Crypto tutorial #1955
Crypto tutorial #1955
Conversation
doc/tutorials/crypto.md
Outdated
|
|
||
| ## Configuration File Encryption/Decryption | ||
|
|
||
| The `fcrypt` plugin enables the encryption and decryption of entire configuration files, thus protecting the confidentiality of the configuration values. |
There was a problem hiding this comment.
suggestions:
- of all containing configuration settings.
- of the configuration keys and values.
doc/tutorials/crypto.md
Outdated
| Elektra can protect the following aspects of your configuration: | ||
|
|
||
| 1. confidentiality, and | ||
| 2. integrity. |
There was a problem hiding this comment.
write very shortly what this is.
doc/tutorials/crypto.md
Outdated
| The `fcrypt` plugin enables the encryption and decryption of entire configuration files, thus protecting the confidentiality of the configuration values. | ||
| `fcrypt` utilizes GnuPG (GPG) for all cryptographic operations. | ||
| The GPG key, which is used for encryption and decryption, is specified in the backend configuration under `encrypt/key`. | ||
| You MUST be in possesion of the private key, otherwise `fcrypt` will deny all operations. |
doc/tutorials/crypto.md
Outdated
| The GPG key, which is used for encryption and decryption, is specified in the backend configuration under `encrypt/key`. | ||
| You MUST be in possesion of the private key, otherwise `fcrypt` will deny all operations. | ||
|
|
||
| Let's assume your GPG private key has the ID `DDEBEF9EE2DC931701338212DAF635B17F230E8D`. |
There was a problem hiding this comment.
Please explain how to find out.
doc/tutorials/crypto.md
Outdated
|
|
||
| The `fcrypt` plugin enables the encryption and decryption of entire configuration files, thus protecting the confidentiality of the configuration values. | ||
| `fcrypt` utilizes GnuPG (GPG) for all cryptographic operations. | ||
| The GPG key, which is used for encryption and decryption, is specified in the backend configuration under `encrypt/key`. |
There was a problem hiding this comment.
That is too fast. It is not clear what the tutorial is about. What is a backend configuration? (maybe avoid the term altogether)
doc/tutorials/crypto.md
Outdated
|
|
||
| kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini | ||
|
|
||
| We recommend adding the `base64` plugin to the backend, because `crypto` will output binary data. |
There was a problem hiding this comment.
Why not recommend it in the contract? Then simply pass --with-recommends in the command above.
doc/tutorials/crypto.md
Outdated
|
|
||
| We recommend adding the `base64` plugin to the backend, because `crypto` will output binary data. | ||
| Having binary data in configuration files is hardly ever feasible. | ||
| `base64` encodes all binary values within a configuration file and transforms them into Base64 strings. |
There was a problem hiding this comment.
Small example: what are base64 strings
doc/tutorials/crypto.md
Outdated
| If the value is equal to `1`, the value of the Key will be encrypted. | ||
|
|
||
| Let's demonstrate this using an example. | ||
| We want to protect the password, that is stored under `user/test/password`. |
There was a problem hiding this comment.
Again: a more concrete example would be more interesting.
doc/tutorials/crypto.md
Outdated
| We want to protect the password, that is stored under `user/test/password`. | ||
| So we set the meta-key as follows: | ||
|
|
||
| kdb setmeta user/test/password crypto/encrypt 1 |
There was a problem hiding this comment.
Does it also work if you do everything with cascading keys (without user). (And thus writing to spec)
| You can disable the encryption by setting `crypto/encrypt` to a value other than `1`, for example: | ||
|
|
||
| kdb setmeta user/test/password crypto/encrypt 0 | ||
|
|
There was a problem hiding this comment.
Always demonstrate that what you said actually happened (cat the file or grep for the value)
|
|
||
| The GPG key we use in this tutorial has the ID `DDEBEF9EE2DC931701338212DAF635B17F230E8D`. | ||
|
|
||
| A GPG private key is mandatory for the plugins to work. |
There was a problem hiding this comment.
Also for checking signatures?
|
|
||
| gpg2 --generate-key | ||
|
|
||
| The `fcrypt` plugin and the `crypto` plugin support both versions (version 1 and version 2) of GPG. |
There was a problem hiding this comment.
Is it possible to intermix them? Which will be preferred?
There was a problem hiding this comment.
Thank you for writing the tutorial. The text looks good to me. I only noticed some minor things.
Overall I think it would make sense to use Markdown Shell Recorder syntax in the tutorial. Two benefits of this approach are:
- The reader of the tutorial sees all commands and the expected behavior of the commands.
