�'�[ͽ 7�y��$,��5�!�S=0�<�N���8@K�����nK��ص-BJ2 n[�▒vS��(Y�2M�����|�a 7!�3P0��y9~N9�YLg���l�'d���vĖ�QsB��/�$
��xDط���P��I&rB��"G
|E4}��+=�ښ���ς�m�E��86�E͏^�C��~�n֒���>԰x�Ca�pCE�鱋.▒v������
                                 ԩ�m����y�`�Q���F�gHO▒����,�u���:�m���$ ����H������v�4��Ͳ��6���u���7%(S�饓���@kb�ӯ�:.▒����Xʐ�d-�2�6s�&$�2t����t�M��Y��Q���*9
                                                       ��q�<
h1�qj<2W8O��:�T��7غ�ԥ�GN0�o�p&A=���[<����E��k����A�z]r����v�6ţ9�LH�x�&Z�֙ǖ� s@▒h!
�!Փ��?�4���85��AL��>[��/�y=�!��󺾇Hv�m������z�_��N;��W�����       ��#�i�&�G��̌���K��Z�u�
��L�+wb*�����rpN�B�%

Finally, decrypt the file.

code
> $ sudo cf-secret decrypt /tmp/cf-secret.help.cfsecret \
                   --key /var/cfengine/ppkeys/localhost.priv \
                   --output /tmp/cf-secret.help.decrypted

> $ sudo diff /tmp/cf-secret.help /tmp/cf-secret.help.decrypted && echo "No difference" || echo "Difference detected"

No difference

Example leveraging cf-secret from policy

Policy:

code
bundle agent main
{
  vars:

      "private_key"
        comment => "The decryption key",
        string => "$(this.promise_filename).priv";

      "encrypted_file" string => "$(this.promise_filename).cfcrypt";

      "secret"
        comment => "We decrypt the encrypted file directly into a variable.",
        string => execresult("$(sys.cf_secret) -d $(private_key) -i $(encrypted_file) -o -", noshell);

  reports:
      "Encrypted file content:"
        printfile => cat( $(encrypted_file) );

      "Decrypted content:$(const.n)$(secret)";
}

body printfile cat(file)
{
        file_to_print => "$(file)";
        number_of_lines => "inf";
}

This policy can be found in /var/cfengine/share/doc/examples/cf-secret.cf and downloaded directly from github.

Example Output:

code
R: Encrypted file content:
R: Version: 1.0
R: 
R: ���V�cv�#�P��, ��-O�8旼[i����p򢢦�Q�
R: Φ&l�x'�#j���qQ����[�F�1����v�Q��ˮ�J'�թ�|^HG%)�`&�����~k�$wd]"�%4X\(Q�~�O����s�A~���/��:�" gi�Rn&ٍ�E^���߬3��M�ə�%2s�SB��b3���K4wm����o�B�:P��O�#��1�t8��`�@��j/��+����j��g஡����Z�D�iJ��͞j��8ĉ�ag�9vz?+�暢��So��.Org]�"+�S����_HѢ=_O%
R: Decrypted content:
Super secret message is here

This policy can be found in /var/cfengine/share/doc/examples/cf-secret.cf and downloaded directly from github.

History:

  • Introduced in 3.16.0, 3.15.3