From db0a8e31099e6839f4ccb1d194a548b254812a2f Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sun, 6 May 2018 17:56:32 +0200 Subject: [PATCH 01/16] crypto: add tutorial See #1948 --- doc/tutorials/crypto.md | 106 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 doc/tutorials/crypto.md diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md new file mode 100644 index 00000000000..e84468a3ad3 --- /dev/null +++ b/doc/tutorials/crypto.md @@ -0,0 +1,106 @@ +# Cryptographic Methods in Elektra + +Elektra can protect the following aspects of your configuration: + +1. confidentiality, and +2. integrity. + +Elektra provides two plugins to achieve this protection: + +1. `crypto`, and +2. `fcrypt`. + +## Configuration File Encryption/Decryption + +The `fcrypt` plugin enables the encryption and decryption of entire configuration files, thus protecting the confidentiality of the configuration values. +`fcrypt` utilizes GnuPG (GPG) for all cryptographic operations. +The GPG key, which is used for encryption and decryption, is specified in the backend configuration under `encrypt/key`. +You MUST be in possesion of the private key, otherwise `fcrypt` will deny all operations. + +Let's assume your GPG private key has the ID `DDEBEF9EE2DC931701338212DAF635B17F230E8D`. +If you want to encrypt your configuration file `test.ini` you can mount the backend under `user/test` like this: + + kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini + +As a result the file `test.ini` is encrypted using GnuPG. +`fcrypt` will call the `gpg2` or `gpg` binary as follows: + + gpg2 -o test.ini -a -r DDEBEF9EE2DC931701338212DAF635B17F230E8D -e test.ini.tmp + +Note that `test.ini` can not only be decrypted by Elektra, but it is also possible to decrypt it with GnuPG directly, as long as you are in possesion of the private key. + +## Configuration File Signatures + +`fcrypt` also offers the option to sign and verify configuration files, thus protecting the integrity of the configuration values. +If `sign/key` is specified in the backend configuration, `fcrypt` will forward the key ID to be used for signing the configuration file. + +An example backend configuration is given as follows: + + kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini + +As a result the file `test.ini` will be signed using GPG. +`fcrypt` will call the `gpg2` or `gpg` binary as follows: + + gpg2 -o test.ini -a -u DDEBEF9EE2DC931701338212DAF635B17F230E8D -r DDEBEF9EE2DC931701338212DAF635B17F230E8D -s test.ini.tmp + +If `test.ini` is modified, all following calls of `kdb get` will fail with an error message stating that the signature of the file could not be verified. + +### Combining Signatures and Encryption + +The options `sign/key` and `encrypt/key` can be combined together, resulting in configuration files, that are signed and encrypted. + +## Configuration Value Encryption/Decryption + +The compilation variants of the `crypto` plugin: + +1. `crypto_gcrypt`, +2. `crypto_openssl`, and +3. `crypto_botan` + +provide the option to encrypt and decrypt single configuration values (Keys) in a Keyset. +`crypto` is using GPG for key-handling. + +Let's assume you want to store an encrypted password in `test.ini` but you do not want to encrypt the entire configuration file. +You can use the `crypto` plugin to solve this problem. +An example backend configuration is given as follows: + + kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini + +We recommend to add the `base64` plugin to the backend, because `crypto` will output binary data. +Having binary data in configuration files is hardly ever feasible. +`base64` encodes all binary values within a configuration file and transforms them into Base64 strings. + +### Marking Keys For Encryption + +To tell the `crypto` plugin which Keys it should process, the meta-key `crypto/encrypt` is used. +The `crypto` plugin searches for the meta-key `crypto/encryp`. +If the value is equal to `1`, the value of the Key will be encrypted. + +Let's demonstrate this using an example. +We want to protect the password, that is stored under `user/test/password`. +So we set the meta-key as follows: + + kdb setmeta user/test/password crypto/encrypt 1 + +Now we are safe to set the actual password: + + kdb set user/test/password "1234" + +The resulting INI-file contains the following data: + + #@META crypto/encrypt = 1 + password = @BASE64IyFjcnlwdG8wMBEAAADwPI+lqp+X2b6BIfLdRYgwxmAhVUPurqkQVAI78Pn4OYONbei4NfykMPvx9C9w91KT + +You can access the password as usual with `kdb get`: + + kdb get user/test/password + +As a result you get "1234". + +### Disabling Encryption + +You can disable the encryption by setting `crypto/encrypt` to a value other than `1`, for example: + + kdb setmeta user/test/password crypto/encrypt 0 + + From ef60fd5c03bb5e9ed8a7f59241d8127313049bf9 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sun, 6 May 2018 18:00:38 +0200 Subject: [PATCH 02/16] crypto: tutorial correction --- doc/tutorials/crypto.