Module: YamlRecrypt::Eyaml

Defined in:

lib/yaml_recrypt/eyaml.rb

Class Method Summary

• .decrypt(ct, eyaml_pub_key, eyaml_prv_key) ⇒ Object
• .encrypt(pt, eyaml_pub_key) ⇒ Object
• .encrypt_and_encode(pt, eyaml_pub_key) ⇒ Object

Class Method Details

.decrypt(ct, eyaml_pub_key, eyaml_prv_key) ⇒ Object

# File 'lib/yaml_recrypt/eyaml.rb', line 26

def self.decrypt(ct, eyaml_pub_key, eyaml_prv_key)
  private_key_pem = File.read eyaml_prv_key
  private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )

  public_key_pem = File.read eyaml_pub_key
  public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )

  pkcs7 = OpenSSL::PKCS7.new( ct )
  pkcs7.decrypt(private_key_rsa, public_key_x509)
end

.encrypt(pt, eyaml_pub_key) ⇒ Object

# File 'lib/yaml_recrypt/eyaml.rb', line 8

def self.encrypt(pt, eyaml_pub_key)
  public_key_pem = File.read eyaml_pub_key
  public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )

  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
  OpenSSL::PKCS7::encrypt([public_key_x509], pt, cipher, OpenSSL::PKCS7::BINARY).to_der
end

.encrypt_and_encode(pt, eyaml_pub_key) ⇒ Object

# File 'lib/yaml_recrypt/eyaml.rb', line 16

def self.encrypt_and_encode(pt, eyaml_pub_key)
  # eyaml has its own YAML encryption standard which we must cludge/copy ;-)
  # basically we wedge the cyphertext inside `ENC[...]` with some metadata
  # see /lib/hiera/backend/eyaml/parser/encrypted_tokens.rb (to_encrypted)
  ct = encrypt(pt, eyaml_pub_key)
  ct64 = Base64.encode64(ct).strip
  return "ENC[PKCS7,#{ct64}]"
end