Command line argument for GPG decrypting works but not in PHP - gnupg

I have an existing PHP (7.3) script which decrypts a file with gpg.
We have replaced the keys and moved from CentOS/Ubuntu. I can decrypt from the command line fine, but not from the PHP script.
gpg --ignore-mdc-error --pinentry-mode loopback --passphrase some-passphrase --output file.csv --decrypt file.csv.gpg
In my PHP script
//PREPARE DECRYPT COMMAND
$process = new Process([
    $this->GPGpath,
    '--ignore-mdc-error',
    '--quiet',
    '--pinentry-mode',
    'loopback',
    '--passphrase',
    $this->decryptPass,
    '--output',
    $outputFilename,
    '--decrypt',
    storage_path($workingDirectory.$fileToDecrypt)
], storage_path($workingDirectory));
//RUN COMMAND
$process->run();
//FINISH DECRYPT
I get the following error:
====>[11-05-22 18:49:37]Action: PGP-DECRYPT
==>DATA:
{"status":false,"CMD":"'\/usr\/bin\/gpg' '--ignore-mdc-error' '--quiet' '--pinentry-mode' 'loopback' '--passphrase' 'some-passphrase' '--output' 'file.csv' '--decrypt'
'file.csv.gpg'","EXIT_CODE":2,"EXIT_CODE_TEXT":"Misuse of shell builtins","WORKING_DIRECTORY":"working-directory","OUTPUT":"gpg: decryption failed: No secret key\n"}
What am I missing? Can anyone please help?
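Two things in the log above are worth separating, as an added note that is not part of the question. "Misuse of shell builtins" is only Symfony Process's generic label for exit status 2; for gpg, status 2 simply means the operation failed, and the real message is on stderr: "decryption failed: No secret key". gpg resolves its keyring from GNUPGHOME, or else from the home directory of the user the process runs as, so a web-server or scheduler account has its own (usually empty) keyring even when the identical command succeeds in your interactive shell. The example below is added here (Python, not the page's PHP; the paths and the web-server user are assumptions) and shows a wrapper that pins GNUPGHOME explicitly, feeds the passphrase over stdin instead of the command line, where `--passphrase <value>` is readable by every local user via `ps` or /proc, and maps gpg's stderr to an actionable category. It deliberately omits `--ignore-mdc-error`: that flag disables the modification-detection check, and a file that needs it should be re-encrypted with integrity protection rather than decrypted without it.

```python
import os
import subprocess
from typing import Dict, List, Tuple


def build_gpg_decrypt_argv(gpg_path: str, infile: str, outfile: str) -> List[str]:
    """Argument vector for a non-interactive decrypt that keeps the passphrase
    off the command line: --passphrase-fd 0 makes gpg read it from stdin, so it
    never appears in `ps` output or /proc/<pid>/cmdline."""
    return [
        gpg_path,
        "--batch", "--yes", "--quiet",      # --yes: overwrite an existing output file
        "--pinentry-mode", "loopback",
        "--passphrase-fd", "0",
        "--output", outfile,
        "--decrypt", infile,
    ]


def build_gpg_env(gnupghome: str) -> Dict[str, str]:
    """Child environment with GNUPGHOME pinned. Without this, gpg uses the
    running user's ~/.gnupg, which for www-data (assumed web-server account)
    is not the keyring the command-line test used."""
    env = dict(os.environ)
    env["GNUPGHOME"] = gnupghome
    return env


def classify_gpg_stderr(stderr: str) -> str:
    """Map gpg's most common failure lines to a category the operator can act on."""
    low = stderr.lower()
    if "no secret key" in low:
        return "no-secret-key"     # keyring visible to this process lacks the decryption key
    if "bad passphrase" in low:
        return "bad-passphrase"
    if "inappropriate ioctl" in low or "pinentry" in low:
        return "pinentry-or-tty"   # gpg tried to prompt; no tty available to a service
    return "other"


def decrypt_file(gpg_path: str, gnupghome: str, passphrase: str,
                 infile: str, outfile: str, timeout: int = 60) -> Tuple[bool, str, str]:
    """Run the decrypt and return (success, raw stderr, category)."""
    proc = subprocess.run(
        build_gpg_decrypt_argv(gpg_path, infile, outfile),
        input=passphrase + "\n",           # delivered on fd 0, not argv
        capture_output=True, text=True,
        env=build_gpg_env(gnupghome), timeout=timeout,
    )
    return proc.returncode == 0, proc.stderr, classify_gpg_stderr(proc.stderr)


if __name__ == "__main__":
    # Assumed paths: the keyring the web-server user should use, and the file names from the question.
    ok, err, category = decrypt_file("/usr/bin/gpg", "/var/www/.gnupg", "some-passphrase",
                                     "file.csv.gpg", "file.csv")
    print("ok" if ok else f"failed ({category}): {err.strip()}")
```

A quick check when the PHP version fails but the shell version works: run `gpg --list-secret-keys` as the same user and with the same GNUPGHOME the PHP process sees; if the key is missing there, import it into that keyring (or point GNUPGHOME at the one you tested with) rather than copying the passphrase around.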

Related

Ansible vault - Decryption of encrypted string

I am trying to decrypt an encrypted string using Ansible vault. I have a key which is used for encryption. The encryption works fine but decryption doesn't seem to work. When I try to use the decryption command, I am asked for a vault password even though I never set any password. Below are my encryption commands:
echo 'mysecretexample' > pwd
ansible-vault encrypt_string 'testencyption' --vault-id pipeline#pwd --name 'secretname'
Above WORKS FINE!!!
But below doesn't seem to work at all while decryption and asks for vault password
echo '$ANSIBLE_VAULT;1.2;AES256;pipeline
          30306264643662333133656165633238646637393738663933666231393964646162306233663063
          3130626266444444444449346633656234646162356235640a323339316662663966383639643064
          39373933373832313762363863395555555555555555555555555866376132616262666561343130
          3162366537623463330a326663393934646166623665386438636464323233323565313035643732
          3662' | ansible-vault decrypt
I get the following, as it's not a vault-enabled file:
ERROR! input is not vault encrypted data. - is not a vault encrypted file for -
Any advice would be helpful.
It's because your echo-ed text isn't the same as what some_scalar: | does in YAML; all those indentation characters will be harmonized to having no indentation when processed by a YAML parser:
>>> from io import StringIO
>>> from yaml import safe_load
>>> print(safe_load(StringIO("""
... alpha: |
...   hello
...   world
... """))["alpha"])
hello
world
Since encrypt_string is optimized for use in vars.yaml, you'll need to de-yaml-it to get what you're after:
$ echo 'mysecretexample' > pwd
$ ansible-vault encrypt_string 'testencyption' --vault-id pipeline#pwd --name 'secretname' \
| sed -e '1d; s/^ *//' \
| ansible-vault decrypt --vault-id pipeline#pwd 2>/dev/null
testencyption
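The same de-YAML step in Python, as an added example that is not part of the answer above (the sample payload is constructed, with filler bytes in place of real salt, HMAC and ciphertext). It drops the `name: !vault |` line and the block-scalar indentation exactly as the `sed '1d; s/^ *//'` pipeline does, then checks what `ansible-vault decrypt` itself checks first: that the text begins with `$ANSIBLE_VAULT`, which is why the indented echo fails with "input is not vault encrypted data". As a further check, it decodes the body, which is the hex encoding of `salt\nhmac\nciphertext` (each of those hex as well), so a truncated or mangled payload is caught before a password prompt ever appears.

```python
import binascii
from typing import Dict, Tuple

VAULT_MARKER = "$ANSIBLE_VAULT"


def deyaml_encrypt_string(output: str) -> str:
    """Equivalent of `sed -e '1d; s/^ *//'` on encrypt_string output: drop the
    `name: !vault |` line and strip the block-scalar indentation, leaving a
    standalone vault payload with the header on its first line."""
    lines = output.strip("\n").splitlines()
    if not lines or "!vault" not in lines[0]:
        raise ValueError("expected a `name: !vault |` header line")
    return "\n".join(line.lstrip(" ") for line in lines[1:] if line.strip()) + "\n"


def parse_vault_header(payload: str) -> Dict[str, str]:
    """Validate the `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]` header."""
    first = payload.splitlines()[0] if payload else ""
    if not first.startswith(VAULT_MARKER):
        raise ValueError("input is not vault encrypted data")   # same condition ansible-vault reports
    parts = first.split(";")
    if len(parts) not in (3, 4):
        raise ValueError("malformed vault header: %r" % first)
    return {"version": parts[1], "cipher": parts[2],
            "vault_id": parts[3] if len(parts) == 4 else ""}


def is_vault_payload(text: str) -> bool:
    try:
        parse_vault_header(text)
        return True
    except ValueError:
        return False


def split_vaulttext(payload: str) -> Tuple[str, str, str]:
    """Body is hex('salt\\nhmac\\nciphertext'); return the three inner hex fields."""
    body = "".join(payload.splitlines()[1:])
    try:
        inner = binascii.unhexlify(body).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("vault body is not well-formed hex") from exc
    fields = inner.split("\n")
    if len(fields) != 3:
        raise ValueError("expected salt, hmac and ciphertext fields")
    return fields[0], fields[1], fields[2]


def build_sample_encrypt_string_output(name: str = "secretname", vault_id: str = "pipeline") -> str:
    """Constructed sample in the shape `ansible-vault encrypt_string --name` prints.
    Filler bytes stand in for a 32-byte salt, 32-byte HMAC and one 16-byte block."""
    inner = "\n".join(["aa" * 32, "bb" * 32, "cc" * 16]).encode("ascii")
    vaulttext = binascii.hexlify(inner).decode("ascii")
    rows = [vaulttext[i:i + 80] for i in range(0, len(vaulttext), 80)]   # 80-column wrap
    header = f"{VAULT_MARKER};1.2;AES256;{vault_id}"
    indent = " " * 10
    return f"{name}: !vault |\n" + "\n".join(indent + r for r in [header] + rows) + "\n"


if __name__ == "__main__":
    raw = build_sample_encrypt_string_output()
    print("raw YAML accepted by decrypt?", is_vault_payload(raw))        # False: indented
    payload = deyaml_encrypt_string(raw)
    print("de-YAMLed accepted?", is_vault_payload(payload), parse_vault_header(payload))
    salt, hmac_hex, ct = split_vaulttext(payload)
    print(len(salt) // 2, len(hmac_hex) // 2, len(ct) // 2, "bytes of salt/hmac/ciphertext")
```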

How to use `ansible-vault` `--output` to write the encrypted content to a file?

I'm using ansible-vault 2.10.5. According to the encrypt_string documentation, I can use --output to save the encrypted result. The doc says:
--output <OUTPUT_FILE>
output file name for encrypt or decrypt; use - for stdout
But I tried several commands and the result seemed to always be printed to the console. For example:
ansible-vault encrypt_string --vault-id test#prompt --name my_var --output encrypted.txt my_value
I got the following output printed on the console:
New vault password (test):
Confirm new vault password (test):
my_var: !vault |
          $ANSIBLE_VAULT;1.2;AES256;test
          66343062376436373531313033623237393231663930383936306662393164653733636161653630
          6636653035306339363065623438353338646533656639620a376365376136343232376561666266
          62313936343766343333333065363634663961643234323734613135383763656536656437393431
          3238306436313437320a663131653164366133356530663732633334366136306636663766353331
          6635
Encryption successful
So what is the correct way of using --output option to save the encrypted content to a local file?
I'd rather put the target content to be encrypted in a file and use ansible-vault encrypt secretfile, and it will encrypt the file in place.

Add-AzVMSshPublicKey to vmConfig fails when calling New-AzVM

I'm following the Windows quickstart for creating a VM in Azure PowerShell.
I'm stuck here:
# Configure the SSH key
$sshPublicKey = cat ~/.ssh/id_rsa.pub
Add-AzVMSshPublicKey `
    -VM $vmconfig `
    -KeyData $sshPublicKey `
    -Path "/home/azureuser/.ssh/authorized_keys"
First of all, I think the following code is wrong, as cat returns System.String[], and running this verbatim results in:
Add-AzVMSshPublicKey : Cannot convert 'System.Object[]' to the type 'System.String'
So... I instead use Get-Content "./path/to/file" -Raw, which just returns a string, and the command runs without errors.
Now when I run
New-AzVM `
    -ResourceGroupName $resourceGroupName `
    -Location $location -VM $vmConfig
I get the following error, meaning the keyData I set earlier wasn't set correctly:
New-AzVM : The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid.
I've found the issue. Azure Key Vault gives me a PEM public key in the form
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAO...
...
...
...
...0CS94AFAgMBAAE=
-----END PUBLIC KEY-----
whereas the VM is expecting it in OpenSSH format:
ssh-rsa ..........
I've tried to convert it with
ssh-keygen -i -m PKCS8 -f ./key.pem
but nothing gets output.
UPDATE
Aaaand it's a PowerShell issue.
First, the tutorial is a guide to creating a Linux VM via Azure PowerShell, not a Windows one. Second, the command cat just outputs the content of the file, and the command $sshPublicKey = cat ~/.ssh/id_rsa.pub creates a string variable.
The parameter -KeyData of the command Add-AzVMSshPublicKey also expects a string.
So there is no problem with the PowerShell command, and all the commands work fine on my side. The error shows that the value of the key data is invalid, so what you need to do is make sure that the SSH public key itself has no problem.
To get this key from an Azure Key Vault,
Get-AzKeyVaultKey -OutFile *filename* returns a public key in PEM form:
-----BEGIN PUBLIC KEY------
....
-----END PUBLIC KEY-----
The VM requires the key data to be a one-liner in OpenSSH format:
ssh-rsa ....... mykeylabel
But PowerShell's ssh-keygen, unlike its UNIX counterpart, cannot convert between these formats, as it has an open bug.
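The conversion the thread needs is purely a re-encoding of the same two integers, the RSA modulus and public exponent, from a PEM SubjectPublicKeyInfo (what Get-AzKeyVaultKey writes) into the `ssh-rsa <base64 blob> <comment>` line the VM's linuxConfiguration expects. The example below is added here and is not from the page or from Azure's tooling; it does the conversion in pure Python with no ssh-keygen involved. The sample modulus is a constructed 2048-bit odd number standing in for a real key, and the comment label "mykeylabel" is taken from the answer above. Because the DER and SSH integer encodings are both minimal big-endian two's complement, the same helper serves both, and a parser for the OpenSSH line is included so the round trip can be checked.

```python
import base64
import struct
from typing import Tuple

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER encoded with its tag and length.
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _int_bytes(value: int) -> bytes:
    """Minimal big-endian two's-complement bytes of a non-negative integer.
    DER INTEGER contents and SSH mpint contents use exactly this encoding."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def _der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def build_pem_public_key(n: int, e: int) -> str:
    """SubjectPublicKeyInfo PEM, the shape Get-AzKeyVaultKey -OutFile writes."""
    rsa_public_key = _der_tlv(0x30, _der_tlv(0x02, _int_bytes(n)) + _der_tlv(0x02, _int_bytes(e)))
    algorithm = _der_tlv(0x30, RSA_OID_TLV + b"\x05\x00")          # rsaEncryption, NULL params
    spki = _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_public_key))
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def pem_to_rsa_ints(pem: str) -> Tuple[int, int]:
    """Extract (n, e) from a PEM SubjectPublicKeyInfo; rejects non-RSA keys."""
    b64 = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, algorithm, pos = _der_read(spki, 0)
    if tag != 0x30 or not algorithm.startswith(RSA_OID_TLV):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bitstring, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstring[:1] != b"\x00":
        raise ValueError("unexpected BIT STRING")
    tag, rsa_public_key, _ = _der_read(bitstring, 1)    # skip the unused-bits byte
    tag_n, n_bytes, pos = _der_read(rsa_public_key, 0)
    tag_e, e_bytes, _ = _der_read(rsa_public_key, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def pem_to_openssh(pem: str, comment: str = "mykeylabel") -> str:
    """One-line OpenSSH public key: string "ssh-rsa", mpint e, mpint n."""
    n, e = pem_to_rsa_ints(pem)
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_int_bytes(e)) + _ssh_string(_int_bytes(n))
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_openssh_rsa(line: str) -> Tuple[int, int]:
    """Inverse of pem_to_openssh for checking: return (n, e) from an ssh-rsa line."""
    kind, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if kind != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


# Constructed sample: a 2048-bit odd number standing in for a modulus (not a real key).
SAMPLE_N = (1 << 2047) | 0x1234567
SAMPLE_E = 65537

if __name__ == "__main__":
    pem = build_pem_public_key(SAMPLE_N, SAMPLE_E)
    print(pem_to_openssh(pem))
```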

Jenkins: How to get an encrypted credentials password from shell script?

I was using the secrets/master.key that was there when the password was encrypted and stored to credentials.xml. But restoring the same set of credentials.xml and master.key is not working in a new Jenkins setup. I even tried to restore secret.key, but that too is not working.
I also noticed the encrypted string in credentials.xml is also not the same for the same string.
I am trying to automate the Jenkins setup. Is there a way I can get the encrypted password that Jenkins produces from bash?
Jenkins and its plugins usually encrypt strings using the Secret class, which (AFAICT) stores the key under ${JENKINS_HOME}/secrets/hudson.util.Secret.
I don't know of any easy standalone solution, but you can use the Jenkins Script Console (or the groovy CLI command) to attempt to decrypt secret values that you have:
import hudson.util.Secret
Secret a = Secret.fromString('my secret value')
String ciphertext = a.getEncryptedValue()
println ciphertext
// '{AQAAABAAAAAQdIQUuG2AhKoV7mCIcd3PXBdw8ItgchIrvQrQ=}'
// or similar; will change with each new secret object
Secret b = Secret.decrypt(ciphertext)
String plaintext = b.getPlainText()
println plaintext
// 'my secret value'
# user:password go before an '@', not a '#' (a '#' would turn the rest of the URL into a fragment)
host="http://$JENKINS_USERNAME:$JENKINS_PASSWORD@localhost:8080"
# Fetch a CSRF crumb in "Jenkins-Crumb:<value>" form, ready to pass as a header
CRUMB=$(curl -s "$host"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
# Ask the script console to encrypt the value with the instance's own key
encrypted_passphrase=$(curl -s -H "$CRUMB" -d "script=println(hudson.util.Secret.fromString('password').getEncryptedValue())" -X POST "$host/scriptText")

Travis-ci decryption of encrypted files

I encrypted my .env file, and I now have a .env.enc file. How does my team decrypt this?
I got this response when I encrypted the file, and it is stored in my .travis.yml file
openssl aes-256-cbc -K $encrypted_cf94abc85bdc_key -iv $encrypted_cf94abc85bdc_iv -in .env.enc -out .env -d
I tried that on the terminal and I just get:
iv undefined
I tried decrypting with the travis-cli:
travis encrypt-file .env.enc .env -d
I just get this:
key must be 64 characters long and a valid hex number
I tried it with the key and iv
travis encrypt-file .env.enc .env -d -K $encrypted_cf94abc85bdc_key -iv $encrypted_cf94abc85bdc_iv
I checked if the travis env variables exist, and they do:
encrypted_cf94abc85bdc_key=[secure]
encrypted_cf94abc85bdc_iv=[secure]
Your file is probably decrypted somewhere during the build on Travis. It might be easiest to add a deploy step to the build, so the .env file is uploaded to a place where you can download it yourself.
For details on how to deploy files, check this link or this one specifically for github
Here's a short sample of what I did ;)
in .travis.yml
before_install:
  # Somewhere your files are being decrypted
  - openssl aes-256-cbc -K $encrypted_cf94abc85bdc_key -iv $encrypted_cf94abc85bdc_iv -in .env.enc -out .env -d
# Add a deploy step, which lets you choose which files to upload
deploy:
  file:
    - .env   # add the file here, so it will be pushed to github
  api_key: $apikey
  on:
    repo: <your github repo>
Check the output of travis encrypt-file!
Especially the first line:
encrypting <filename> for <repository name>
[..]
You need to be in the correct repo (and use --com if needed) to be sure that Travis will find the generated values it later needs.