CFEngine Community: CFE-3271

Add support for multi-host/multi-key encryption to cf-keycrypt


    Details

    • Type: Task
    • Status: Done
    • Priority: (None)
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.16.0
    • Component/s: cf-secret
    • Labels: None

      Description

      The EVP_SealInit() OpenSSL API supports multi-key encryption. Basically, it encrypts the symmetric AES key with multiple RSA keys, so we can just store multiple of those encrypted AES keys in the resulting file, making it possible to decrypt on multiple hosts, instead of encrypting the same file for all the hosts separately, which would result in more files and duplication of the encrypted payload (which can potentially be big).

      The easiest approach seems to be adding a new header, Encrypted-for: SHA=some-sha-here, that could/would be used multiple times. It will determine the order of the RSA keys the AES key was encrypted by, stored one after another in the file.
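The envelope sketched above, as an added example built with the openssl command line; this is not cf-keycrypt's code and not the format the project shipped. It reproduces by hand what EVP_SealInit() does in one call: the payload is encrypted once under a random AES key, and that key is RSA-encrypted once per recipient. The header layout (one Encrypted-for: SHA=<fingerprint> line per recipient, an IV line, a blank line, then the RSA blobs in header order followed by the ciphertext), the choice of SHA-256 over the DER public key as the fingerprint, the fixed RSA-2048 key size, and the helper names seal_envelope/open_envelope are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not cf-keycrypt's code: a multi-recipient envelope built with the
# openssl command line, mirroring what EVP_SealInit() does in a single call. The
# payload is encrypted once under a random AES key; that key is RSA-encrypted once
# per recipient, so adding a host adds one small blob, not a second copy of the data.
# Layout used here is an ASSUMPTION for the demo, not the format cf-keycrypt shipped:
#   Encrypted-for: SHA=<sha256 over the DER public key>   (one line per recipient)
#   IV: <hex>
#   <blank line>
#   <RSA-OAEP blob per recipient, in header order><AES-256-CBC ciphertext>
set -eu

RSA_BYTES=256   # demo assumes RSA-2048 keys: one OAEP blob == modulus size

# Recipient id for the Encrypted-for header: SHA-256 of the DER-encoded public key.
fingerprint() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# seal_envelope PLAINFILE OUTFILE PUBKEY...  -> envelope decryptable by each listed key
seal_envelope() {
    plain=$1; out=$2; shift 2
    key=$(openssl rand -hex 32)   # AES-256 key, kept as a hex string
    iv=$(openssl rand -hex 16)
    : > "$out.hdr"; : > "$out.keys"
    for pub in "$@"; do
        printf 'Encrypted-for: SHA=%s\n' "$(fingerprint "$pub")" >> "$out.hdr"
        # The i-th header line corresponds to the i-th RSA blob.
        printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
            -pkeyopt rsa_padding_mode:oaep >> "$out.keys"
    done
    printf 'IV: %s\n\n' "$iv" >> "$out.hdr"
    cat "$out.hdr" "$out.keys" > "$out"
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$plain" >> "$out"
    rm -f "$out.hdr" "$out.keys"
}

# open_envelope ENVELOPE PRIVKEY OUTFILE -> decrypt with the slot matching our key
open_envelope() {
    envf=$1; priv=$2; out=$3
    openssl rsa -in "$priv" -pubout -out "$priv.pub" 2>/dev/null
    me=$(fingerprint "$priv.pub")
    hdr=$(sed '/^$/q' "$envf")                        # text part only
    hdrlen=$(sed '/^$/q' "$envf" | wc -c | tr -d ' ') # byte offset of first blob
    nrcpt=$(printf '%s\n' "$hdr" | grep -c '^Encrypted-for: ')
    # Position of our fingerprint among the Encrypted-for lines selects the blob.
    slot=$(printf '%s\n' "$hdr" | grep '^Encrypted-for: ' | grep -n "SHA=$me\$" | cut -d: -f1)
    if [ -z "$slot" ]; then
        echo "open_envelope: $envf is not encrypted for this key" >&2
        return 1
    fi
    iv=$(printf '%s\n' "$hdr" | sed -n 's/^IV: //p')
    koff=$((hdrlen + (slot - 1) * RSA_BYTES))
    key=$(dd if="$envf" bs=1 skip="$koff" count="$RSA_BYTES" 2>/dev/null \
        | openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep)
    poff=$((hdrlen + nrcpt * RSA_BYTES))
    dd if="$envf" bs=1 skip="$poff" 2>/dev/null \
        | openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -out "$out"
}

# Round trip: seal for two of three hosts, open as a listed and as an unlisted host.
demo() {
    d=$(mktemp -d)
    for h in alpha beta gamma; do
        openssl genrsa -out "$d/$h.key" 2048 2>/dev/null
        openssl rsa -in "$d/$h.key" -pubout -out "$d/$h.pub" 2>/dev/null
    done
    printf 'constructed secret payload for the demo\n' > "$d/secret.txt"   # constructed input
    seal_envelope "$d/secret.txt" "$d/secret.env" "$d/alpha.pub" "$d/beta.pub"
    open_envelope "$d/secret.env" "$d/beta.key" "$d/beta.out"
    cmp -s "$d/secret.txt" "$d/beta.out" || return 1
    # gamma was not listed: its key must not open the envelope
    if open_envelope "$d/secret.env" "$d/gamma.key" "$d/gamma.out" 2>/dev/null; then
        return 1
    fi
    # exactly two Encrypted-for headers; the payload itself is stored only once
    [ "$(sed '/^$/q' "$d/secret.env" | grep -c '^Encrypted-for: ')" = 2 ]
}

demo && echo "multi-recipient envelope round trip OK"
```

The reader keys on the position of its own fingerprint among the Encrypted-for lines and seeks to the matching RSA blob, which is exactly why the header order has to equal the blob order. A host whose key is absent gets a clean "not encrypted for this key" failure rather than an OAEP decryption error on a blob that was never meant for it.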

              People

              • Assignee:
                vpodzime Vratislav Podzimek
                Reporter:
                vpodzime Vratislav Podzimek