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index e84468a3ad3..eee093b7f11 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -66,14 +66,14 @@ An example backend configuration is given as follows: kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini -We recommend to add the `base64` plugin to the backend, because `crypto` will output binary data. +We recommend adding the `base64` plugin to the backend, because `crypto` will output binary data. Having binary data in configuration files is hardly ever feasible. `base64` encodes all binary values within a configuration file and transforms them into Base64 strings. ### Marking Keys For Encryption To tell the `crypto` plugin which Keys it should process, the meta-key `crypto/encrypt` is used. -The `crypto` plugin searches for the meta-key `crypto/encryp`. +The `crypto` plugin searches for the meta-key `crypto/encrypt`. If the value is equal to `1`, the value of the Key will be encrypted. Let's demonstrate this using an example. From cd5e48ebc5b1e75840e14d73487e9574ebae44d6 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sun, 6 May 2018 21:34:21 +0200 Subject: [PATCH 03/16] crypto: improve tutorial (still needs some love) --- doc/tutorials/crypto.md | 70 ++++++++++++++++++++++++++++++++++------- 1 file changed, 58 insertions(+), 12 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index eee093b7f11..5729c214733 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -2,32 +2,78 @@ Elektra can protect the following aspects of your configuration: -1. confidentiality, and -2. integrity. +1. confidentiality (i.e. protection against unauthorized access), and +2. integrity (i.e. protection against unauthorized modification). Elektra provides two plugins to achieve this protection: 1. `crypto`, and 2. `fcrypt`. +## Prerequisites - GnuPG + +For the rest of this tutorial we assume that you are somewhat familiar with GnuPG (GPG). +The documentation of GnuPG can be found [here](https://gnupg.org/documentation/index.html). + +In order to find your GPG private key(s) you can use: + + gpg2 --list-secret-keys + +If GPG private keys are available, you see an output, that looks similar to this: + + sec rsa1024 2016-08-20 [SC] + DDEBEF9EE2DC931701338212DAF635B17F230E8D + uid [ultimate] Elektra Unit Tests (DO NOT USE IN PRODUCTION) + ssb rsa1024 2016-08-20 [E] + +The GPG key we use in this tutorial has the ID `DDEBEF9EE2DC931701338212DAF635B17F230E8D`. + +A GPG private key is mandatory for the plugins to work. +If you have no GPG private key available, you can generate one by entering the following command: + + gpg2 --generate-key + +The `fcrypt` plugin and the `crypto` plugin support both versions (version 1 and version 2) of GPG. + +## Introduction + +In this tutorial we explain the use of the `crypto` plugin and the `fcrypt` plugin by a simple example: +We want to protect a password that is contained in an INI-file. + +Without encryption, the file could be mounted like: + + sudo kdb mount test.ini user/test ini + +We create the password at `user/test/password`: + + kdb set user/test/password 1234 + +The command above results in the following content of `test.ini`: + + password = 1234 + +As you can see the password is stored in plain text. +In this tutorial we demonstrate two different approaches towards confidentiality: + +1. with the `fcrypt` plugin, which encrypts the entire INI-file, and +2. with the `crypto` plugin, which allows the encryption of specific key values only. + +We also show how to approach integrity with the signature features of the `fcrypt` plugin. + ## Configuration File Encryption/Decryption -The `fcrypt` plugin enables the encryption and decryption of entire configuration files, thus protecting the confidentiality of the configuration values. -`fcrypt` utilizes GnuPG (GPG) for all cryptographic operations. +The `fcrypt` plugin enables the encryption and decryption of entire configuration files, thus protecting the confidentiality of the configuration keys and values. +`fcrypt` utilizes GPG for all cryptographic operations. The GPG key, which is used for encryption and decryption, is specified in the backend configuration under `encrypt/key`. -You MUST be in possesion of the private key, otherwise `fcrypt` will deny all operations. - -Let's assume your GPG private key has the ID `DDEBEF9EE2DC931701338212DAF635B17F230E8D`. -If you want to encrypt your configuration file `test.ini` you can mount the backend under `user/test` like this: - kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini + sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini As a result the file `test.ini` is encrypted using GnuPG. `fcrypt` will call the `gpg2` or `gpg` binary as follows: gpg2 -o test.ini -a -r DDEBEF9EE2DC931701338212DAF635B17F230E8D -e test.ini.tmp -Note that `test.ini` can not only be decrypted by Elektra, but it is also possible to decrypt it with GnuPG directly, as long as you