path: root/lib/chef/encrypted_data_bag_item.rb
Commit message | Author | Age | Files | Lines

Enable autodetection of encrypted data bag items. | Claire McQuin | 2014-08-22 | 1 | -1/+1

[CHEF-5356-gcm] Chef::EncryptedDataBagItem Version3 implementation using GCM | Xabier de Zuazo | 2014-07-01 | 1 | -0/+1

Fix a few typos | nishigori | 2014-03-26 | 1 | -1/+1

Add documentation for Chef::EncryptedDataBag.load | Seth Vargo | 2014-03-14 | 1 | -0/+36

CHEF-4441: emit reasonable error message when there is no default data bag secret | John Keiser | 2013-12-03 | 1 | -0/+3

Split EncryptedDataBagItem into multiple files | John Keiser | 2013-12-03 | 1 | -303/+3

[CHEF-3615] Make encrypted data bag format configurable | danielsdeleo | 2013-04-30 | 1 | -2/+27
    * Add an option to configure the version used when encrypting data bag items. This allows users to opt in to newer encrypted data bag formats while the default remains compatible with earlier chef versions.
    * Add an option to set a minimum valid encrypted data bag item format. This is useful on the client so that, for example, a MITM attacker cannot downgrade a v2 EDBI to v1.

[CHEF-3615] version 2 encryptor/decryptor for EDBIs | danielsdeleo | 2013-04-30 | 1 | -86/+121
    Authenticated encryption data bag items will be version 2 of the encrypted data bag item format instead of tacked on to the version 1 format. Authenticated encryption via OpenSSL cipher was considered, but older openssl versions do not have, e.g., aes-256-gcm, so we are implementing encrypt-then-mac with hmac-sha256 on top of existing aes cipher. Code passes tests but is not yet exposed in configuration.
    TODO:
    * Allow user to set desired version for encrypt.
    * Allow user to set minimum required version for decrypt. Without this change, a MITM could simply change the format version to 1 to bypass the hmac.

[CHEF-3858] ensure invalid key always fails to decrypt | danielsdeleo | 2013-04-30 | 1 | -1/+29
    In CI, we occasionally see test failures when decryption with an incorrect key does not raise an error, but instead returns garbage. This fixes that issue by adding an HMAC-SHA2-256 of the encrypted data to the version 1 format. For backwards compatibility, decryption will continue if the hmac is missing; therefore, this does not increase the security of encrypted data bag items.

[CHEF-3858] rescue bad json errors and re-raise as decryption failures | danielsdeleo | 2013-04-26 | 1 | -0/+5

[CHEF-4011] move default secret file path to Chef::Config | Seth Chisamore | 2013-04-11 | 1 | -2/+1
    * Remove references to DEFAULT_SECRET_FILE from `Chef::EncryptedDataBagItem`.
    * Add new `:encrypted_data_bag_secret` value to `Chef::Config`.
    * Ensure Chef::Config[:encrypted_data_bag_secret] is nil if the secret does not exist at the default path.
    * Updated test coverage in `config_spec` and `encrypted_data_bag_item_spec`.

prefer `File.exist?` to `File.exists?` | Seth Chisamore | 2013-04-11 | 1 | -1/+1
    File.exists? was deprecated in Ruby 1.9.

[CHEF-3616] add cipher field to edbi metadata | danielsdeleo | 2012-11-16 | 1 | -1/+16
    Adds "cipher" to the metadata fields for encrypted data bag items. This enables user-configurable ciphers in the future. Cipher is still hard-coded to aes-256-cbc for now.

[CHEF-3392] fix ruby 1.8 detection of version 1 format | danielsdeleo | 2012-11-15 | 1 | -1/+1

[CHEF-3392] remove unused `from_plain_hash` method | danielsdeleo | 2012-11-15 | 1 | -4/+0

[CHEF-3392] use yajl to avoid custom class inflation | danielsdeleo | 2012-11-15 | 1 | -2/+3

[CHEF-3392] JSON serialize encrypted data bags, use random IV | danielsdeleo | 2012-11-14 | 1 | -21/+193
    * Use JSON instead of YAML to serialize encrypted data bag values before encrypting.
    * Use a random IV for each encrypted value for resilience against some types of crypto attacks. Fixes CHEF-3480.

[OC-3564] move core Chef to the repo root \o/ \m/ | Seth Chisamore | 2012-10-30 | 1 | -0/+139
    The opscode/chef repository now only contains the core Chef library code used by chef-client, knife and chef-solo!