No release in over 3 years
SSH_AUTH_SOCK encryptor for use with hiera-eyaml
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

>= 2
>= 1.3.8
 Project Readme

pre-commit.ci status

hiera-eyaml-sshagent

A hiera-eyaml plugin which uses the ssh agent connected to SSH_AUTH_SOCK to encrypt / decrypt values.

installation

gem install hiera-eyaml-sshagent

configuring

The plugin takes a single option sshagent_keyid:

version: 5
hierarchy:
    -   name: "Common secret data"
        lookup_key: eyaml_lookup_key
        path: common.eyaml
        options:
          sshagent_keyid: /home/asottile/.ssh/id_rsa
    -   name: "Common data"
        path: common.yaml

The keyid should match what is printed from ssh-add -l

how it works

It is based on code / ideas from the following:

retrieve symmetric key

This procedure takes a keyid, a 64 byte challenge, and a 16 byte salt.

  1. list ssh identities by querying SSH_AUTH_SOCK
  2. find the identity matching keyid
  3. sign the challenge using that identity
  4. use the response blob as a "password" with pbkdf2_hmac (using the salt)
  5. the result is a 32 byte key which will be used with fernet

encrypt(keyid, blob)

  1. generate a 64 byte "challenge" and 16 byte salt
  2. retrieve symmetric key
  3. encrypt with the symmetric key
  4. store a blob of {challenge, salt, payload}

decrypt(keyid, blob)

  1. load the stored blob {challenge, salt, payload}
  2. retrieve symmetric key
  3. decrypt with symmetric key

why?

I use a masterless puppet setup to manage my machines.

My current bootstrapping process is:

  1. place ssh key on machine
  2. clone the repo
  3. ./run-puppet

As such, I wanted a hiera-eyaml backend which didn't involve typing in more passwords or copying around more keys (since I'm already using my ssh key).