Knife Briefcase
This gem is a Knife plugin for Opscode Chef that stores GPG-encrypted and GPG-signed content for a group of people in a data bag on the Chef server.
Its intended use is to share infrastructure-related secrets (such as encrypted data bag secret files, SSL private keys, passwords, etc.) among the infrastructure team. The Chef server only ever sees the GPG ciphertext; anyone with access to the data bag but without one of the holders' private keys gets nothing useful.
This may or may not work nicely with git-annex via the hook special remote.
Installation
Add this line to your Chef repository's Gemfile:
gem 'knife-briefcase', :git => 'git://github.com/3ofcoins/knife-briefcase/'
Note that the git:// transport is neither authenticated nor encrypted, so a Gemfile entry like this trusts whatever the network hands back; for a tool that handles your secrets, prefer the https:// or ssh clone URL of the same repository and pin a specific commit with Bundler's :ref option.
Or install it yourself:
$ gem build knife-briefcase.gemspec
$ gem install knife-briefcase*.gem
Usage
knife briefcase put NAME [FILE] -- encrypts and signs the named FILE (or standard input) and saves it in the data bag as the item with ID NAME.
knife briefcase get NAME [FILE] -- gets NAME from the data bag, checks the signature, decrypts, and writes the contents to standard output, or saves them to FILE if provided.
knife briefcase list -- lists the encrypted items in the data bag.
knife briefcase delete NAME [NAME [...]] -- deletes the listed NAMEs from the data bag.
TODO: it may be good to refuse to delete items that the user is unable to decrypt. The user can delete them anyway with knife data bag delete, so this is a guard against mistakes rather than an access control, but it shouldn't be allowed via the knife briefcase command.
knife briefcase reload [NAME [NAME [...]]] -- downloads and decrypts the listed items, re-encrypts and re-signs them, and saves the re-encrypted content back. If no names are provided, all items are re-encrypted. This should be called whenever the briefcase holders list changes, to allow an added user to decrypt the bag or to prevent further access by a removed user.
Keep in mind what reload does and does not achieve: it stops a removed user from decrypting the current data bag items, but it cannot revoke access to copies they already downloaded, nor to any older ciphertext sitting in version control. If a departing holder should no longer know a secret, rotate the secret itself (new key, new password) and then reload.
Configuration
The following knife.rb settings are used:
briefcase_holders -- array of e-mail addresses that will be the GPG recipients of the data. Every holder needs a public key that your GPG keyring already has and trusts; the plugin cannot encrypt to an address it cannot resolve to a key.
briefcase_signers -- e-mail address (or array of e-mail addresses) whose key(s) will be used to sign the encrypted content. A holder's get should only trust content carrying a good signature from one of these signers.
briefcase_data_bag -- name of the data bag that will hold the encrypted content by default. If not provided, the briefcase data bag is used. The data bag name can be overridden on the command line.
Example configuration
briefcase_signers `git config --get user.email`.strip
briefcase_holders [
'[email protected]',
'[email protected]',
'[email protected]',
'[email protected]',
'[email protected]' ]
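The following is an added example and not knife-briefcase's own code: it shows how the briefcase_holders and briefcase_signers settings above translate into a GPG invocation for put, what a stored data bag item could look like, and the check a get should perform on gpg's machine-readable status output (as produced by --status-fd) before showing decrypted content. The item layout (id plus content), the gpg flags chosen, and the sample status lines and example.com addresses are all assumptions made for the example; no gpg process is actually run here.

```ruby
# Added example, not the plugin's code. Models the put/get logic of a
# GPG-backed briefcase: argument construction from knife.rb settings and
# verification of gpg's "[GNUPG:] ..." status lines on the way back.
require 'json'

# Build the argv for `put`: encrypt to every holder and sign with every
# signer. No --trust-model always: if a holder's key is missing or not
# validated in the keyring, gpg refuses, which is the fail-closed default
# we want for secrets.
def gpg_put_argv(holders, signers)
  holders = Array(holders)
  signers = Array(signers)
  raise ArgumentError, 'no briefcase_holders configured' if holders.empty?
  raise ArgumentError, 'no briefcase_signers configured' if signers.empty?
  argv = %w[gpg --batch --armor --encrypt --sign --status-fd 2]
  holders.each { |h| argv += ['--recipient', h] }
  signers.each { |s| argv += ['--local-user', s] }
  argv
end

# Assumed data bag item shape: the item id plus the ASCII-armored message.
# Nothing sensitive is stored outside the armored blob.
def briefcase_item(name, armored)
  { 'id' => name, 'content' => armored }
end

# Decide whether decrypted content may be shown. Requirements:
#  - DECRYPTION_OKAY was reported,
#  - no BADSIG line is present,
#  - at least one GOODSIG whose user id carries a configured signer's e-mail.
# Returns [ok, reason].
def briefcase_verify(status_output, signers)
  signers = Array(signers)
  good_uids = []
  bad_sig = false
  decrypted = false
  status_output.each_line do |line|
    next unless line.start_with?('[GNUPG:] ')
    keyword, rest = line.sub('[GNUPG:] ', '').chomp.split(' ', 2)
    case keyword
    when 'DECRYPTION_OKAY' then decrypted = true
    when 'BADSIG' then bad_sig = true
    when 'GOODSIG'
      # rest is "<long key id> <user id>"; the user id may contain spaces
      _keyid, uid = rest.to_s.split(' ', 2)
      good_uids << uid.to_s
    end
  end
  return [false, 'decryption failed'] unless decrypted
  return [false, 'bad signature present'] if bad_sig
  signer_uid = good_uids.find { |uid| signers.any? { |s| uid.include?("<#{s}>") } }
  return [false, 'no good signature from a configured signer'] unless signer_uid
  [true, "signed by #{signer_uid}"]
end

# Constructed sample status output (abbreviated), in the format gpg writes
# to the --status-fd descriptor during a decrypt-and-verify run.
SAMPLE_GOOD = <<~STATUS
  [GNUPG:] ENC_TO 1111111111111111 1 0
  [GNUPG:] DECRYPTION_OKAY
  [GNUPG:] GOODSIG 2222222222222222 Alice Example <alice@example.com>
STATUS

SAMPLE_BADSIG = <<~STATUS
  [GNUPG:] ENC_TO 1111111111111111 1 0
  [GNUPG:] DECRYPTION_OKAY
  [GNUPG:] BADSIG 2222222222222222 Alice Example <alice@example.com>
STATUS

if $PROGRAM_NAME == __FILE__
  puts gpg_put_argv(['alice@example.com', 'bob@example.com'], 'alice@example.com').join(' ')
  puts JSON.pretty_generate(briefcase_item('ssl-key', '-----BEGIN PGP MESSAGE-----...'))
  p briefcase_verify(SAMPLE_GOOD, ['alice@example.com'])
  p briefcase_verify(SAMPLE_GOOD, ['bob@example.com'])
end
```

The point of briefcase_verify is that "gpg decrypted it" is not the same as "one of our signers wrote it": a content blob signed by anyone whose key happens to be in your keyring, or an unsigned blob, still decrypts fine, so a get must insist on a GOODSIG from a configured briefcase_signers address and fail closed otherwise.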
Contributing
See the CONTRIBUTING.md file