author Silvio Rhatto <rhatto@riseup.net> 2024-02-24 21:57:31 -0300
committer Silvio Rhatto <rhatto@riseup.net> 2024-02-24 21:57:31 -0300
commit a80ab6138da7a457f2cce5fd77bc7c56eb020d0c
tree 62dc66769e613abbba9fc83b70aaff8211bd4c0d
parent 69b632bcacfdb8e2235d820b8a2d32031960dfe6
Feat: docs: secrets: tpc: on hashed passphrases
-rw-r--r-- docs/tpc.md 11
1 files changed, 9 insertions, 2 deletions
diff --git a/docs/tpc.md b/docs/tpc.md
index 96140a9..5266b83 100644
--- a/docs/tpc.md
+++ b/docs/tpc.md
@@ -66,14 +66,21 @@ If you already have the secret somewhere, you can use a construction like this
which already adds the eyaml block into the hiera config file:
keyringer $HYDA decrypt /path/to/some/secret | \
- hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::password >> \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
You can also ensure a fresh random passphrase is used, using your favourite
generator like this:
head -c ${1:-20} /dev/urandom | base64 | \
- hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::random:password >> \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
+ $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
+
+For `passwd(5)` and `shadow(5)` hashed passphrases, use something like this:
+
+ head -c ${1:-20} /dev/urandom | base64 | \
+ mkpasswd -m sha-512 --stdin | \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
[hiera-yaml]: https://github.com/voxpupuli/hiera-eyaml
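Review bot: In the added `mkpasswd` example the random passphrase goes straight from `head -c ${1:-20} /dev/urandom | base64` into `mkpasswd -m sha-512 --stdin`, so only the hash reaches the eyaml file and the plaintext is never kept anywhere; it cannot be recovered afterwards. If an account with an unknown passphrase is the intent, the new paragraph should say so; otherwise the doc should tell the reader to save the generated passphrase first (for example in keyringer, which the first example already reads from) and hash the saved value. Two smaller points in the same block: the context line `keyringer $HYDA decrypt /path/to/some/secret` still reads `$HYDA` where every other command uses `$HYDRA`, which this typo-fix commit could also correct, and the label `some::random:password` has a single colon before `password` (compare `some::password`) and is reused here for a hash, where a distinct label would make clear the value is not a plaintext passphrase.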