How to deal with sensitive data

[rogeriochaves]

Does kickstart have a recommendation or helpers for dealing with sensitive data? If not, should it?

I suggest to use gpg, like this:

gpg --symmetric --cipher-algo aes256 id_rsa

And then decrypt it like this:

gpg --decrypt --passphrase "$KICKSTART_DECRYPT_KEY" files/.ssh/id_rsa.gpg

Where KICKSTART_DECRYPT_KEY could be in the environment or read from the user at runtime

cough much easier than chef knife data bag shenanigans cough

[bltavares]

Hey @rogeriochaves,

Thanks for the idea. I think there could be a gpg helper module with those patterns. I'm not sure if aes256 is the best option as I'm not an specialist on this.

It is already possible to read a value interactively over the tunnel, so using a read -p KEY on the script would be enough to have it available on the target host. There is an example of requesting a value on tty.space