Ability to edit files without being able to decrypt them #146
Comments
Adds the possibility to have an encryptor which can not decrypt everything because the actual user does not have all private keys.
+1 This seems like a critical feature for any widespread use of hiera-eyaml. How are you supposed to keep your private key secure if every developer that needs to add/edit encrypted values needs to pass the private key around? I want the private key to exist only on my puppet masters and not on every dev's box.
You can use
Ah. There's a technical difference between not erroring on a failed decrypt and not attempting a decrypt at all. I'm sure this would work for some use cases though, so good point. I haven't worked in hiera in years and I'm not really in a position to judge whether this issue should still be open or not, so I'm not going to do anything. If someone else wants to close it out go for it. There is interestingly enough an orphaned branch of development from 2015 on this, no idea how complete it is.
The short version of this feature request is that I would like to be able to use the "eyaml edit" command to edit files if I have all the required public key(s), even if I don't have the private key(s). The behavior should be that anything eyaml is unable to decrypt and show it should just leave encrypted. Essentially, this would allow you to change / add encrypted data even if you don't necessarily have rights to view it.
In more detail: my use case is that I would like to have each host on our footprint have an individual GPG key, so that a compromise of one server will not affect other servers. The hiera files are split out by hostname already, so each file is encrypted using different public keys. Our development team will have access to all the public keys, but not necessarily the private keys. They are able to run eyaml encrypt, but not eyaml decrypt. But the eyaml encrypt command is a bit clunky for us when we have many passwords embedded in a single yaml file. So I'd really like to be able to use the "eyaml edit" command, if possible.
A bit more (mostly irrelevant) backstory here: voxpupuli/hiera-eyaml-gpg#25
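The behaviour the issue asks for, as an added Ruby illustration that is not code from hiera-eyaml or from the issue author: an "edit" round trip where every encrypted block the current user can decrypt is opened for editing, every block they cannot decrypt is passed through byte-for-byte, and new or changed values are encrypted with the public key. It assumes a stand-in RSA-OAEP encryptor via Ruby's OpenSSL (in place of eyaml's PKCS7/GPG backends), constructed `ENC[RSA,...]` / `DEC[...]` markers that only loosely resemble eyaml's real syntax, and a constructed scenario with one host key held by ops and only its public half held by the developer.

```ruby
require 'openssl'

# Marker formats, constructed for this example (modelled loosely on eyaml's
# ENC[...] / DEC::...[...]! markers; not the project's real syntax).
ENC_RE = /ENC\[RSA,([A-Za-z0-9+\/=]+)\]/
DEC_RE = /DEC\[([^\]]*)\]/

# Hypothetical editor: needs a public key to encrypt, may or may not hold the
# matching private key. Stand-in for an eyaml encryptor that tolerates
# "cannot decrypt this block" instead of erroring.
class PartialEditor
  PAD = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  def initialize(public_key, private_key = nil)
    @pub = public_key
    @priv = private_key
  end

  def encrypt(plaintext)
    "ENC[RSA,#{[@pub.public_encrypt(plaintext, PAD)].pack('m0')}]"
  end

  # Returns plaintext, or nil when we hold no private key or the wrong one.
  # A wrong key fails the OAEP padding check and raises RSAError.
  def try_decrypt(b64)
    return nil unless @priv
    @priv.private_decrypt(b64.unpack1('m0'), PAD)
  rescue OpenSSL::PKey::RSAError
    nil
  end

  # "edit" open step: decryptable ENC blocks become DEC[...] for editing;
  # anything we cannot decrypt is left exactly as found.
  def open_for_edit(text)
    text.gsub(ENC_RE) do
      m = Regexp.last_match
      pt = try_decrypt(m[1])
      pt ? "DEC[#{pt}]" : m[0]
    end
  end

  # "edit" save step: DEC[...] blocks (edited or newly added) are encrypted
  # with the public key; untouched ENC blocks pass through unchanged.
  def save_after_edit(text)
    text.gsub(DEC_RE) { encrypt(Regexp.last_match(1)) }
  end
end

# Constructed scenario: ops holds the host's private key, the developer only
# the public key, and the developer adds a secret without reading the old one.
def demo
  host_key = OpenSSL::PKey::RSA.new(2048)
  ops = PartialEditor.new(host_key.public_key, host_key)
  dev = PartialEditor.new(host_key.public_key)          # public half only

  original = "db_password: #{ops.encrypt('hunter2')}\n"

  draft = dev.open_for_edit(original)                    # block stays opaque
  draft = draft + "api_token: DEC[tok-123]\n"            # developer adds a value
  saved = dev.save_after_edit(draft)

  {
    existing_block_untouched: saved.lines.first == original.lines.first,
    dev_saw_plaintext: draft.include?('hunter2'),
    ops_view: ops.open_for_edit(saved),
    wrong_key_decrypts: !PartialEditor.new(host_key.public_key,
                                           OpenSSL::PKey::RSA.new(2048))
                                      .try_decrypt(original[ENC_RE, 1]).nil?,
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The property worth checking is the one the comment thread draws out: the block the developer could not decrypt is unchanged on disk after the save, so a later holder of the private key still reads both the old and the new value, while a mismatched private key simply yields nil rather than an abort.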