are in possesion of the private key. +Note that `test.ini` can not only be decrypted by Elektra, but it is also possible to decrypt it with GnuPG directly. ## Configuration File Signatures @@ -36,7 +82,7 @@ If `sign/key` is specified in the backend configuration, `fcrypt` will forward t An example backend configuration is given as follows: - kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini + sudo kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini As a result the file `test.ini` will be signed using GPG. `fcrypt` will call the `gpg2` or `gpg` binary as follows: @@ -64,7 +110,7 @@ Let's assume you want to store an encrypted password in `test.ini` but you do no You can use the `crypto` plugin to solve this problem. An example backend configuration is given as follows: - kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini + sudo kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini We recommend adding the `base64` plugin to the backend, because `crypto` will output binary data. Having binary data in configuration files is hardly ever feasible. From a484bdc3c9820a770932eba705eb01944aa6ecf2 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Tue, 8 May 2018 20:42:54 +0200 Subject: [PATCH 04/16] crypto: tutorial corrections --- doc/tutorials/crypto.md | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 5729c214733..c45c85fe0f1 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -40,7 +40,7 @@ The `fcrypt` plugin and the `crypto` plugin support both versions (version 1 and In this tutorial we explain the use of the `crypto` plugin and the `fcrypt` plugin by a simple example: We want to protect a password that is contained in an INI-file. -Without encryption, the file could be mounted like: +Without encryption, the file could be mounted like this: sudo kdb mount test.ini user/test ini @@ -74,6 +74,10 @@ As a result the file `test.ini` is encrypted using GnuPG. gpg2 -o test.ini -a -r DDEBEF9EE2DC931701338212DAF635B17F230E8D -e test.ini.tmp Note that `test.ini` can not only be decrypted by Elektra, but it is also possible to decrypt it with GnuPG directly. +You can try to decrypt `test.ini` with GPG: + + gpg2 -d test.ini + ## Configuration File Signatures @@ -95,20 +99,26 @@ If `test.ini` is modified, all following calls of `kdb get` will fail with an er The options `sign/key` and `encrypt/key` can be combined together, resulting in configuration files, that are signed and encrypted. +Mounting `test.ini` with signatures and encryption enabled can be done like this: + + sudo kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D,encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini + + ## Configuration Value Encryption/Decryption -The compilation variants of the `crypto` plugin: +The `crypto` plugin is actually a family of plugins and comes with three different providers: -1. `crypto_gcrypt`, -2. `crypto_openssl`, and -3. `crypto_botan` +1. `crypto_gcrypt` using `libgcrypt`, +2. `crypto_openssl` using `libcrypto`, and +3. `crypto_botan` using `Botan`. -provide the option to encrypt and decrypt single configuration values (Keys) in a Keyset. -`crypto` is using GPG for key-handling. +We recommend that you use `crypto_gcrypt` as it is the fastest variant. +The variants of the `crypto` plugin work the same internally, but use a different crypto library for cryptographic operations. -Let's assume you want to store an encrypted password in `test.ini` but you do not want to encrypt the entire configuration file. -You can use the `crypto` plugin to solve this problem. -An example backend configuration is given as follows: +The `crypto` plugins provide the option to encrypt and decrypt single configuration values (Keys) in a Keyset. +GPG is required for the key-handling. + +To follow our example of an encrypted password in `test.ini`, we first mount the INI-file with the `crypto_gcrypt` plugin enabled, like this: sudo kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini @@ -122,7 +132,6 @@ To tell the `crypto` plugin which Keys it should process, the meta-key `crypto/e The `crypto` plugin searches for the meta-key `crypto/encrypt`. If the value is equal to `1`, the value of the Key will be encrypted. -Let's demonstrate this using an example. We want to protect the password, that is stored under `user/test/password`. So we set the meta-key as follows: From 6b846a35477d21e73cf7eeb29130334d6813c083 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Tue, 8 May 2018 20:53:04 +0200 Subject: [PATCH 05/16] crypto: tutorial corrections --- doc/tutorials/crypto.