Cannot edit files if you don't have a private key #25
Comments
I'm not quite sure what you are aiming for. In order to edit a file, everyone will need a private key as editing a file means to decrypt it, edit the decrypted values and then re-encrypt. If you only want people to be able to encrypt then they should be able to do this with only the public keys using the If this is not working, please raise an issue on the hiera-eyaml project with the error you are getting and we'll try to help you.
The eyaml encrypt command does indeed work, but operates only on single strings instead of full hiera files. I guess what I'm looking for is the ability to use the cool inline editing of "eyaml edit" without necessarily being able to decrypt the files. And editing a file does NOT necessarily mean being able to read it. Sort of like being able to change your forgotten password, but not being able to see your old one (sort of). Like I said, I can work around if I need to, and it's not really that big of a deal. Also, it sounds like this is probably a hiera-eyaml issue, as this project is more just the GPG plugin. I raised the issue here mainly because I thought it involved asymmetric encryption, but maybe that was a mistake. Thanks for your prompt response by the way!
I see what you mean - leave anything encrypted that you don't have a key to decrypt. An interesting idea. That should be possible to implement - it would be a change to the error handling I think, and possibly to the parser system. This particular issue definitely belongs in hiera-eyaml. PKCS7 is also an asymmetric encryption - unlike GPG though, it doesn't deal with key rotation or key per user scenarios, which is why I added GPG. You're welcome. I'm planning to close this issue unless you have an objection.
No objection here -- I'll close it :) Thanks for your help.
If you do create an issue for this in hiera-eyaml, please let me know, as I'm interested in following it.
@JonLoesch - If you are keen for this option to be available I suggest you raise an issue there and link back to this issue for the value of the conversion. I don't plan to open an issue as I don't believe it is a bug and I'm not personally interested in the feature request.
Done. Agreed that it's a feature request, not a bug. I'm still getting the hang of the GitHub issues system. :) Thanks again for all your help @sihil!
I'm not sure if this is classified as a bug or a missing feature, or if I'm just "doing it wrong", but ....
I am trying to have a setup where our team will all have access to the public keys, but not necessarily all people will have access to the private keys (for security reasons). And I want people who do not have a private key to still be able to "edit" eyaml files. Essentially, they should be able to add new encrypted values or alter existing ones, but not view existing ones. I know this is possible from a pure GPG point of view, but maybe eyaml doesn't support it? (I mean the base eyaml package, not eyaml-gpg)
Is this possible currently? Is it on the roadmap? (If not I can work around, but it's inconvenient) Thanks in advance
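The write-only edit requested in this thread (add or replace encrypted values, leave existing ones unread), sketched as an added example that is not code from hiera-eyaml or hiera-eyaml-gpg. It uses PKCS7 through Ruby's OpenSSL rather than GPG so that it runs offline; the helper names, the throwaway certificate and the sample file are assumptions constructed for the illustration.

```ruby
require 'openssl'

# Plaintext marker modelled on the one `eyaml edit` shows for PKCS7 values.
DEC_MARKER = /DEC::PKCS7\[(.*?)\]!/m

# Encrypt one value to the recipient certificate; no private key is involved.
def encrypt_value(plaintext, cert)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  der = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
  "ENC[PKCS7,#{[der].pack('m0')}]"
end

# Write-only save (hypothetical helper): existing ENC[...] blocks are never
# decrypted, so they pass through byte-for-byte; only DEC markers are replaced.
def save_without_private_key(edited_text, cert)
  edited_text.gsub(DEC_MARKER) { encrypt_value(Regexp.last_match(1), cert) }
end

# What a private-key holder does to read a block back (used to check the result).
def decrypt_block(block, key, cert)
  der = block[/\AENC\[PKCS7,(.*)\]\z/m, 1].unpack1('m')
  OpenSSL::PKCS7.new(der).decrypt(key, cert)
end

# Constructed throwaway key pair and self-signed certificate for the demo.
def demo_keypair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=eyaml-demo')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

if $PROGRAM_NAME == __FILE__
  key, cert = demo_keypair
  existing = encrypt_value('old-secret', cert) # written earlier by someone else
  edited = "db_pass: #{existing}\napi_key: DEC::PKCS7[new-secret]!\n" # constructed file
  saved = save_without_private_key(edited, cert)
  puts saved.include?(existing) ? 'existing block untouched' : 'existing block changed'
  puts decrypt_block(saved[/api_key: (ENC\[[^\]]+\])/, 1], key, cert)
end
```

Because the save path never decrypts, an editor holding only the certificate can overwrite any value but cannot confirm what it replaced; reviewing changes to encrypted keys still requires someone with the private key.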