Elektra
0.8.22
|
This plugin enables file based encryption and decryption using GPG. Also an option for signing and verifying files using GPG is provided.
This plugin encrypts backend files before the commit is executed (thus precommit
). The plugin decrypts the backend files before the getstorage opens it (thus pregetstorage
). After the getstorage plugin has read the backend file, the plugin decrypts the backend file again (thus postgetstorage
).
There are two things to consider when using the fcrypt
plugin:
The plugin directs GPG to write its (decrypted) output to a temporary directory. From there on the data can be processed by other plugins. After the get
phase is over, fcrypt
overwrites the temporary file and unlinks it afterwards. However, if the application crashes during get
the decrypted data may remain in the temporary directory.
If the temporary directory is mounted on a hard disk, GPG writes the decrypted data on that disk. Thus we recommend to either mount /tmp
to a RAM disk or specify another path as temporary directory within the plugin configuration (see Configuration below).
If you encounter the following error at kdb mount
:
The command kdb mount terminated unsuccessfully with the info: Too many plugins! The plugin sync can't be positioned at position precommit anymore. Try to reduce the number of plugins! Failed because precommit with 7 is larger than 6 Please report the issue at https://issues.libelektra.org/
you might want to consider disabling the sync plugin by entering:
kdb set /sw/elektra/kdb/#0/current/plugins "" kdb set system/sw/elektra/kdb/#0/current/plugins ""
Please note that this is a workaround until a more sustainable solution is found.
This plugin uses parts of the crypto
plugin.
Please refer to crypto.
Please refer to crypto.
You can mount the plugin with encryption enabled like this:
kdb mount test.ecf /t fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D"
If you only want to sign the configuration file, you can mount the plugin like this:
kdb mount test.ecf /t fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D"
Both options encrypt/key
and sign/key
can be combined:
kdb mount test.ecf /t fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D,sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D"
If you create a key under /t
kdb set /t/a "hello world"
you will notice that you can not read the plain text of test.ecf
because it has been encrypted by GPG.
But you can still access /t/a
with kdb get
:
kdb get /t/a
If you are looking for a more interactive example, have a look at the following ASCIIcast at:
https://asciinema.org/a/136021
The GPG signature keys can be specified as sign/key
directly. If you want to use more than one key for signing, just enumerate like:
sign/key/#0 sign/key/#1
If more than one key is defined, every private key is used to sign the file of the backend.
If a signature is attached to a file, fcrypt
automatically verifies its content whenever the file is being read.
Note that the signed file is stored in the internal format of GPG. So you only see binary data when opening the signed configuration file directly. However, you can simply display the plain text content of the file by using GPG:
gpg2 -d signed.ecf
The GPG Configuration is described in crypto.
fcrypt
operates in textmode per default. In textmode fcrypt
uses the --armor
option of GPG, thus the output of fcrypt
is ASCII armored. If no encryption key is provided (i.e. only signature is requested) fcrypt
uses the --clearsign
option of GPG.
Textmode can be disabled by setting fcrypt/textmode
to 0
in the plugin configuration.
fcrypt
uses the configuration option fcrypt/tmpdir
to generate paths for temporary files during encryption and decryption. The path is forwarded to GPG via the -o
option, so GPG will output to this path. The directory must be readable and writable by the user.
/tmp
is used as default value.
We recommend to specify a path that is mounted to a RAM disk. It is advisable to set restrictive access rules to this path, so that other users on the system can not access it.