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index c45c85fe0f1..57ffd57c514 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -68,6 +68,9 @@ The GPG key, which is used for encryption and decryption, is specified in the ba sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini +If the above command fails, please take a look at the +[ReadMe of the `fcrypt` plugin](https://master.libelektra.org/src/plugins/fcrypt/README.md#known-issues). + As a result the file `test.ini` is encrypted using GnuPG. `fcrypt` will call the `gpg2` or `gpg` binary as follows: @@ -82,12 +85,12 @@ You can try to decrypt `test.ini` with GPG: ## Configuration File Signatures `fcrypt` also offers the option to sign and verify configuration files, thus protecting the integrity of the configuration values. -If `sign/key` is specified in the backend configuration, `fcrypt` will forward the key ID to be used for signing the configuration file. +If `sign/key` is specified in the backend configuration, `fcrypt` will forward the key ID for signing the configuration file. An example backend configuration is given as follows: sudo kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini - + As a result the file `test.ini` will be signed using GPG. `fcrypt` will call the `gpg2` or `gpg` binary as follows: @@ -121,7 +124,7 @@ GPG is required for the key-handling. To follow our example of an encrypted password in `test.ini`, we first mount the INI-file with the `crypto_gcrypt` plugin enabled, like this: sudo kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini - + We recommend adding the `base64` plugin to the backend, because `crypto` will output binary data. Having binary data in configuration files is hardly ever feasible. `base64` encodes all binary values within a configuration file and transforms them into Base64 strings. @@ -136,11 +139,11 @@ We want to protect the password, that is stored under `user/test/password`. So we set the meta-key as follows: kdb setmeta user/test/password crypto/encrypt 1 - + Now we are safe to set the actual password: kdb set user/test/password "1234" - + The resulting INI-file contains the following data: #@META crypto/encrypt = 1 @@ -149,7 +152,7 @@ The resulting INI-file contains the following data: You can access the password as usual with `kdb get`: kdb get user/test/password - + As a result you get "1234". ### Disabling Encryption From 42e2e33c80ecf20165b0d2701d3728b5350194eb Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Tue, 8 May 2018 21:39:16 +0200 Subject: [PATCH 06/16] crypto: tutorial - try shell recorder --- doc/tutorials/crypto.md | 33 ++++++++++++++++--- .../tutorial_wrapper/CMakeLists.txt | 2 ++ 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 57ffd57c514..a74158ed7e4 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -40,17 +40,30 @@ The `fcrypt` plugin and the `crypto` plugin support both versions (version 1 and In this tutorial we explain the use of the `crypto` plugin and the `fcrypt` plugin by a simple example: We want to protect a password that is contained in an INI-file. -Without encryption, the file could be mounted like this: +The following example demonstrates how the INI-file is mounted without encryption enabled. +We create the password at `user/test/password` and display the contents of `test.ini`. +*Step 1:* Mount `test.ini` + +```sh sudo kdb mount test.ini user/test ini +``` -We create the password at `user/test/password`: +*Step 2:* Set the password at `user/test/password` and display the contents of `test.ini` +```sh kdb set user/test/password 1234 + #> Create a new key user/test/password with string "1234" + kdb file user/test/password | xargs cat + #> password = 1234 +``` -The command above results in the following content of `test.ini`: +*Step 3:* (Optional) Delekte and unmount `test.ini` - password = 1234 +```sh + kdb file user/test/password | xargs rm -f + sudo kdb umount user/test +``` As you can see the password is stored in plain text. In this tutorial we demonstrate two different approaches towards confidentiality: @@ -81,6 +94,18 @@ You can try to decrypt `test.ini` with GPG: gpg2 -d test.ini +The complete procedure looks like this: + +```sh + kdb set /sw/elektra/kdb/#0/current/plugins "" + sudo kdb set system/sw/elektra/kdb/#0/current/plugins "" + sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini + kdb set user/test/password 1234 + #> Create a new key user/test/password with string "1234" + kdb file user/test/password | xargs cat + kdb file user/test/password | xargs rm -f + sudo kdb umount user/test +``` ## Configuration File Signatures diff --git a/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt b/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt index 60e8241fed3..d991a9b25e8 100644 --- a/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt +++ b/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt @@ -12,5 +12,7 @@ add_msr_test (kdb-ls "${CMAKE_SOURCE_DIR}/doc/help/kdb-ls.md") add_msr_test (tutorial_validation "${CMAKE_SOURCE_DIR}/doc/tutorials/validation.md" REQUIRED_PLUGINS validation) +add_msr_test (tutorial_crypto "${CMAKE_SOURCE_DIR}/doc/tutorials/crypto.md" REQUIRED_PLUGINS crypto_gcrypt fcrypt) + # Only works with super user privileges, since it writes to `/etc/hosts`: # add_msr_test (tutorial_mount "${CMAKE_SOURCE_DIR}/doc/tutorials/mount.md") From 