- The build servers check that the commands work correctly.
If we use this approach, then the tutorial requires a (predetermined) cryptographic key pair. I suggest we add a randomly generated pair of public and private key to the repo. In the tutorial we can then add shell commands to import the keys via gpg at the start and commands to remove the two keys at the end. I do not know how much work that is though, since I do not use gpg that often.
doc/tutorials/crypto.md
Outdated
| In this tutorial we explain the use of the `crypto` plugin and the `fcrypt` plugin by a simple example: | ||
| We want to protect a password that is contained in an INI-file. | ||
|
|
||
| Without encryption, the file could be mounted like: |
There was a problem hiding this comment.
I am not sure if this is actually a mistake, but I would add the word “this” here:
…could be mounted like this:
.
| `fcrypt` utilizes GPG for all cryptographic operations. | ||
| The GPG key, which is used for encryption and decryption, is specified in the backend configuration under `encrypt/key`. | ||
|
|
||
| sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini |
There was a problem hiding this comment.
This command fails if we start with an empty configuration:
The command kdb mount terminated unsuccessfully with the info:
Too many plugins!
The plugin sync can't be positioned at position precommit anymore.
Try to reduce the number of plugins!
Failed because precommit with 7 is larger than 6
Please report the issue at https://issues.libelektra.org/
. I would add something like this:
If the above command fails, please take a look at the
[ReadMe of the `fcrypt` plugin](https://master.libelektra.org/src/plugins/fcrypt/README.md#known-issues)..
doc/tutorials/crypto.md
Outdated
|
|
||
| The command above results in the following content of `test.ini`: | ||
|
|
||
| password = 1234 |
There was a problem hiding this comment.
I think it might also make sense to add a shell command that prints the content of test.ini here:
kdb file user/test/password | xargs cat
#> password = 1234.
doc/tutorials/crypto.md
Outdated
| ## Configuration File Signatures | ||
|
|
||
| `fcrypt` also offers the option to sign and verify configuration files, thus protecting the integrity of the configuration values. | ||
| If `sign/key` is specified in the backend configuration, `fcrypt` will forward the key ID to be used for signing the configuration file. |
There was a problem hiding this comment.
I think you can remove ”to be used” here:
…
fcryptwill forward the key ID to sign the configuration file.
.
doc/tutorials/crypto.md
Outdated
| An example backend configuration is given as follows: | ||
|
|
||
| sudo kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini | ||
|
|
There was a problem hiding this comment.
This line contains 4 trailing spaces (as do lines 86, 130, 134 and 143). Do your really want to add an empty line of code after the command?
doc/tutorials/crypto.md
Outdated
| 3. `crypto_botan` | ||
|
|
||
| provide the option to encrypt and decrypt single configuration values (Keys) in a Keyset. | ||
| `crypto` is using GPG for key-handling. |
There was a problem hiding this comment.
While not wrong in any shape or form, I think we should prefer active over passive voice whenever possible:
cryptouses GPG for key-handling.
.
There was a problem hiding this comment.
And to not start with a mono spaced word, you could write:
The plugin crypto uses GPG for keys.
|
Thank you both for the feedback. I will try to further improve the tutorial. How hard is it to learn the Shell-Recorder stuff? I've never used it before (but would like to try) 😄 |
I think using the Markdown Shell Recorder should be relatively easy, if you know a little bit about shell commands. While the (Markdown) Shell Recorder certainly has a lot of problems, using it for simple commands should work just fine. You can add a Markdown Shell Recorder test for the tutorial by adding the line add_msr_test (tutorial_crypto "${CMAKE_SOURCE_DIR}/doc/tutorials/crypto.md"
REQUIRED_PLUGINS crypto fcrypt)to the file , the Shell Recorder will test that
. To execute the test you can use the following command inside the build directory: ctest --output-on-failure -V -R testshell_markdown_tutorial_crypto. |
|
I would like to use the shell recorder but I see two problems here:
kdb set /sw/elektra/kdb/#0/current/plugins ""
sudo kdb set system/sw/elektra/kdb/#0/current/plugins ""
sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini
kdb set user/test/password 1234
#> Create a new key user/test/password with string "1234"
kdb file user/test/password | xargs cat
kdb file user/test/password | xargs rm -f
sudo kdb umount user/test
|
|
sry I accidentally stopped your jenkinsfile build job |
|
jenkins build jenkinsfile please |
no problem |
