aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2024-02-24 21:57:31 -0300
committerSilvio Rhatto <rhatto@riseup.net>2024-02-24 21:57:31 -0300
commita80ab6138da7a457f2cce5fd77bc7c56eb020d0c (patch)
tree62dc66769e613abbba9fc83b70aaff8211bd4c0d /docs
parent69b632bcacfdb8e2235d820b8a2d32031960dfe6 (diff)
downloadhydra-a80ab6138da7a457f2cce5fd77bc7c56eb020d0c.tar.gz
hydra-a80ab6138da7a457f2cce5fd77bc7c56eb020d0c.tar.bz2
Feat: docs: secrets: tpc: on hashed passphrases
Diffstat (limited to 'docs')
-rw-r--r--docs/tpc.md11
1 files changed, 9 insertions, 2 deletions
diff --git a/docs/tpc.md b/docs/tpc.md
index 96140a9..5266b83 100644
--- a/docs/tpc.md
+++ b/docs/tpc.md
@@ -66,14 +66,21 @@ If you already have the secret somewhere, you can use a construction like this
which already adds the eyaml block into the hiera config file:
keyringer $HYDA decrypt /path/to/some/secret | \
- hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::password >> \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
You can also ensure a fresh random passphrase is used, using your favourite
generator like this:
head -c ${1:-20} /dev/urandom | base64 | \
- hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::random:password >> \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
+ $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
+
+For `passwd(5)` and `shadow(5)` hashed passphrases, use something like this:
+
+ head -c ${1:-20} /dev/urandom | base64 | \
+ mkpasswd -m sha-512 --stdin | \
+ hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
[hiera-yaml]: https://github.com/voxpupuli/hiera-eyaml