1e0c5e2a6385be1b40e11ffc5d7c7d032dc2c72e Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Wed, 9 May 2018 21:02:37 +0200 Subject: [PATCH 07/16] crypto: tutorial - add shell recorder examples --- doc/tutorials/crypto.md | 104 +++++++++++++++++++++++++++++++++------- 1 file changed, 88 insertions(+), 16 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index a74158ed7e4..eedc211c881 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -46,23 +46,25 @@ We create the password at `user/test/password` and display the contents of `test *Step 1:* Mount `test.ini` ```sh - sudo kdb mount test.ini user/test ini +kdb set /sw/elektra/kdb/#0/current/plugins "" +sudo kdb mount test.ini user/test ini ``` *Step 2:* Set the password at `user/test/password` and display the contents of `test.ini` ```sh - kdb set user/test/password 1234 - #> Create a new key user/test/password with string "1234" - kdb file user/test/password | xargs cat - #> password = 1234 +kdb set user/test/password 1234 +#> Create a new key user/test/password with string "1234" +kdb file user/test/password | xargs cat +#> password = 1234 ``` -*Step 3:* (Optional) Delekte and unmount `test.ini` +*Step 3:* (Optional) Cleanup ```sh - kdb file user/test/password | xargs rm -f - sudo kdb umount user/test +kdb rm user/test/password +kdb rm /sw/elektra/kdb/#0/current/plugins +sudo kdb umount user/test ``` As you can see the password is stored in plain text. @@ -97,14 +99,19 @@ You can try to decrypt `test.ini` with GPG: The complete procedure looks like this: ```sh - kdb set /sw/elektra/kdb/#0/current/plugins "" - sudo kdb set system/sw/elektra/kdb/#0/current/plugins "" - sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini - kdb set user/test/password 1234 - #> Create a new key user/test/password with string "1234" - kdb file user/test/password | xargs cat - kdb file user/test/password | xargs rm -f - sudo kdb umount user/test +kdb set /sw/elektra/kdb/#0/current/plugins "" +sudo kdb mount test.ini user/test fcrypt "encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini +kdb set user/test/password 1234 +#> Create a new key user/test/password with string "1234" +kdb file user/test/password | xargs cat +``` + +To clean up the environment we run: + +```sh +kdb rm user/test/password +kdb rm /sw/elektra/kdb/#0/current/plugins +sudo kdb umount user/test ``` ## Configuration File Signatures @@ -123,6 +130,24 @@ As a result the file `test.ini` will be signed using GPG. If `test.ini` is modified, all following calls of `kdb get` will fail with an error message stating that the signature of the file could not be verified. +The complete example looks like this: + +```sh +kdb set /sw/elektra/kdb/#0/current/plugins "" +sudo kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini +kdb set user/test/password 1234 +#> Create a new key user/test/password with string "1234" +kdb file user/test/password | xargs cat +``` + +To clean up the environment we run: + +```sh +kdb rm user/test/password +kdb rm /sw/elektra/kdb/#0/current/plugins +sudo kdb umount user/test +``` + ### Combining Signatures and Encryption The options `sign/key` and `encrypt/key` can be combined together, resulting in configuration files, that are signed and encrypted. @@ -131,6 +156,24 @@ Mounting `test.ini` with signatures and encryption enabled can be done like this sudo kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D,encrypt/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" ini +The complete example looks like this: + +```sh +kdb set /sw/elektra/kdb/#0/current/plugins "" +sudo kdb mount test.ini user/test fcrypt "sign/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D,encrypt/key" ini +kdb set user/test/password 1234 +#> Create a new key user/test/password with string "1234" +kdb file user/test/password | xargs cat +``` + +To clean up the environment we run: + +```sh +kdb rm user/test/password +kdb rm /sw/elektra/kdb/#0/current/plugins +sudo kdb umount user/test +``` + ## Configuration Value Encryption/Decryption @@ -186,4 +229,33 @@ You can disable the encryption by setting `crypto/encrypt` to a value other than kdb setmeta user/test/password crypto/encrypt 0 +### Complete Example + +The complete example looks like this: + +```sh +kdb set /sw/elektra/kdb/#0/current/plugins "" +sudo kdb mount test.ini user/test crypto_gcrypt "crypto/key=DDEBEF9EE2DC931701338212DAF635B17F230E8D" base64 ini +kdb setmeta user/test/password crypto/encrypt 1 +kdb file user/test/password | xargs cat +kdb set user/test/password 1234 +#> Set string to "1234" +kdb file user/test/password | xargs cat +``` + +To disable encryption, we can run: + +```sh +kdb setmeta user/test/password crypto/encrypt 0 +kdb file user/test/password | xargs cat +# STDOUT-REGEX: *password = 1234* +``` + +To clean up the environment we run: + +```sh +kdb rm user/test/password +kdb rm /sw/elektra/kdb/#0/current/plugins +sudo kdb umount user/test +``` From fab1b5aea9e8188ba65778771794d1b984ca5f2b Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Fri, 11 May 2018 20:19:38 +0200 Subject: [PATCH 08/16] crypto: tutorial - minor improvement --- doc/tutorials/crypto.