hiera-eyaml-sshagent

  • 0.1
  • Rubygems

A hiera-eyaml plugin which uses the ssh agent connected to SSH_AUTH_SOCK to encrypt / decrypt values.

installation

gem install hiera-eyaml-sshagent

configuring

The plugin takes a single option sshagent_keyid:

version: 5
hierarchy:
    -   name: "Common secret data"
        lookup_key: eyaml_lookup_key
        path: common.eyaml
        options:
          sshagent_keyid: /home/asottile/.ssh/id_rsa
    -   name: "Common data"
        path: common.yaml

The keyid should match what is printed by ssh-add -l.

how it works

It is based on code / ideas from the following:

retrieve symmetric key

This procedure takes a keyid, a 64 byte challenge, and a 16 byte salt.

  1. list ssh identities by querying SSH_AUTH_SOCK
  2. find the identity matching keyid
  3. sign the challenge using that identity
  4. use the response blob as a "password" with pbkdf2_hmac (using the salt)
  5. the result is a 32 byte key which will be used with fernet

encrypt(keyid, blob)

  1. generate a 64 byte "challenge" and 16 byte salt
  2. retrieve symmetric key
  3. encrypt with the symmetric key
  4. store a blob of {challenge, salt, payload}

decrypt(keyid, blob)

  1. load the stored blob {challenge, salt, payload}
  2. retrieve symmetric key
  3. decrypt with symmetric key
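The three procedures above, worked through end to end as an added Ruby example; this is not the gem's own code. To run offline it replaces the ssh agent on SSH_AUTH_SOCK with an in-memory stand-in (FakeAgent, holding RSA keys generated on the spot under a constructed keyid path), implements Fernet inline from the public spec (AES-128-CBC with PKCS7 padding and HMAC-SHA256, the 32 byte key split into a signing half and an encryption half), and picks its own PBKDF2 iteration count and digest. All of those choices are assumptions of this example, not settings of the plugin.

```ruby
# Added example (not hiera-eyaml-sshagent's code): the "retrieve symmetric key",
# encrypt and decrypt procedures with the agent and Fernet modelled locally.
require 'openssl'
require 'securerandom'

# Stand-in for the ssh agent (assumption: the real plugin talks to SSH_AUTH_SOCK).
class FakeAgent
  def initialize
    @identities = {}
  end

  def add(keyid, rsa_key)
    @identities[keyid] = rsa_key
  end

  # Steps 1 + 2: list identities and find the one matching keyid.
  def find(keyid)
    @identities.fetch(keyid) { raise KeyError, "no agent identity for #{keyid}" }
  end

  # Step 3: sign the challenge. RSA PKCS#1 v1.5 signing is deterministic,
  # which the scheme relies on: the same challenge must give the same blob.
  def sign(keyid, challenge)
    find(keyid).sign(OpenSSL::Digest.new('SHA256'), challenge)
  end
end

PBKDF2_ITERATIONS = 100_000 # example choice, not the gem's setting

# Steps 4 + 5: the signature blob is the PBKDF2 "password"; 32 byte output.
def retrieve_symmetric_key(agent, keyid, challenge, salt)
  signature = agent.sign(keyid, challenge)
  OpenSSL::KDF.pbkdf2_hmac(signature, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: 'sha256')
end

# Minimal Fernet: 0x80 | 64-bit BE timestamp | 16 byte IV | AES-128-CBC body | HMAC-SHA256.
module Fernet
  VERSION = "\x80".b

  def self.b64url_encode(s)
    [s].pack('m0').tr('+/', '-_')
  end

  def self.b64url_decode(s)
    s.tr('-_', '+/').unpack1('m0')
  end

  # Constant-time comparison so a wrong key or tampered token leaks no timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encrypt(key, plaintext)
    sign_key, enc_key = key[0, 16], key[16, 16]
    iv = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
    cipher.key = enc_key
    cipher.iv = iv
    body = VERSION + [Time.now.to_i].pack('Q>') + iv + cipher.update(plaintext) + cipher.final
    b64url_encode(body + OpenSSL::HMAC.digest('SHA256', sign_key, body))
  end

  def self.decrypt(key, token)
    sign_key, enc_key = key[0, 16], key[16, 16]
    raw = b64url_decode(token)
    body, hmac = raw[0...-32], raw[-32, 32]
    expected = OpenSSL::HMAC.digest('SHA256', sign_key, body)
    # The MAC check happens before any decryption is attempted.
    raise 'invalid token' unless secure_equal?(expected, hmac) && body[0] == VERSION
    cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
    cipher.key = enc_key
    cipher.iv = body[9, 16]
    cipher.update(body[25..-1]) + cipher.final
  end
end

# encrypt(keyid, blob): fresh challenge + salt, derive key, store all three parts.
def sshagent_encrypt(agent, keyid, plaintext)
  challenge = SecureRandom.random_bytes(64)
  salt = SecureRandom.random_bytes(16)
  key = retrieve_symmetric_key(agent, keyid, challenge, salt)
  { challenge: challenge, salt: salt, payload: Fernet.encrypt(key, plaintext) }
end

# decrypt(keyid, blob): re-derive the same key from the stored challenge + salt.
def sshagent_decrypt(agent, keyid, blob)
  key = retrieve_symmetric_key(agent, keyid, blob[:challenge], blob[:salt])
  Fernet.decrypt(key, blob[:payload])
end

# Round trip with constructed keyids; returns [decrypted text, wrong-key rejected?].
def demo
  agent = FakeAgent.new
  agent.add('/home/example/.ssh/id_rsa', OpenSSL::PKey::RSA.new(2048))
  agent.add('/home/example/.ssh/other_rsa', OpenSSL::PKey::RSA.new(2048))
  blob = sshagent_encrypt(agent, '/home/example/.ssh/id_rsa', 'db_password: constructed-secret')
  decrypted = sshagent_decrypt(agent, '/home/example/.ssh/id_rsa', blob)
  other_rejected = begin
    sshagent_decrypt(agent, '/home/example/.ssh/other_rsa', blob)
    false
  rescue RuntimeError
    true
  end
  [decrypted, other_rejected]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Two points the walk-through makes visible: nothing secret is stored in the blob, since the stored challenge and salt only reproduce the key for whoever can get the matching identity to sign the challenge; and the whole scheme depends on that signature being deterministic, which holds for the RSA PKCS#1 v1.5 signing used here but would not for a randomized signature scheme. Decrypting with a different identity derives a different key and fails at the Fernet MAC check, before any ciphertext is touched.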

why?

I use a masterless puppet setup to manage my machines.

My current bootstrapping process is:

  1. place ssh key on machine
  2. clone the repo
  3. ./run-puppet

As such, I wanted a hiera-eyaml backend which didn't involve typing in more passwords or copying around more keys (since I'm already using my ssh key).

Package last updated on 11 Feb 2019
