From 26d803fba1a22c21ad04679c4d82093fa8d8dafe Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Thu, 9 Mar 2023 14:46:34 +0100 Subject: [PATCH] improved password encryption documentation --- admin-guide/puppet/hiera.rst | 68 +++++++------------ .../puppet/profiles/local_accounts.rst | 3 + 2 files changed, 26 insertions(+), 45 deletions(-) diff --git a/admin-guide/puppet/hiera.rst b/admin-guide/puppet/hiera.rst index 7b0d9006..0982a6fc 100644 --- a/admin-guide/puppet/hiera.rst +++ b/admin-guide/puppet/hiera.rst
@@ -141,61 +141,39 @@ The eyaml public key is:: B40J8ePbbmmGE24+zQ== -----END CERTIFICATE----- +On the puppet server it found at ``/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem``. -Assuming the public key is saved in a file named ``/home/someone/eyaml_key.pub`` and that -`hiera-eyaml `_ is properly installed, -a string can be encripted with:: +Then you need to have ``hiera-eyaml`` tool installed, either from the package manager of your distribution or from the `source `_. - eyaml encrypt --pkcs7-public-key=/home/someone/eyaml_key.pub -s secret_string +Assuming the public key is saved in a file (e.g. ``~/eyaml_key.pub``), that the file path has been put into the environment varialbe ``EYAML_PUB_KEY``, then a string can be encripted with:: + + eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -s secret_string While a complete file can be encripted with:: - eyaml encrypt --pkcs7-public-key=/home/someone/eyaml_key.pub -f secret_file + eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -f secret_file + Example: Encrypting password ---------------------------- -Steps: +First prepare the public key and the shell as explaned in above chapter. +Then:: -Install locally (local = server/desktop from where you will encrypt the password) hiera-eyaml (https://github.com/voxpupuli/hiera-eyaml/tree/command-refactor) + # openssl passwd -6 | eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY --stdin + Password: + Verifying - Password: + string: ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx] -Create locally a *keys* directory:: - - #> mkdir -p ~/eyaml/keys - -Copy *puppet01:/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem* to the above folder. Alternatively, you can copy the above public key, which should be the same:: - - #> scp root@puppet01:/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem ~/eyaml/keys - -Go to the *eyaml* directory:: - - #> cd ~/eyaml - -Hash your password using *openssl* as follows**. 
It will generate a hashed password:: - - #> openssl passwd -1 - Password: - Verifying - Password: - - -Encrypt your hashed password with *eyaml* and copy the exact output (either the string or the block) to your hiera (YAML) file:: - - #> eyaml encrypt -l 'root::password' -s '' - root::password: ENC[PKCS7,MIIBmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - OR - - root::password: > - ENC[PKCS7,MIIBmxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxx] + + block: > + ENC[PKCS7,MIIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + ... + xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] + # + +and place either the string or the block at the required place in your Hiera YAML. diff --git a/admin-guide/puppet/profiles/local_accounts.rst b/admin-guide/puppet/profiles/local_accounts.rst index cefb491f..672a323b 100644 --- a/admin-guide/puppet/profiles/local_accounts.rst +++ b/admin-guide/puppet/profiles/local_accounts.rst @@ -54,6 +54,8 @@ the values are hashes containing the usual user properties, ie: ``shell`` shell (required) ============ ========================== +Ideally encrypt the password has as in chapter "Example: Encrypting password" :ref:`../hiera` + ``users`` ~~~~~~~~~ @@ -91,6 +93,7 @@ The following defines three users and one group, but only creates one each:: 'home': '/home/archadm' 'shell': '/bin/bash' 'comment': '' + 'password': 'ENC[PKCS7,MIIB2gYxxxxxx...xxxxxxx]' local_accounts::groups: - 'archadm'
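Review bot: the hiera.rst hunk (@@ -141,61) introduces several typos in the new text and leaves one step unexplained. "On the puppet server it found at" should read "it is found at", "varialbe" should be "variable", "explaned" should be "explained", and "encripted" (kept in two lines) should be "encrypted". The paragraph states that the key path "has been put into the environment variable ``EYAML_PUB_KEY``" but never shows how; a single line such as ``export EYAML_PUB_KEY=~/eyaml_key.pub`` before the first ``eyaml encrypt`` call would make the example copy-pasteable. It would also help to say in one sentence that ``openssl passwd -6`` produces a SHA-512 crypt hash, replacing the MD5-based ``-1`` used by the removed text, so readers understand why the flag changed and do not fall back to the older form.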
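Review bot: in the first local_accounts.rst hunk (@@ -54,6), the added sentence has a typo and a cross-reference that Sphinx will not resolve. "encrypt the password has" should be "encrypt the password hash", and ``:ref:`../hiera``` uses the ``:ref:`` role with a document path, whereas ``:ref:`` expects a label; either use ``:doc:`../hiera``` or add a label (for example ``.. _eyaml-encrypt-password:``) above the "Example: Encrypting password" heading in hiera.rst and reference that label with ``:ref:``. "Ideally encrypt" also undersells the point; since the hash is what ends up in version-controlled Hiera data, "Encrypt the password hash as described in ..." states the expectation more clearly.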
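Review bot: the second local_accounts.rst hunk (@@ -91,6) adds ``'password': 'ENC[PKCS7,MIIB2gYxxxxxx...xxxxxxx]'`` without saying which of the two output forms from hiera.rst it is. A short note that this is the one-line ``string:`` output placed in a quoted scalar, and that the multi-line ``block:`` output is instead written as a folded scalar (``'password': >`` followed by the indented ``ENC[...]`` lines), would stop readers from pasting the block output inside quotes. It would also be worth confirming that ``password`` is listed in the user properties table earlier in the file, since the context lines shown here end with ``shell`` and the new example relies on that key being documented.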