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index eedc211c881..b9e3db26212 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -177,6 +177,10 @@ sudo kdb umount user/test ## Configuration Value Encryption/Decryption +So far we learned how to encrypt and decrypt entrie configuration files. +Sometimes we only want to protect a smaller subset of configuration values in a bigger configuration setting. +For this reason the `crypto` plugin was developed. + The `crypto` plugin is actually a family of plugins and comes with three different providers: 1. `crypto_gcrypt` using `libgcrypt`, @@ -240,10 +244,12 @@ kdb setmeta user/test/password crypto/encrypt 1 kdb file user/test/password | xargs cat kdb set user/test/password 1234 #> Set string to "1234" +kdb set user/test/config "I am not encrypted" +#> Create a new key user/test/config with string "I am not encrypted" kdb file user/test/password | xargs cat ``` -To disable encryption, we can run: +To disable encryption on `user/test/password`, we can run: ```sh kdb setmeta user/test/password crypto/encrypt 0 @@ -254,6 +260,7 @@ kdb file user/test/password | xargs cat To clean up the environment we run: ```sh +kdb rm user/test/config kdb rm user/test/password kdb rm /sw/elektra/kdb/#0/current/plugins sudo kdb umount user/test From 4bb95aad0a662412bf43321c6087c74c5fcb78b1 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Fri, 11 May 2018 21:10:28 +0200 Subject: [PATCH 09/16] Docker: add GPG key for crypto/fcrypt unit tests --- doc/docker/jenkinsnode/test_key.asc | 34 +++++++++++++++++++++++++++ scripts/docker/jenkinsnode/Dockerfile | 10 +++++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 doc/docker/jenkinsnode/test_key.asc diff --git a/doc/docker/jenkinsnode/test_key.asc b/doc/docker/jenkinsnode/test_key.asc new file mode 100644 index 00000000000..9f8cb39b14b --- /dev/null +++ b/doc/docker/jenkinsnode/test_key.asc @@ -0,0 +1,34 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: GnuPG v1 + +lQHYBFe4kM8BBACzyI/zUQJdC/kDKII/jeTKb8ek8zlgXJzlw6KpNnJfGRQWun/l +NglaUTw1ZMpkEOxq/5NYDJBM5YV13tmqhWFO9/x/kn4Zbgj+z4w/AUpJQftVuzFf +FchP6qGjiVtgdZqkdodG5zAcTzeYSkJa89cCDmXfN13o7JypjcDehkWiJwARAQAB +AAP5Ad8aZBIH0ESYFTqOR6hrz/UAJpffzes3HD0yASx9s2mBpHkmUCCEw/Yladxu +vSW1STfbbbFwO454GhUgPgzZ18kB46qILg4LYduRoYtRwgEOtBao+it8REoHB6uo +BcA47ZJWEswmxAsKDzEI14aAybTeXSB+Tjma9h7czBl7OEECAMQK8QzH8M6epcd/ +iHPjNvvbYnXygJlJEs1wl4tknsQStX4x6zba7L8e9GxsWGP9dLpCrTqE8xKWi6Fp +SufxBq8CAOrEm7TMyWSr7VrLlizEos/y/cQYXbqfrX5X73dTH1RMji7V2ZpmH7V/ +tDeMazWBv+g1IBI9rFZTmnys2s9zegkCAJFvyWAjrb5+d8xI2IHDwQJR9pi0Y+fy +aUsADdCiQY2qK+c3m+8ZuPegO6rMoai5L4fKwkKLwghRrr6+oH+NrFeg8LRJRWxl +a3RyYSBVbml0IFRlc3RzIChETyBOT1QgVVNFIElOIFBST0RVQ1RJT04pIDx1bml0 +LXRlc3RzQGxpYmVsZWt0cmEub3JnPoi4BBMBAgAiBQJXuJDPAhsDBgsJCAcDAgYV +CAIJCgsEFgIDAQIeAQIXgAAKCRDa9jWxfyMOjS7IA/9MI+MR5uIPEa60gIEe0AUj +CtWdATEqCTSrd5JBJIRITjq1/nTJKBVrfXGX7v8kVKYmVzu512gzAw5ig9cs8hEQ +UvD+dxdOOTCG48Tt/kZSmJyH82iGVO7EVMMqO/OPHCmuRFGFWcqCcIPksyQ0UF2w +IhZIzFyMIvBvaqp1bfUkoZ0B2ARXuJDPAQQA3ukLaGEKYttR0Z3K88S1eAZkPfgZ +E6ZOGpSCaA+Q4Bkb/toitJ/VGWdyMsqX1oFyuz+uCJ2OZYAtkMB+yOrCX3UsKHXp +m5NO6t7mGwpVbObp+5Gh0adZLGfHYLviTLcqZ/+OYMt6mrU00EF437PFmzW8CS3e +aOL44M52LoRoDY8AEQEAAQAD/ivAo0gUEAVSVg9mQOEzAYly+7b8HPPx5w+piaUi +NQX/d7LAnyJD4wBvAQe+Iypr0xi0yZSQVFRQ4eCxH9GQ3qCfI0wmkB0Ml8HyIzCu +idt46Zedjloc2KUToPjn+GoK+qe9f0wiP0DleI/7N6SA4QQK0AKdqWFvqDdr1gKr +4mHFAgDp1lteVv/Yc4B2/ONPNyQWEPv5qz1QNm91BUihj/TBRk3eK90ra5qChDS6 +ei772ObXll9vgmDE9zzlGkm5axINAgD0CZBGzZfstq/krefSoYDVIAkS2CCNA2Ul ++6r3I8jIbr1q1GgSL0ccmawZeckEeXfDCRstayooV5KJZXndkKMLAf4mHFWhLZjj ++6ae4wg7g1CnFobeQ4NUsCSYNMmvDOiDcKnFXAd1jEzA5XMmzTl3oRkhPz1FGUha +hQWGvQ1HmSqnm+aInwQYAQIACQUCV7iQzwIbDAAKCRDa9jWxfyMOjUelA/9p5yi2 +8CM+c/3YwnpNIxJwsiva/sxi+eMa8lmZEZTJDK/cweAayUla5DXlA+rCrElTDylX +9jXhbDZhkfiWjkibCPsuY+7x/neOZnIO1VtPs24vS6k94q4lSgC/RzN2fbyvspQW +nLQ46C61YPgQxaQQThWk50t/E/H2iA78kCXRbQ== +=xCA8 +-----END PGP PRIVATE KEY BLOCK----- diff --git a/scripts/docker/jenkinsnode/Dockerfile b/scripts/docker/jenkinsnode/Dockerfile index 08ca10a6e82..e369b9ea082 100644 --- a/scripts/docker/jenkinsnode/Dockerfile +++ b/scripts/docker/jenkinsnode/Dockerfile @@ -41,7 +41,8 @@ RUN apt-get -y install \ openssh-server \ maven \ git \ - libcurl4-gnutls-dev + libcurl4-gnutls-dev \ + gnupg2 RUN apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* @@ -69,6 +70,13 @@ USER jenkins RUN cabal update USER root +# install the GPG test key that is used for the crypto and fcrypt unit tests +COPY test_key.asc /home/jenkins/test_key.asc +USER jenkins +RUN gpg2 --import /home/jenkins/test_key.asc && rm /home/jenkins/test_key.asc +RUN echo "trust-model always" >> /home/jenkins/.gnupg/gpg.conf +USER root + # setup the run- utilities COPY run-make /usr/local/bin/run-make COPY run-make-env /usr/local/bin/run-make-env From 