pkcs7

tasks
Bolt plugin to encrypt and decrypt sensitive data

Puppet

puppetlabs

Version information

  • 0.1.2 (latest)
  • 0.1.1
  • 0.1.0
released Jun 10th 2021
Tasks:
  • secret_createkeys
  • secret_decrypt
  • secret_encrypt

Start using this module

Add this declaration to your Puppetfile:

mod 'puppetlabs-pkcs7', '0.1.2'

Add this module to a Bolt project:

bolt module add puppetlabs-pkcs7

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-pkcs7 --version 0.1.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

puppetlabs/pkcs7 — version 0.1.2 Jun 10th 2021

pkcs7

Table of Contents

  1. Description
  2. Parameters
  3. Configuration
  4. Usage
  5. Bolt CLI Usage

Description

This module includes Bolt plugins for creating key pairs and encrypting and decrypting sensitive values.

Parameters

pkcs7::secret_createkeys

The pkcs7::secret_createkeys task creates a key pair used to encrypt and decrypt values. It accepts the following values:

| Option | Type | Description | Default |
| --- | --- | --- | --- |
| force | Boolean | Whether to overwrite an existing key pair. | false |
| keysize | Integer | The size of the key to generate. | 2048 |
| private_key | String | The path to the private key. Accepts an absolute path or a path relative to the boltdir. | <boltdir>/keys/private_key.pkcs7.pem |
| public_key | String | The path to the public key. Accepts an absolute path or a path relative to the boltdir. | <boltdir>/keys/public_key.pkcs7.pem |

pkcs7::secret_decrypt

The pkcs7::secret_decrypt task decrypts an encrypted value and returns the plaintext. It accepts the following values:

| Option | Type | Description | Default |
| --- | --- | --- | --- |
| encrypted_value | String | The encrypted value. | |
| private_key | String | The path to the private key. Accepts an absolute path or a path relative to the boltdir. | <boltdir>/keys/private_key.pkcs7.pem |
| public_key | String | The path to the public key. Accepts an absolute path or a path relative to the boltdir. | <boltdir>/keys/public_key.pkcs7.pem |

pkcs7::secret_encrypt

The pkcs7::secret_encrypt task encrypts a sensitive value and returns an encrypted value. It accepts the following values:

| Option | Type | Description | Default |
| --- | --- | --- | --- |
| plaintext_value | String | The value to encrypt. | |
| public_key | String | The path to the public key. Accepts an absolute path or a path relative to the boltdir. | <boltdir>/keys/public_key.pkcs7.pem |

Configuration

The pkcs7 plugin can be configured in a bolt-project.yaml or bolt-defaults.yaml file. This configuration applies both when the plugin is used in configuration and inventory files and when running 'bolt secret' commands on the command line. The following values can be configured and apply to each plugin that uses the value:

  • keysize
  • private_key
  • public_key

---
plugins:
  pkcs7:
    keysize: 4096
    private_key: ./nothing_to_see_here/private.pkcs7.pem
    public_key: ./nothing_to_see_here/public.pkcs7.pem

Usage

The pkcs7::secret_decrypt task is aliased to resolve_reference, so it can be used anywhere that a resolve_reference task can be used, such as a bolt.yaml, inventory.yaml, or a plan. To use the plugin, write a plugin reference anywhere you need to decrypt an encrypted value:

targets:
  - uri: example.com
    config:
      ssh:
        password:
          _plugin: pkcs7
          encrypted_value: |
            ENC[PKCS7,MY_ENCRYPTED_DATA]
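
A pre-commit style check for the inventory format shown above, added here as an example and not part of the module's own code: it walks a parsed inventory and reports sensitive settings that hold plaintext or a malformed pkcs7 reference. The key list, the Base64 assumption about the ENC[PKCS7,...] payload, and the sample inventory are assumptions made for this example; an unreplaced MY_ENCRYPTED_DATA placeholder is reported because it is not Base64.

```ruby
require 'yaml'
# Assumed list of settings that should never hold plaintext; extend for your project.
SENSITIVE_KEYS = %w[password sudo-password].freeze
# Assumption: the payload inside ENC[PKCS7,...] is Base64 text (whitespace allowed).
ENC_SHAPE = %r{\AENC\[PKCS7,[A-Za-z0-9+/=\s]+\]\s*\z}

# Returns nil when the value is acceptable, otherwise a short description of the problem.
def problem_with(value)
  return 'plaintext value' unless value.is_a?(Hash) && value.key?('_plugin')
  return nil unless value['_plugin'] == 'pkcs7' # other plugins are not checked here
  enc = value['encrypted_value']
  return 'missing encrypted_value' unless enc.is_a?(String)
  'encrypted_value is not ENC[PKCS7,<base64>]' unless enc.match?(ENC_SHAPE)
end

# Walk parsed YAML and return [path, problem] pairs for every sensitive key found.
def audit(node, path = [])
  children = case node
             when Hash then node.to_a
             when Array then node.each_with_index.map { |item, i| [i, item] }
             else []
             end
  children.flat_map do |key, value|
    here = path + [key.to_s]
    next audit(value, here) unless SENSITIVE_KEYS.include?(key.to_s)
    issue = problem_with(value)
    issue ? [[here.join('.'), issue]] : []
  end
end

# Constructed sample inventory (hosts, password and ciphertext are made up).
SAMPLE_INVENTORY = <<~INVENTORY
  targets:
    - uri: web1.example.com
      config:
        ssh:
          password: hunter2
    - uri: web2.example.com
      config:
        ssh:
          password:
            _plugin: pkcs7
            encrypted_value: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAx]
          sudo-password:
            _plugin: pkcs7
            encrypted_value: ENC[PKCS7,MY_ENCRYPTED_DATA]
INVENTORY
FINDINGS = audit(YAML.safe_load(SAMPLE_INVENTORY))
FINDINGS.each { |path, issue| puts "#{path}: #{issue}" }
```

To check a real project, pass the parsed contents of its inventory.yaml to audit and fail the commit or CI job when the result is non-empty.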

Bolt CLI Usage

The pkcs7 plugins can be used directly from the Bolt CLI using the bolt secret commands. This module is bundled with Bolt and is the default plugin used by the bolt secret commands.

NOTE: You must configure the keysize, public_key, and private_key parameters in your bolt-project.yaml or bolt-defaults.yaml as shown above. Only the --force parameter can be passed on the command line.

Creating keys

To create keys for a Bolt project, run the following command:

*nix shell command

$ bolt secret createkeys [options]

PowerShell cmdlet

New-BoltSecretKey [options]

Decrypting a value

To decrypt an encrypted value, run the following command:

*nix shell command

$ bolt secret decrypt <encrypted_value> [options]

PowerShell cmdlet

Unprotect-BoltSecret -Text <encrypted_value> [options]

Encrypting a value

To encrypt plaintext, run the following command:

*nix shell command

$ bolt secret encrypt <plaintext_value> [options]

PowerShell cmdlet

Protect-BoltSecret -Text <plaintext_value> [options]