
Track existing recipients

Open sihil opened this issue 11 years ago • 8 comments

Edit mode for GPG should track existing recipients and re-encrypt to the same set of keys.

This can't be done for two reasons.

  1. We don't track individual blocks uniquely and
  2. It isn't possible to get the recipient list out of GPGME as recipients is not implemented in the DecryptResult object.

If these two are fixed then we can make this work.

sihil avatar Sep 10 '13 14:09 sihil

Part 1 of this is fixed, so we just need access to the recipients field in gpgme. Not a priority and I think that the recipients file makes this less helpful now. Might investigate in the future if people want it.

sihil avatar Nov 26 '13 17:11 sihil

I want it!

I'd like to be able to check the recipient list of an encrypted block to ensure it is encrypted with the correct keys.

robinbowes avatar Feb 28 '14 14:02 robinbowes

Ditto. We've got a lot of different people storing encrypted secrets (GPG plugin), and while the operations team doesn't need to know the secrets themselves, we would like to be able to vet the recipients for each cryptotext value.

RoUS avatar Oct 07 '15 15:10 RoUS
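The vetting that robinbowes and RoUS describe above (checking which keys a stored block is encrypted to, without needing the secret) does not actually require GPGME or a keyring: the key IDs are in the clear in the message's Public-Key Encrypted Session Key packets. The following Ruby is an added example, not code from hiera-eyaml-gpg or from anyone in this thread; it assumes the base64 inside an `ENC[GPG,...]` block is the binary OpenPGP message, and the sample block at the end is constructed, not real ciphertext.

```ruby
require 'base64'
# Return the key IDs (16 hex chars) an OpenPGP message is encrypted to, read
# from its Public-Key Encrypted Session Key packets (RFC 4880, tag 1). Nothing
# is decrypted. An all-zero ID means the sender used a hidden recipient.
def gpg_recipient_key_ids(bytes)
  data = bytes.b
  pos = 0
  ids = []
  while pos < data.bytesize
    ctb = data.getbyte(pos)
    raise ArgumentError, 'not an OpenPGP packet' if ctb & 0x80 == 0
    if ctb & 0x40 != 0                                   # new-format header
      tag = ctb & 0x3f
      first = data.getbyte(pos + 1)
      if first < 192 then len, hdr = first, 2
      elsif first < 224 then len, hdr = ((first - 192) << 8) + data.getbyte(pos + 2) + 192, 3
      elsif first == 255 then len, hdr = data[pos + 2, 4].unpack1('N'), 6
      else raise ArgumentError, 'partial body lengths not supported'
      end
    else                                                 # old-format header
      tag = (ctb >> 2) & 0x0f
      ltype = ctb & 0x03
      raise ArgumentError, 'indeterminate length not supported' if ltype == 3
      hdr = 1 + (1 << ltype)                             # 1-, 2- or 4-byte length
      len = data[pos + 1, hdr - 1].unpack1(%w[C n N][ltype])
    end
    body = data[pos + hdr, len]
    raise ArgumentError, 'truncated packet' if body.nil? || body.bytesize < len
    if tag == 1
      raise ArgumentError, 'unsupported PKESK version' unless body.getbyte(0) == 3
      ids << body[1, 8].unpack1('H*').upcase
    end
    pos += hdr + len
  end
  ids
end

# Unwrap an eyaml block. Assumption: the base64 inside ENC[GPG,...] is the
# binary OpenPGP message that hiera-eyaml-gpg got back from GPGME.
def eyaml_gpg_recipients(block)
  m = block.gsub(/\s+/, '').match(%r{\AENC\[GPG,([A-Za-z0-9+/=]+)\]\z})
  raise ArgumentError, 'not an ENC[GPG,...] block' unless m
  gpg_recipient_key_ids(Base64.strict_decode64(m[1]))
end

# Constructed sample, not real ciphertext: one RSA PKESK packet per key ID
# (old-format header, dummy MPI) followed by a new-format SEIPD packet.
def sample_block(key_ids)
  pkesk = key_ids.map { |k| [0x84, 13, 3].pack('CCC') + [k].pack('H16') + [1, 8, 0xab].pack('CnC') }
  'ENC[GPG,' + Base64.strict_encode64(pkesk.join + [0xd2, 1, 1].pack('CCC')) + ']'
end
```

Comparing the returned IDs against the expected set for each file is then a plain diff, which is the part that can be scripted for a whole hieradata tree.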

What is the status of this particular enhancement? My goal is fairly simple: to encrypt all variables for the same set of recipients, although staff come and go, so that set can change with time. Right now, the only way I see to do that is to eyaml edit every file, remove the number in parentheses, and re-save.

I care less about the edge-case of a recipient revoking/expiring their key and more about minor additions or removals of recipients. Seems like there should be a smarter way than what I am doing which isn't very automatable. Maybe I can script something with eyaml decrypt -e?

@RoUS has a much more interesting though similar use case.

tpdownes avatar Jun 29 '16 12:06 tpdownes

@tpdownes I think you should be able to use the recrypt action for your use case IIRC - this is explicitly designed for rolling keys.

sihil avatar Jun 29 '16 13:06 sihil

@sihil And now I see that option pleasantly listed in --help. Thanks!

tpdownes avatar Jun 29 '16 14:06 tpdownes

Just in case someone is still interested in this:

The 2nd part of the original issue report is also fixed.

The recipients are nowadays available in the DecryptResult from gpgme.

squiddle avatar Apr 19 '18 10:04 squiddle

This type of functionality should not assume there is only one list of recipients. I generally use this in environments where there are multiple recipient lists as different teams want to encrypt data to which other teams should not have access.

ghoneycutt avatar Apr 14 '19 18:04 ghoneycutt