6cecc56143e371325ac154544f26e2bb20b5a57d Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Fri, 11 May 2018 21:23:36 +0200 Subject: [PATCH 10/16] Revert "Docker: add GPG key for crypto/fcrypt unit tests" This reverts commit 4bb95aad0a662412bf43321c6087c74c5fcb78b1. --- doc/docker/jenkinsnode/test_key.asc | 34 --------------------------- scripts/docker/jenkinsnode/Dockerfile | 10 +------- 2 files changed, 1 insertion(+), 43 deletions(-) delete mode 100644 doc/docker/jenkinsnode/test_key.asc diff --git a/doc/docker/jenkinsnode/test_key.asc b/doc/docker/jenkinsnode/test_key.asc deleted file mode 100644 index 9f8cb39b14b..00000000000 --- a/doc/docker/jenkinsnode/test_key.asc +++ /dev/null @@ -1,34 +0,0 @@ ------BEGIN PGP PRIVATE KEY BLOCK----- -Version: GnuPG v1 - -lQHYBFe4kM8BBACzyI/zUQJdC/kDKII/jeTKb8ek8zlgXJzlw6KpNnJfGRQWun/l -NglaUTw1ZMpkEOxq/5NYDJBM5YV13tmqhWFO9/x/kn4Zbgj+z4w/AUpJQftVuzFf -FchP6qGjiVtgdZqkdodG5zAcTzeYSkJa89cCDmXfN13o7JypjcDehkWiJwARAQAB -AAP5Ad8aZBIH0ESYFTqOR6hrz/UAJpffzes3HD0yASx9s2mBpHkmUCCEw/Yladxu -vSW1STfbbbFwO454GhUgPgzZ18kB46qILg4LYduRoYtRwgEOtBao+it8REoHB6uo -BcA47ZJWEswmxAsKDzEI14aAybTeXSB+Tjma9h7czBl7OEECAMQK8QzH8M6epcd/ -iHPjNvvbYnXygJlJEs1wl4tknsQStX4x6zba7L8e9GxsWGP9dLpCrTqE8xKWi6Fp -SufxBq8CAOrEm7TMyWSr7VrLlizEos/y/cQYXbqfrX5X73dTH1RMji7V2ZpmH7V/ -tDeMazWBv+g1IBI9rFZTmnys2s9zegkCAJFvyWAjrb5+d8xI2IHDwQJR9pi0Y+fy -aUsADdCiQY2qK+c3m+8ZuPegO6rMoai5L4fKwkKLwghRrr6+oH+NrFeg8LRJRWxl -a3RyYSBVbml0IFRlc3RzIChETyBOT1QgVVNFIElOIFBST0RVQ1RJT04pIDx1bml0 -LXRlc3RzQGxpYmVsZWt0cmEub3JnPoi4BBMBAgAiBQJXuJDPAhsDBgsJCAcDAgYV -CAIJCgsEFgIDAQIeAQIXgAAKCRDa9jWxfyMOjS7IA/9MI+MR5uIPEa60gIEe0AUj -CtWdATEqCTSrd5JBJIRITjq1/nTJKBVrfXGX7v8kVKYmVzu512gzAw5ig9cs8hEQ -UvD+dxdOOTCG48Tt/kZSmJyH82iGVO7EVMMqO/OPHCmuRFGFWcqCcIPksyQ0UF2w -IhZIzFyMIvBvaqp1bfUkoZ0B2ARXuJDPAQQA3ukLaGEKYttR0Z3K88S1eAZkPfgZ -E6ZOGpSCaA+Q4Bkb/toitJ/VGWdyMsqX1oFyuz+uCJ2OZYAtkMB+yOrCX3UsKHXp -m5NO6t7mGwpVbObp+5Gh0adZLGfHYLviTLcqZ/+OYMt6mrU00EF437PFmzW8CS3e -aOL44M52LoRoDY8AEQEAAQAD/ivAo0gUEAVSVg9mQOEzAYly+7b8HPPx5w+piaUi -NQX/d7LAnyJD4wBvAQe+Iypr0xi0yZSQVFRQ4eCxH9GQ3qCfI0wmkB0Ml8HyIzCu -idt46Zedjloc2KUToPjn+GoK+qe9f0wiP0DleI/7N6SA4QQK0AKdqWFvqDdr1gKr -4mHFAgDp1lteVv/Yc4B2/ONPNyQWEPv5qz1QNm91BUihj/TBRk3eK90ra5qChDS6 -ei772ObXll9vgmDE9zzlGkm5axINAgD0CZBGzZfstq/krefSoYDVIAkS2CCNA2Ul -+6r3I8jIbr1q1GgSL0ccmawZeckEeXfDCRstayooV5KJZXndkKMLAf4mHFWhLZjj -+6ae4wg7g1CnFobeQ4NUsCSYNMmvDOiDcKnFXAd1jEzA5XMmzTl3oRkhPz1FGUha -hQWGvQ1HmSqnm+aInwQYAQIACQUCV7iQzwIbDAAKCRDa9jWxfyMOjUelA/9p5yi2 -8CM+c/3YwnpNIxJwsiva/sxi+eMa8lmZEZTJDK/cweAayUla5DXlA+rCrElTDylX -9jXhbDZhkfiWjkibCPsuY+7x/neOZnIO1VtPs24vS6k94q4lSgC/RzN2fbyvspQW -nLQ46C61YPgQxaQQThWk50t/E/H2iA78kCXRbQ== -=xCA8 ------END PGP PRIVATE KEY BLOCK----- diff --git a/scripts/docker/jenkinsnode/Dockerfile b/scripts/docker/jenkinsnode/Dockerfile index e369b9ea082..08ca10a6e82 100644 --- a/scripts/docker/jenkinsnode/Dockerfile +++ b/scripts/docker/jenkinsnode/Dockerfile @@ -41,8 +41,7 @@ RUN apt-get -y install \ openssh-server \ maven \ git \ - libcurl4-gnutls-dev \ - gnupg2 + libcurl4-gnutls-dev RUN apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* @@ -70,13 +69,6 @@ USER jenkins RUN cabal update USER root -# install the GPG test key that is used for the crypto and fcrypt unit tests -COPY test_key.asc /home/jenkins/test_key.asc -USER jenkins -RUN gpg2 --import /home/jenkins/test_key.asc && rm /home/jenkins/test_key.asc -RUN echo "trust-model always" >> /home/jenkins/.gnupg/gpg.conf -USER root - # setup the run- utilities COPY run-make /usr/local/bin/run-make COPY run-make-env /usr/local/bin/run-make-env From 00481d30568c6cd1b0903dcf53dd1b23825cd7b4 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Fri, 11 May 2018 21:34:31 +0200 Subject: [PATCH 11/16] crypto: tutorial - download and install the Elektra key --- doc/tutorials/crypto.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index b9e3db26212..56c1e955787 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -35,6 +35,16 @@ If you have no GPG private key available, you can generate one by entering the f The `fcrypt` plugin and the `crypto` plugin support both versions (version 1 and version 2) of GPG. +In order to set up our tutorial we import the Elektra test key. +We **DO NOT RECOMMEND** to use our key on your local machine, as it is available to the public! + +```sh +curl -o test_key.asc https://raw.githubusercontent.com/ElektraInitiative/libelektra/master/src/plugins/crypto/test_key.asc +gpg2 --import test_key.asc +echo "trust-model always" > ~/.gnupg/gpg.conf +rm test_key.asc +``` + ## Introduction In this tutorial we explain the use of the `crypto` plugin and the `fcrypt` plugin by a simple example: From 9019088fde15457b7144574175380027fa6a9eaa Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Fri, 11 May 2018 21:48:40 +0200 Subject: [PATCH 12/16] crypto: tutorial - use gpg v1 --- doc/tutorials/crypto.