hiera-eyaml-sshagent
A hiera-eyaml plugin which uses the ssh agent connected to SSH_AUTH_SOCK
to encrypt / decrypt values.
installation
gem install hiera-eyaml-sshagent
configuring
The plugin takes a single option sshagent_keyid
:
version: 5
hierarchy:
- name: "Common secret data"
lookup_key: eyaml_lookup_key
path: common.eyaml
options:
sshagent_keyid: /home/asottile/.ssh/id_rsa
- name: "Common data"
path: common.yaml
The keyid
should match what is printed from ssh-add -l
how it works
It is based on code / ideas from the following:
- blog post demoing ssh agent api in python
- initial demo implementation in python
- cryptography stackexchange: Is it safe to derive a password from a signature provided by ssh-agent?
- security stackexchange: Is it possible to use SSH agent for generic data encryption?
- sshcrypt
retrieve symmetric key
This procedure takes a keyid, a 64 byte challenge, and a 16 byte salt.
- list ssh identities by querying
SSH_AUTH_SOCK
- find the identity matching
keyid
- sign the
challenge
using that identity - use the response blob as a "password" with pbkdf2_hmac (using the salt)
- the result is a 32 byte key which will be used with fernet
encrypt(keyid, blob)
- generate a 64 byte "challenge" and 16 byte salt
- retrieve symmetric key
- encrypt with the symmetric key
- store a blob of
{challenge, salt, payload}
decrypt(keyid, blob)
- load the stored blob
{challenge, salt, payload}
- retrieve symmetric key
- decrypt with symmetric key
why?
I use a masterless puppet setup to manage my machines.
My current bootstrapping process is:
- place ssh key on machine
- clone the repo
./run-puppet
As such, I wanted a hiera-eyaml
backend which didn't involve typing in more
passwords or copying around more keys (since I'm already using my ssh key).