1 files changed, 67 insertions, 0 deletions

diff --git a/config/utils/README.eyaml.rst b/config/utils/README.eyaml.rst
new file mode 100644
index 00000000..083d5192
--- /dev/null
+++ b/config/utils/README.eyaml.rst
@@ -0,0 +1,67 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. SPDX-License-Identifier: CC-BY-4.0
+.. (c) 2017 OPNFV and others.
+
+Use eyaml to decrypt secret values
+==================================
+
+Prerequisites
+-------------
+
+#. Install eyaml and create keys (All of this should be done on the slave server)
+
+    .. code-block:: bash
+
+        $ sudo yum install ruby-gems || sudo apt-get install ruby
+        $ sudo gem install hiera-eyaml
+        $ eyaml createkeys
+
+#. Move keys to /etc/eyaml_keys
+
+    .. code-block:: bash
+
+        $ sudo mkdir -p /etc/eyaml_keys/
+        $ sudo mv ./keys/* /etc/eyaml_keys/
+
+#. Set up eyaml config.yaml
+
+    .. code-block:: bash
+
+        $ mkdir ~/.eyaml/
+        $ cp config.yaml.example ~/.eyaml/config.yaml
+
+Encryption
+----------
+
+#. Copy a PDF (yaml) to current directory (or edit the PDF in-place)
+
+NOTE: There is a sample encrypted PDF located at `../pdf/pod1.encrypted.yaml`.
+Data in that file is only an example and can't be decrypted without the PEM,
+which is not provided.
+
+    .. code-block:: bash
+
+        $ cp ~/foo/securedlab/labs/lf/pod2.yaml .
+
+#. Create some encrypted values
+
+    .. code-block:: bash
+
+        $ eyaml encrypt -s 'opnfv'
+
+#. Replace values to be encrypted
+
+    .. code-block:: yaml
+
+        type: ipmi
+        versions:
+          - 2.0
+        user: ENC[PKCS7 ...]
+        pass: ENC[PKCS7 ...]
+
+Decryption
+----------
+
+    .. code-block:: bash
+
+        $ ./generate_config.py -y pod2.yaml -j ../installers/apex/pod_config.yaml.j2