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 56c1e955787..254853cb3c2 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -40,7 +40,7 @@ We **DO NOT RECOMMEND** to use our key on your local machine, as it is available ```sh curl -o test_key.asc https://raw.githubusercontent.com/ElektraInitiative/libelektra/master/src/plugins/crypto/test_key.asc -gpg2 --import test_key.asc +gpg --import test_key.asc echo "trust-model always" > ~/.gnupg/gpg.conf rm test_key.asc ``` From f53cbe914dcf0559087f8adff4a1df6ae850ff40 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sat, 12 May 2018 08:32:04 +0200 Subject: [PATCH 13/16] crypto: fix tutorial - try importing the GPG key from the repo --- doc/tutorials/crypto.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 254853cb3c2..607dd945cd8 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -39,10 +39,8 @@ In order to set up our tutorial we import the Elektra test key. We **DO NOT RECOMMEND** to use our key on your local machine, as it is available to the public! ```sh -curl -o test_key.asc https://raw.githubusercontent.com/ElektraInitiative/libelektra/master/src/plugins/crypto/test_key.asc -gpg --import test_key.asc +gpg --import ../../src/plugins/crypto/test_key.asc echo "trust-model always" > ~/.gnupg/gpg.conf -rm test_key.asc ``` ## Introduction @@ -264,7 +262,6 @@ To disable encryption on `user/test/password`, we can run: ```sh kdb setmeta user/test/password crypto/encrypt 0 kdb file user/test/password | xargs cat -# STDOUT-REGEX: *password = 1234* ``` To clean up the environment we run: From bdbefdab9e4be60ccb096cd0e02cfaa92f33e864 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sat, 12 May 2018 11:17:34 +0200 Subject: [PATCH 14/16] crypto: tutorial - fix path of GPG test key --- doc/tutorials/crypto.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 607dd945cd8..5dc9bcf80a5 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -39,7 +39,7 @@ In order to set up our tutorial we import the Elektra test key. We **DO NOT RECOMMEND** to use our key on your local machine, as it is available to the public! ```sh -gpg --import ../../src/plugins/crypto/test_key.asc +gpg --import src/plugins/crypto/test_key.asc echo "trust-model always" > ~/.gnupg/gpg.conf ``` From 95dc36088ab0b1dca0e1e9b427869d20db219b7e Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sat, 12 May 2018 15:11:24 +0200 Subject: [PATCH 15/16] crypto: tutorial - consider gpg2 before gpg while importing the test key If gpg2 is available, fcrypt and crypto will prefer v2. On build servers where v2 is available, the shell recorder will most likely fail, if we import the test key solely for v1. --- doc/tutorials/crypto.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 5dc9bcf80a5..37f09d275ed 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -39,7 +39,7 @@ In order to set up our tutorial we import the Elektra test key. We **DO NOT RECOMMEND** to use our key on your local machine, as it is available to the public! ```sh -gpg --import src/plugins/crypto/test_key.asc +gpg2 --import src/plugins/crypto/test_key.asc || gpg --import src/plugins/crypto/test_key.asc echo "trust-model always" > ~/.gnupg/gpg.conf ``` From 3bae912e9040cd448b2be05763ce33fef5ecf8c5 Mon Sep 17 00:00:00 2001 From: Peter Nirschl Date: Sat, 12 May 2018 16:43:28 +0200 Subject: [PATCH 16/16] crypto: disable MSR check for tutorial --- doc/tutorials/crypto.md | 8 -------- .../shell/shell_recorder/tutorial_wrapper/CMakeLists.txt | 2 -- 2 files changed, 10 deletions(-) diff --git a/doc/tutorials/crypto.md b/doc/tutorials/crypto.md index 37f09d275ed..3881eb8dc08 100644 --- a/doc/tutorials/crypto.md +++ b/doc/tutorials/crypto.md @@ -35,14 +35,6 @@ If you have no GPG private key available, you can generate one by entering the f The `fcrypt` plugin and the `crypto` plugin support both versions (version 1 and version 2) of GPG. -In order to set up our tutorial we import the Elektra test key. -We **DO NOT RECOMMEND** to use our key on your local machine, as it is available to the public! - -```sh -gpg2 --import src/plugins/crypto/test_key.asc || gpg --import src/plugins/crypto/test_key.asc -echo "trust-model always" > ~/.gnupg/gpg.conf -``` - ## Introduction In this tutorial we explain the use of the `crypto` plugin and the `fcrypt` plugin by a simple example: diff --git a/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt b/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt index d991a9b25e8..60e8241fed3 100644 --- a/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt +++ b/tests/shell/shell_recorder/tutorial_wrapper/CMakeLists.txt @@ -12,7 +12,5 @@ add_msr_test (kdb-ls "${CMAKE_SOURCE_DIR}/doc/help/kdb-ls.md") add_msr_test (tutorial_validation "${CMAKE_SOURCE_DIR}/doc/tutorials/validation.md" REQUIRED_PLUGINS validation) -add_msr_test (tutorial_crypto "${CMAKE_SOURCE_DIR}/doc/tutorials/crypto.md" REQUIRED_PLUGINS crypto_gcrypt fcrypt) - # Only works with super user privileges, since it writes to `/etc/hosts`: # add_msr_test (tutorial_mount "${CMAKE_SOURCE_DIR}/doc/tutorials/mount.md")