generate-secure-pillar

command module

v1.0.620 Latest Latest Go to latest Published: Nov 22, 2023 License: MIT Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/Everbridge/generate-secure-pillar

Links

Open Source Insights

README ¶

generate-secure-pillar

Create and update encrypted content or decrypt encrypted content in YAML files

https://blog.edlitmus.info/generate-secure-pillar/

USAGE

generate-secure-pillar [global options] command [command options] [arguments...]

VERSION 1.0.620

AUTHOR

Ed Silva ed.silva@everbridge.com

HOMEBREW INSTALL

brew tap esilva-everbridge/homebrew-generate-secure-pillar
brew install generate-secure-pillar

CONFIG FILE USAGE

A config file can be used to set default values, and an example file is created if there isn't one already, with commented out values. The file location defaults to ~/.config/generate-secure-pillar/config.yaml. Profiles can be specified and selected via a command line option.

profiles:
  - name: dev
    default: true
    default_key: Dev Salt Master
    gnupg_home: ~/.gnupg
    default_pub_ring: ~/.gnupg/pubring.gpg
    default_sec_ring: ~/.gnupg/secring.gpg
  - name: prod
    default: false
    default_key: Prod Salt Master
    gnupg_home: ~/.gnupg
    default_pub_ring: ~/.gnupg/pubring.gpg
    default_sec_ring: ~/.gnupg/secring.gpg
...

ABOUT PGP KEYS

The PGP keys you import for use with this tool need to be 'trusted' keys. An easy way to do this is, after importing a key, run the following commands:

expect -c "spawn gpg --edit-key '<the PGP key id here>' trust quit; send \"5\ry\r\"; expect eof"

(found here: https://gist.github.com/chrisroos/1205934#gistcomment-2203760)

COMMANDS

     create, c   create a new sls file
     update, u   update the value of the given key in the given file
     encrypt, e  perform encryption operations
     decrypt, d  perform decryption operations
     rotate, r   decrypt existing files and re-encrypt with a new key
     keys, k     show PGP key IDs used
     help, h     Shows a list of commands or help for one command

GLOBAL OPTIONS

--profile value default profile to use in the config file
--pubring value PGP public keyring (default: "~/.gnupg/pubring.gpg" or "$GNUPGHOME/pubring.gpg")
--secring value PGP private keyring (default: "~/.gnupg/secring.gpg" or "$GNUPGHOME/secring.gpg")
--pgp_key value, -k value PGP key name, email, or ID to use for encryption
--debug adds line number info to log output
--element value, -e value Name of the top level element under which encrypted key/value pairs are kept
--help, -h show help
--version, -v print the version

COPYRIGHT

CAVEAT: YAML files with include statements are not handled properly, so we skip them.

EXAMPLES

specify a config profile and create a new file

$ generate-secure-pillar --profile dev create --name secret_name1 --value secret_value1 --name secret_name2 --value secret_value2 --outfile new.sls

create a new sls file

$ generate-secure-pillar -k "Salt Master" create --name secret_name1 --value secret_value1 --name secret_name2 --value secret_value2 --outfile new.sls

add to the new file

$ generate-secure-pillar -k "Salt Master" update --name new_secret_name --value new_secret_value --file new.sls

update an existing value

$ generate-secure-pillar -k "Salt Master" update --name secret_name --value secret_value3 --file new.sls

encrypt all plain text values in a file

$ generate-secure-pillar -k "Salt Master" encrypt all --file us1.sls --outfile us1.sls

or use --update flag

$ generate-secure-pillar -k "Salt Master" encrypt all --file us1.sls --update

encrypt all plain text values in a file under the element 'secret_stuff'

$ generate-secure-pillar -k "Salt Master" --element secret_stuff encrypt all --file us1.sls --outfile us1.sls

recurse through all sls files, encrypting all values

$ generate-secure-pillar -k "Salt Master" encrypt recurse -d /path/to/pillar/secure/stuff

recurse through all sls files, decrypting all values (requires imported private key)

$ generate-secure-pillar decrypt recurse -d /path/to/pillar/secure/stuff

decrypt a specific existing value (requires imported private key)

$ generate-secure-pillar decrypt path --path "some:yaml:path" --file new.sls

decrypt all files and re-encrypt with given key (requires imported private key)

$ generate-secure-pillar -k "New Salt Master Key" rotate -d /path/to/pillar/secure/stuff

show all PGP key IDs used in a file

$ generate-secure-pillar keys all --file us1.sls

show all keys used in all files in a given directory

$ generate-secure-pillar keys recurse -d /path/to/pillar/secure/stuff

show the PGP key ID used for an element at a path in a file

$ generate-secure-pillar keys path --path "some:yaml:path" --file new.sls

Documentation ¶

Overview ¶

Package main

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd Package cmd/create handles the creation of new secure pillar files	Package cmd/create handles the creation of new secure pillar files
pki Package pki handles PGP for pillar content	Package pki handles PGP for pillar content
sls Package sls handles parsing of Salt Pillar files	Package sls handles parsing of Salt Pillar files
utils Package utils is for general utility functions	Package utils is for general utility functions

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL