.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. SPDX-License-Identifier: CC-BY-4.0
.. (c) 2017 OPNFV and others.

Use eyaml to decrypt secret values
==================================

Prerequisites
-------------

#. Install eyaml and create keys (All of this should be done on the slave server)

    .. code-block:: bash

        $ sudo yum install rubygems || sudo apt-get install ruby
        $ sudo gem install hiera-eyaml
        $ eyaml createkeys

#. Move keys to /etc/eyaml_keys

    .. code-block:: bash

        $ sudo mkdir -p /etc/eyaml_keys/
        $ sudo mv ./keys/* /etc/eyaml_keys/
        $ sudo rmdir ./keys

#. Set up eyaml config.yaml

    .. code-block:: bash

        $ mkdir ~/.eyaml/
        $ cp config.yaml.example ~/.eyaml/config.yaml

Encryption
----------

#. Copy a PDF (YAML) to the current directory (or edit the PDF in place)

    NOTE: There is a sample encrypted PDF located at `../pdf/pod1.encrypted.yaml`.
    Data in that file is only an example and can't be decrypted without the PEM,
    which is not provided.

    .. code-block:: bash

        $ cp ~/foo/securedlab/labs/lf/pod2.yaml .

#. Create some encrypted values

    .. code-block:: bash

        $ eyaml encrypt -s 'opnfv'

#. Replace values to be encrypted

    .. code-block:: yaml

        type: ipmi
        versions:
          - 2.0
        user: ENC[PKCS7 ...]
        pass: ENC[PKCS7 ...]

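
A check to run after the replacement step above and before committing the PDF, as an added example that is not part of the OPNFV tooling: it flags ``user``/``pass`` values that are not eyaml ciphertext. The function name, the key list and the sample PDF fragment are assumptions made for illustration; the scan is line-based and does not need a YAML library.

```python
import re

# "user" and "pass" come from the IPMI snippet above; extend for your own PDF (assumption).
SECRET_KEYS = ("user", "pass")

# hiera-eyaml ciphertext token: ENC[PKCS7,<base64>]
ENC_TOKEN = re.compile(r"^ENC\[PKCS7,[A-Za-z0-9+/=\s]+\]$")
KEY_LINE = re.compile(r"^(\s*)(?:-\s+)?([\w.-]+):\s*(.*)$")

def find_plaintext_secrets(text, secret_keys=SECRET_KEYS):
    """Return [(line_number, key)] for secret keys whose value is not eyaml ciphertext."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if not m or m.group(2) not in secret_keys:
            continue
        indent, value = len(m.group(1)), m.group(3).strip()
        if value in (">", "|", ">-", "|-"):
            # Block scalar: eyaml's block output puts the token on the indented lines below.
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            value = "".join(body)
        value = value.strip("'\"")
        if not ENC_TOKEN.match(value):
            findings.append((i + 1, m.group(2)))
    return findings

# Constructed sample PDF fragment; the base64 is a dummy, not real ciphertext.
SAMPLE = """\
nodes:
  - name: pod2-node1
    remote_management:
      user: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAx]
      pass: opnfv
  - name: pod2-node2
    remote_management:
      user: >
        ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCC
        AWYCAQAxggEhMIIBHQIBADAFMAACAQEw]
      pass: ''
"""

if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE):
        print(f"line {lineno}: '{key}' is not eyaml-encrypted")
```

An empty value is reported as well, since it is not ciphertext either.
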
Decryption
----------

.. code-block:: bash

    $ ./generate_config.py -y pod2.yaml -j ../installers/apex/pod_config.yaml.j2