
Ability to edit files without being able to decrypt them #146

Open
JonLoesch opened this issue Mar 3, 2015 · 3 comments
@JonLoesch

The short version of this feature request is that I would like to be able to use the "eyaml edit" command to edit files if I have all the required public key(s), even if I don't have the private key(s). The behavior should be that anything eyaml is unable to decrypt and show, it should just leave encrypted. Essentially, this would allow you to change / add encrypted data even if you don't necessarily have rights to view it.

In more detail: my use case is that I would like each host on our footprint to have an individual GPG key, so that a compromise of one server will not affect other servers. The hiera files are split out by hostname already, so each file is encrypted using different public keys. Our development team will have access to all the public keys, but not necessarily the private keys. They are able to run eyaml encrypt, but not eyaml decrypt. But the eyaml encrypt command is a bit clunky for us when we have many passwords embedded in a single yaml file. So I'd really like to be able to use the "eyaml edit" command, if possible.

A bit more (mostly irrelevant) backstory here: voxpupuli/hiera-eyaml-gpg#25
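A constructed illustration of the edit flow requested above (added here; this is not hiera-eyaml's own code). RSA-OAEP stands in for the GPG encryptor, and the token shapes mirror eyaml's `ENC[...]` and `DEC(n)::...[...]!` markers: values the editor's keyring cannot open are passed through byte-for-byte, and anything in a `DEC` marker is encrypted with the recipient's public key alone.

```ruby
require 'openssl'

# Constructed stand-in for hiera-eyaml's ENC[...] and DEC(n)::...[...]! tokens.
# Raw RSA-OAEP plays the role of the GPG encryptor; the real one is not modelled.
ENC_RE = %r{ENC\[RSA,([A-Za-z0-9+/=]+)\]}
DEC_RE = /DEC(?:\(\d+\))?::RSA\[(.*?)\]!/
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt a value for one recipient; only the public key is needed.
def encrypt_for(pub, plaintext)
  "ENC[RSA,#{[pub.public_encrypt(plaintext, OAEP)].pack('m0')}]"
end

# Try every private key we hold; nil means "no usable secret key", as with GPG.
def try_decrypt(keyring, blob)
  raw = blob.unpack1('m0')
  keyring.each_value do |key|
    next unless key.private?
    begin
      return key.private_decrypt(raw, OAEP)
    rescue OpenSSL::PKey::RSAError
      next # wrong key for this blob, keep looking
    end
  end
  nil
end

# Open for editing: decrypt what we can into DEC(n) markers and leave every
# other ENC token exactly as it was, which is the behaviour the issue asks for.
def open_for_edit(keyring, text)
  n = 0
  text.gsub(ENC_RE) do |token|
    plain = try_decrypt(keyring, Regexp.last_match(1))
    next token if plain.nil?
    n += 1
    "DEC(#{n})::RSA[#{plain}]!"
  end
end

# Save: every DEC marker (edited or newly added) is encrypted for `recipient`
# with its public key only; ENC tokens that were never opened pass through.
def save_edit(keyring, recipient, text)
  text.gsub(DEC_RE) { encrypt_for(keyring.fetch(recipient), Regexp.last_match(1)) }
end

if __FILE__ == $PROGRAM_NAME # constructed demo: dev holds host_b's public key only
  a, b = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  dev = { 'host_a' => a, 'host_b' => b.public_key }
  puts open_for_edit(dev, "a: #{encrypt_for(a, 'pw-a')}\nb: #{encrypt_for(b, 'pw-b')}\n")
end
```

The demo prints host_a's value as a `DEC(1)` marker and host_b's value still as `ENC[RSA,...]`, because the developer's keyring has no private key for host_b.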

h-svab pushed a commit to h-svab/hiera-eyaml that referenced this issue Jul 15, 2015
Adds the possibility to have an encryptor which can not decrypt everything because the actual user does not have all private keys.
h-svab pushed a commit to h-svab/hiera-eyaml that referenced this issue Jul 16, 2015
Adds the possibility to have an encryptor which can not decrypt everything because the actual user does not have all private keys.
@cheethoe

+1 This seems like a critical feature for any widespread use of hiera-eyaml. How are you supposed to keep your private key secure if every developer that needs to add/edit encrypted values needs to pass the private key around? I want the private key to exist only on my puppet masters and not on every dev's box.

@mxey

mxey commented Oct 10, 2022

You can use eyaml edit --no-decrypt

@JonLoesch

Ah. There's a technical difference between not erroring on a failed decrypt and not attempting a decrypt at all. I'm sure this would work for some use cases though, so good point.

I haven't worked in hiera in years and I'm not really in a position to judge whether this issue should still be open or not, so I'm not going to do anything. If someone else wants to close it out, go for it. There is, interestingly enough, an orphaned branch of development from 2015 on this; no idea how complete it is.
