Encrypted .cloginrc
matejv edited this page Jun 18, 2012 · 2 revisions
You can use GPG to encrypt your .cloginrc file. This is not a bulletproof solution for protecting device passwords, but it does avoid storing the passwords in plain text on disk.
You'll need to set up gpg-agent and preset the passphrase so that it is held in memory.
- Create a GPG key for your rancid user
```
# su - rancid
# gpg --gen-key
<answer questions from GPG>
```
- Encrypt your .cloginrc
```
# gpg -e -r <name of your gpg key> -o ~/.cloginrc.gpg ~/.cloginrc
```
- The ?login scripts only decrypt files ending in .gpg, so you need a plaintext .cloginrc that includes the encrypted file (careful, this will overwrite your existing .cloginrc!)
```
# echo "include {.cloginrc.gpg}" > ~/.cloginrc
```
- Set up gpg-agent to start each time a shell starts. Put this in the .bashrc of the rancid user:
```
# Reuse a running agent if its environment file is present
if [ -f "${HOME}/.gpg-agent-info" ]; then
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi
# Start a new agent only if none is reachable
gpg-agent 2>/dev/null
if [ $? -ne 0 ]; then
    gpg-agent --daemon --write-env-file ~/.gpg-agent-info --allow-preset-passphrase
    . "${HOME}/.gpg-agent-info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi
GPG_TTY=$(tty)
export GPG_TTY
```
- Log in to another session and verify that gpg-agent is running
```
# gpg-agent
gpg-agent: gpg-agent running and available
```
- Get the fingerprint of your GPG key
```
# gpg --fingerprint --fingerprint <name of your gpg key>
```
(yes, you need --fingerprint twice) Sample output:
```
pub   2048R/nnnnnnnn 2012-05-28
      Key fingerprint = AAAA AAAA BBBB BBBB CCCC  1111 1111 2222 2222 3333
uid                  Rancid User <rancid@localhost>
sub   2048R/nnnnnnnn 2012-05-28
      Key fingerprint = DDDD DDDD EEEE EEEE FFFF  4444 4444 5555 5555 6666
```
The fingerprint you need is the second one, under the sub-key (sub) line (DDDD DDDD ...).
- Use gpg-preset-passphrase to preset the passphrase in gpg-agent so that it never expires. Omit all spaces from the fingerprint shown in the previous step.
```
# /usr/libexec/gpg-preset-passphrase --preset DDDDDDDDEEEE...
<type your passphrase and press Enter>
```
- Test whether the GPG key passphrase is loaded
```
# gpg -o - ~/.cloginrc.gpg
```
This command should output the decrypted contents of .cloginrc.gpg without asking for the passphrase.
- Test whether rancid can use the encrypted .cloginrc
```
# rancid-run
```
Please note: you'll need to run the gpg-preset-passphrase command every time the machine reboots.
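As an added example (not part of this wiki page or of rancid itself), a small POSIX shell helper for the two places where this procedure tends to go wrong: picking the sub-key fingerprint and stripping its spaces for gpg-preset-passphrase, and confirming that the plaintext .cloginrc really only contains the include line. The 0600 check and the credential directive names it greps for are assumptions about what clogin expects, not something this page states.

```shell
#!/bin/sh
# Added helper, not part of the rancid wiki or the rancid project.
# Assumes the GnuPG 1.x/2.0 `gpg --fingerprint --fingerprint` layout shown above.

# Constructed sample of `gpg --fingerprint --fingerprint` output (same shape as the page's).
SAMPLE_FPR_OUTPUT='pub   2048R/nnnnnnnn 2012-05-28
      Key fingerprint = AAAA AAAA BBBB BBBB CCCC  1111 1111 2222 2222 3333
uid                  Rancid User <rancid@localhost>
sub   2048R/nnnnnnnn 2012-05-28
      Key fingerprint = DDDD DDDD EEEE EEEE FFFF  4444 4444 5555 5555 6666'

# Read gpg --fingerprint output on stdin and print the sub-key fingerprint
# (the "Key fingerprint =" line following "sub") with all spaces removed,
# which is the form gpg-preset-passphrase --preset expects.
subkey_fingerprint() {
    awk '
        /^sub/ { in_sub = 1; next }
        in_sub && /Key fingerprint =/ {
            sub(/.*Key fingerprint = */, "")
            gsub(/ /, "")
            print
            exit
        }'
}

# Verify that the plaintext .cloginrc only delegates to the encrypted file:
#   - mode 0600 (assumption: clogin refuses group/world-readable .cloginrc),
#   - an "include {...gpg}" line is present,
#   - no credential directives ("add password", "add user", ...) in the clear.
# Returns 0 if every check passes, 1 otherwise, naming each failure on stdout.
check_cloginrc() {
    f="$1"; rc=0
    [ -f "$f" ] || { printf '%s\n' "$f: missing"; return 1; }
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) printf '%s\n' "$f: must be mode 0600"; rc=1 ;;
    esac
    grep -Eq '^[[:space:]]*include[[:space:]]+\{[^}]*\.gpg\}' "$f" \
        || { printf '%s\n' "$f: no include {...gpg} line"; rc=1; }
    if grep -Eq '^[[:space:]]*add[[:space:]]+(password|user|userpassword|enablepassword)' "$f"; then
        printf '%s\n' "$f: plaintext credentials present"; rc=1
    fi
    return $rc
}

# Stand-alone demo: prints the fingerprint to pass to gpg-preset-passphrase.
printf '%s\n' "$SAMPLE_FPR_OUTPUT" | subkey_fingerprint
```

Run `check_cloginrc ~/.cloginrc` as the rancid user after step 3 to confirm nothing sensitive was left in the plaintext file.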