I think we should try to not use Since Elektra already removes empty configuration files we can use kdb set /sw/elektra/kdb/#0/current/plugins ""
sudo kdb set system/sw/elektra/kdb/#0/current/plugins ""
sudo kdb mount test.ini user/test fcrypt "encrypt/key=14E8E68A868B858E6DE53044630BDC935E2CC0C7" ini
kdb set user/test/password 1234
#> Create a new key user/test/password with string "1234"
# Cleanup
kdb rm user/test/password
kdb rm /sw/elektra/kdb/#0/current/plugins
sudo kdb rm system/sw/elektra/kdb/#0/current/plugins
sudo kdb umount user/test. Please note that for the test to also work on your computer, you have to replace the key fingerprint above with the fingerprint of one of your keys. Another problem I noticed was that the tutorial contains indented code blocks. The Markdown Shell Recorder does not handle such code blocks properly! You need to move the block and the code to the left. For an example, please take a look at
Unfortunately my knowledge of GPG and especially Docker is quite limited. Maybe some of the other Elektra developers knows how to handle this situation properly. |
since the 'private' key does not have to be really private it is trivial to add it to the container. |
|
Btw. if the docu of the shell recorder has problems it would be great to get fixes there, too. |
|
Is |
petermax2
force-pushed
the
crypto-tutorial
branch
from
2e8d8e5 to
4bb95aa
Compare
|
No it isn't. Do you really need to bake it into the docker file? Can you not run gpg --import path-to-key-in-repo somewhere in the tutorial? |
|
No, they were broken since a long time but nobody fixed or disabled them. I disabled them now. #1963 and #1964 will reintroduce them (as Jenkinsfile). @petermax2 There are open issues about fcrypt/crypto described in #1973 |
|
I am afraid that the build server is not able to successfully run the tutorial with shell recorder, curl was not available. I installed curl on some of the machines but I am not sure if I got all. Maybe using wget is more easily available. We already use it in the link checker. (the curlget plugin only uses libcurl but does not need the tool curl) But why not directly include the private key in the repo and avoid fetching remote content at all? |
|
Travis fails too but for a different reason: password = 1234 https://travis-ci.org/ElektraInitiative/libelektra/jobs/377887442 |
|
jenkins build all please |
|
Btw. if all of the failing jobs are problems of the build servers (and not bugs in the tutorial), we can include the tutorial without executing shell recorder for this release. But please have a look what the build servers say. |
|
Thank you! Looks much more robust now! |
|
jenkins build all please |
I hope the relative path works for all build environments. |
doc/tutorials/crypto.md
Outdated
| We **DO NOT RECOMMEND** to use our key on your local machine, as it is available to the public! | ||
|
|
||
| ```sh | ||
| gpg --import ../../src/plugins/crypto/test_key.asc |
There was a problem hiding this comment.
I think the correct path should be src/plugins/crypto/test_key.asc. The Shell Recorder uses the root of the repo as working directory.
|
jenkins build all please |
If gpg2 is available, fcrypt and crypto will prefer v2. On build servers where v2 is available, the shell recorder will most likely fail, if we import the test key solely for v1.
|
jenkins build all please |
|
@markus2330 it seems like neither returned with exit code EDIT: Exit code |
I do not think that is the problem. I can reproduce the failure locally, if I use cmake ..
-DKDB_DB_FILE='default.ini' \
-DKDB_DB_INIT='elektra.ini' \
-DKDB_DEFAULT_STORAGE=ini. Everything works fine if I use Edit: Corrected value for |
|
@sanssecours thank you for your help! we should definetly investigate this issue further, but not within the scope of this PR. Does everyone agree? |
doc/tutorials/crypto.md
Outdated
|
|
||
| ```sh | ||
| gpg2 --import src/plugins/crypto/test_key.asc || gpg --import src/plugins/crypto/test_key.asc | ||
| echo "trust-model always" > ~/.gnupg/gpg.conf |
There was a problem hiding this comment.
I think this line is quite dangerous. This command just overwrote my local GPG configuration.
|
@sanssecours I agree. It's fine on the build server but nothing one should execute locally. I will disable the MSR check until the existing issues are resolved. |
|
hmm the msr test for crypto should probably set HOME to a tmpdir so no overwrite of config can happen on dev machines |
|
I opened #1981 for further investigation. |
|
Thank you for creating the tutorial! Please feel free to create a new PR if you managed to successfully run it with the shell recorder. |
Purpose
Add crypto tutorial, as requested in #1948 .
Please feel free to critisize, add ideas, give feedback, improve, etc. etc.
TODO
Checklist
@markus2330 please review my pull request