hiera-eyaml
Cannot decrypt non-ASCII characters
Working in a francophone company, some of the data we want to encrypt include non-ascii characters, like strings with accents. For instance, I'm trying to encrypt this file:
test_hiera::chaine_test: "Chaine pour l'hôte ul-dco-ex-dat01.ul.ca"
test_hiera::chaine_parametre: "Chaine passé par hiera en utilisant le backend eyaml"
test_hiera::chaine_crypte: ENC[PKCS7,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]
I'm in the process of learning hiera, so this file contains a test string to extract (chaine_test), a value corresponding to a parameter (chaine_parametre), and an encrypted string (chaine_crypte). The decrypted string is bonjour à vous. While editing with eyaml edit, the line containing the encrypted string looks like this:
test_hiera::chaine_crypte: DEC::PKCS7[bonjour à vous]!
Afterward, when trying to edit again with eyaml edit, or when trying to extract the value on the puppet master, I get this error:
[hiera-eyaml-core] incompatible character encodings: UTF-8 and ASCII-8BIT
Interesting information though: this line works just fine:
eyaml encrypt -s "bonjour à vous" -o string | eyaml decrypt --stdin
I get the decrypted string in the output.
These are my specifications:
- On my editing laptop:
  - Ubuntu 16.04.4 LTS for Windows 10
  - ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
  - eyaml 2.1 installed via gem install
- On my puppet master:
  - CentOS Linux release 7.5.1804 (Core)
  - Puppet 5.5.6
  - Puppet server 5.3.5
  - Foreman 1.19
  - eyaml 2.1 installed via puppetserver gem install
Is it possible to encrypt non-ascii values?
> eyaml encrypt -s "bonjour à vous" -o string | eyaml decrypt --stdin
That is how I had to do it as well.
Which is a major pain if I need to change the file this is in - eyaml will happily decrypt everything, but once it's saved and eyaml tries to encrypt it again, it fails. So I have to go in with a normal editor (not eyaml edit) and paste the whole encrypted "blob" back in.
This also affects binary data.
[Turbo-Fredrikssons-MacBook-Pro]$ eyaml createkeys
[hiera-eyaml-core] Created key directory: ./keys
[hiera-eyaml-core] Keys created OK
[Turbo-Fredrikssons-MacBook-Pro]$ dd if=/dev/disk5 of=test count=100
100+0 records in
100+0 records out
51200 bytes transferred in 0.004064 secs (12598168 bytes/sec)
[Turbo-Fredrikssons-MacBook-Pro]$ eyaml edit test.yaml
=> Insert the binary file test between the [ and ] in the editor
Results in:
[hiera-eyaml-core] undefined method `length' for nil:NilClass
So my guess is that eyaml is trying to be .. "smart".
To get around that, I had to run
(echo "test: >"; eyaml encrypt -f test -o block) > test.yaml
and then go in and add the missing ! after the ] at the end of the file (eyaml adds a newline instead of !).
But then running eyaml edit test.yaml works, but not the save..
On the other hand, eyaml decrypt -f test.yaml does seem to work... Weird.
Just encode to base64 and decode on template generation.
> Just encode to base64 and decode on template generation.
Actually, that helped me a lot!
I have binary data (ElasticSearch encryption key) in Hiera, but every time I need to encrypt/decrypt/edit that file, eyaml borks!
But base64 encoding the binary data and then using
$variable = base64('decode', hiera('hiera_key', undef))
file { '/somethingorother':
  content => $variable,
}
should do it.. The base64() function is in puppetlabs-stdlib, which I'm already using functions from elsewhere...
I'm hitting this also. The base64() workaround might work, but this is a bug IMHO that still should be resolved. I would expect this encryption to be able to handle any arbitrary binary data, much as base64() can. Using the base64() kludge also defeats class param auto-lookup. Worse though is, I question the data reliability this potentially presents.
I stumbled onto it with Kerberos keytabs. I had been taking these binary files and doing an eyaml encrypt -f my.keytab and then pasting the resultant block into my Hiera yaml files. Now I've found that I cannot eyaml edit some.yaml because I get the following when I write/quit the edit:
[hiera-eyaml-core] undefined method `length' for nil:NilClass
If I try to eyaml decrypt -f some.yaml (same file as above), I instead get:
[hiera-eyaml-core] invalid byte sequence in UTF-8
Somehow though, the Puppet Server is capable of decrypting the data. If it weren't for that, I'd question if VIM handled the binary data correctly before eyaml was to reencrypt it.
My Puppet Server has hiera-eyaml-3.2.2 as bundled with puppet-agent-7.14.0-1.el8.x86_64 (from the PL repo). My workstation where I'm using eyaml to edit files has rubygem-hiera-eyaml-3.2.0-4.fc35.noarch (from Fedora repos).
In the meantime, I'm going to aim for a new Hiera level that uses a glob file path for binary files like keytabs. Then they can reside as a group of files with their content isolated.
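The two failure modes discussed in this thread (the "incompatible character encodings: UTF-8 and ASCII-8BIT" error from the original question when the plaintext has accents, and the breakage with keytabs and other binary values in the later posts), together with the base64 workaround, reproduced below with plain OpenSSL as an added example. This is not hiera-eyaml's own code: the PKCS7 envelope construction is assumed to mirror what eyaml's PKCS7 backend does, and the helper names (make_keypair, pkcs7_encrypt, pkcs7_decrypt, sample_yaml, splice_decrypted, binary_roundtrip), the sample YAML text and the SAMPLE_BINARY bytes are mine, constructed for the example.

```ruby
# Added example, not hiera-eyaml's own code. The PKCS7 construction is
# assumed to mirror eyaml's PKCS7 backend; all helper names are mine.
require 'openssl'
require 'base64'

# Constructed binary value (think: a keytab or an ES encryption key).
# 0xFF can never appear in valid UTF-8, so this is deliberately not text.
SAMPLE_BINARY = "\x05\x02\x00\x00\xFF\xFE\x80\x00keytab".b

# In-memory stand-in for `eyaml createkeys`: RSA key plus self-signed cert.
def make_keypair
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=eyaml-example')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# The base64 payload that sits inside ENC[PKCS7,...].
def pkcs7_encrypt(cert, plaintext)
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext,
                              OpenSSL::Cipher.new('aes-256-cbc'),
                              OpenSSL::PKCS7::BINARY)
  Base64.strict_encode64(p7.to_der)
end

# OpenSSL returns the plaintext as a binary (ASCII-8BIT) string, whatever
# encoding it had when it went in. That is the "ASCII-8BIT" in the error.
def pkcs7_decrypt(key, cert, b64)
  OpenSSL::PKCS7.new(Base64.strict_decode64(b64)).decrypt(key, cert)
end

# A UTF-8 hiera file like the one in the question: the other keys carry
# accented characters, so the file itself is not ASCII-only.
def sample_yaml(b64)
  "test_hiera::chaine_test: \"Chaine pour l'hôte\"\n" \
  "test_hiera::chaine_crypte: ENC[PKCS7,#{b64}]\n"
end

# What `eyaml edit` has to do: splice the decrypted value back into the
# rest of the UTF-8 file as DEC::PKCS7[...]!. Ruby refuses to combine a
# non-ASCII UTF-8 string with a non-ASCII ASCII-8BIT string, so this
# returns nil (Encoding::CompatibilityError) unless the decrypted bytes
# are first re-tagged as UTF-8.
def splice_decrypted(key, cert, yaml_text, b64, fix_encoding: false)
  plain = pkcs7_decrypt(key, cert, b64)
  plain = plain.force_encoding(Encoding::UTF_8) if fix_encoding
  yaml_text.sub("ENC[PKCS7,#{b64}]", "DEC::PKCS7[#{plain}]!")
rescue Encoding::CompatibilityError
  nil
end

# Re-tagging only helps for real text. For a keytab the result is a UTF-8
# string holding invalid bytes, which is what "invalid byte sequence in
# UTF-8" is about once something tries to parse or dump it as YAML.
# The thread's workaround: base64 the bytes first, so the value eyaml
# ever sees is pure ASCII, and decode on the Puppet side.
def binary_roundtrip(key, cert, bytes)
  b64 = pkcs7_encrypt(cert, Base64.strict_encode64(bytes))
  Base64.strict_decode64(pkcs7_decrypt(key, cert, b64))
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_keypair
  blob = pkcs7_encrypt(cert, 'bonjour à vous')
  yaml = sample_yaml(blob)
  p splice_decrypted(key, cert, yaml, blob)                       # nil: the edit fails
  puts splice_decrypted(key, cert, yaml, blob, fix_encoding: true) # the edited file
  bin_blob = pkcs7_encrypt(cert, SAMPLE_BINARY)
  p splice_decrypted(key, cert, sample_yaml(bin_blob), bin_blob,
                     fix_encoding: true).valid_encoding?           # false for binary
  p binary_roundtrip(key, cert, SAMPLE_BINARY) == SAMPLE_BINARY    # true
end
```

The standalone `eyaml encrypt ... | eyaml decrypt --stdin` pipeline in the question works because the decrypted bytes are written straight out and never combined with the UTF-8 text around them; it is the splice back into the file, the step `eyaml edit` performs on save, that trips Ruby's encoding check. The base64 path sidesteps both errors because the encrypted value is ASCII in either direction, at the cost the last commenter notes for class parameter auto-lookup.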