
Cannot edit files if you don't have a private key #25

Closed
JonLoesch opened this issue Mar 2, 2015 · 7 comments

Comments

@JonLoesch

I'm not sure if this is classified as a bug or a missing feature, or if I'm just "doing it wrong", but ....

I am trying to have a setup where our team will all have access to the public keys, but not necessarily all people will have access to the private keys (for security reasons). And I want people who do not have a private key to still be able to "edit" eyaml files. Essentially, they should be able to add new encrypted values or alter existing ones, but not view existing ones. I know this is possible from a pure GPG point of view, but maybe eyaml doesn't support it? (I mean the base eyaml package, not eyaml-gpg)

Is this possible currently? Is it on the roadmap? (If not I can work around, but it's inconvenient) Thanks in advance

@sihil
Collaborator

sihil commented Mar 3, 2015

I'm not quite sure what you are aiming for. In order to edit a file, everyone will need a private key, as editing a file means to decrypt it, edit the decrypted values and then re-encrypt. If you only want people to be able to encrypt, then they should be able to do this with only the public keys using the encrypt command. The code looks like it only throws an exception if it doesn't have the public key: https://github.com/TomPoulton/hiera-eyaml/blob/master/lib/hiera/backend/eyaml/encryptors/pkcs7.rb#L30

If this is not working, please raise an issue on the hiera-eyaml project with the error you are getting and we'll try to help you.

@JonLoesch
Author

The eyaml encrypt command does indeed work, but operates only on single strings instead of full hiera files. I guess what I'm looking for is the ability to use the cool inline editing of "eyaml edit" without necessarily being able to decrypt the files. And editing a file does NOT necessarily mean being able to read it. Sort of like being able to change your forgotten password, but not being able to see your old one (sort of).

Like I said, I can work around if I need to, and it's not really that big of a deal. Also, it sounds like this is probably a hiera-eyaml issue, as this project is more just the GPG plugin. I raised the issue here mainly because I thought it involved asymmetric encryption, but maybe that was a mistake.

Thanks for your prompt response by the way!

@sihil
Collaborator

sihil commented Mar 3, 2015

I see what you mean - leave anything encrypted that you don't have a key to decrypt. An interesting idea.

That should be possible to implement - it would be a change to the error handling I think, and possibly to the parser system.

This particular issue definitely belongs in hiera-eyaml. PKCS7 is also an asymmetric encryption - unlike GPG though, it doesn't deal with key rotation or key per user scenarios, which is why I added GPG.

You're welcome. I'm planning to close this issue unless you have an objection.
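The behaviour discussed in this thread, as an added illustration that is not part of the issue and not hiera-eyaml's or hiera-eyaml-gpg's own code: a "write-only" edit that encrypts new values with nothing but the PKCS7 public certificate and leaves every existing `ENC[PKCS7,...]` block exactly as it was, so the person editing never needs (and never uses) a private key. It assumes the `ENC[PKCS7,<base64 DER>]` storage form and the `DEC::PKCS7[...]!` new-value marker that hiera-eyaml uses, generates a throwaway key pair in memory instead of reading `keys/*.pkcs7.pem`, and uses a constructed two-key YAML snippet as input.

```ruby
require 'openssl'
require 'base64'

# Constructed key material for this demo. hiera-eyaml normally reads the
# pair from keys/public_key.pkcs7.pem and keys/private_key.pkcs7.pem; here
# it is generated in memory so the script runs offline.
PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLIC_CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version    = 2
  c.serial     = 1
  c.subject    = OpenSSL::X509::Name.parse('/CN=eyaml-demo')
  c.issuer     = c.subject
  c.public_key = PRIVATE_KEY.public_key
  c.not_before = Time.now - 60
  c.not_after  = Time.now + 3600
  c.sign(PRIVATE_KEY, OpenSSL::Digest.new('SHA256'))
end

# Encrypt one value using only the public certificate, producing the
# ENC[PKCS7,<base64 DER>] form that hiera-eyaml stores in YAML.
def encrypt_value(plaintext, cert)
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext,
                              OpenSSL::Cipher.new('AES-256-CBC'),
                              OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Decrypt one ENC[PKCS7,...] block. This is the only step that needs the
# private key; a write-only editor never calls it.
def decrypt_value(enc, key, cert)
  der = Base64.strict_decode64(enc[/\AENC\[PKCS7,([^\]]+)\]\z/, 1])
  OpenSSL::PKCS7.new(der).decrypt(key, cert)
end

# "Blind" edit: encrypt each DEC::PKCS7[...]! marker (the marker eyaml edit
# uses for a new value) with the public certificate and pass every existing
# ENC[PKCS7,...] block through untouched, so no private key is required.
def blind_edit(eyaml_text, cert)
  eyaml_text.gsub(/DEC::PKCS7\[(.*?)\]!/) { encrypt_value(Regexp.last_match(1), cert) }
end

# Worked run on a constructed two-key eyaml file; returns checks a caller
# (or a test) can assert on.
def demo
  existing = encrypt_value('old-db-password', PUBLIC_CERT)
  before = "---\ndb_password: #{existing}\napi_token: DEC::PKCS7[new-api-token]!\n"
  after = blind_edit(before, PUBLIC_CERT)
  new_enc = after[/api_token: (ENC\[PKCS7,[^\]]+\])/, 1]
  {
    existing_untouched: after.include?(existing),      # old ciphertext byte-identical
    plaintext_absent:   !after.include?('new-api-token'), # new secret no longer in clear
    new_value_decrypts: decrypt_value(new_enc, PRIVATE_KEY, PUBLIC_CERT)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Two caveats a practitioner would want before relying on this split of privileges. PKCS7 enveloped data gives confidentiality only: anyone holding the public certificate can produce a valid `ENC[...]` block, so write-only editors can overwrite or inject values, and nothing in the file proves who wrote a given ciphertext; review of the change in version control is what supplies that assurance. And because the editor cannot decrypt, it also cannot confirm that an existing value it left alone is still the one it expects, so a blind edit must never touch or re-order lines it does not own.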

@JonLoesch
Author

No objection here -- I'll close it :) Thanks for your help.

@JonLoesch
Author

If you do create an issue for this in hiera-eyaml, please let me know, as I'm interested in following it.

@sihil
Collaborator

sihil commented Mar 3, 2015

@JonLoesch - If you are keen for this option to be available, I suggest you raise an issue there and link back to this issue for the value of the conversation. I don't plan to open an issue as I don't believe it is a bug and I'm not personally interested in the feature request.

@JonLoesch
Author

Done. Agreed that it's a feature request, not a bug. I'm still getting the hang of the github issues system. :)

Thanks again for all your help @sihil !
