forked from 2i2c-org/infrastructure
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add docs on decrypting encrypted messages as a team
Should have an equivalent PR to the docs repo targetted towards the people who are *sending* us stuff. Ref 2i2c-org#639
- Loading branch information
Showing
7 changed files
with
138 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # Decrypt encrypted information sent to `support@2i2c.org` | ||
|
|
||
| Sometimes community representatives need to send us *encrypted* information - | ||
| usually credentials for cloud access or an authentication system. We use | ||
| [age](https://age-encryption.org/) (pronounced *aghe*) to allow such information to | ||
| be encrypted and then sent to use in a way that *anyone* on the team can decrypt, | ||
| rather than the information be tied to a single engineer. | ||
|
|
||
| ## Pre-requisites | ||
|
|
||
| Before you can decrypt received messages, you need the following pre-requisites setup. | ||
|
|
||
| 1. [Install age](https://github.com/FiloSottile/age#installation) | ||
| 2. [Install sops](tools:sops) | ||
| 3. [Authenticate with gcloud](tools:gcloud:auth) so sops can decrypt the private age | ||
| key kept in the repository. | ||
|
|
||
| These are all one-time tasks, and (2) and (3) are generally required for deployments to work. | ||
|
|
||
| ## Decrypt received message | ||
|
|
||
| The encrypted message looks something like | ||
|
|
||
| ``` | ||
| -----BEGIN AGE ENCRYPTED FILE----- | ||
| YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cDRlMzVzWHpWU1JIeVBj | ||
| YnBqOHc5NzA3ZTZiNlljSkRDMFpyMkNUWVhBCmRBb1ltQVNPVExNK1ppbVY4OC93 | ||
| OVBqUmtMQytsQkpMZkxDbXZ2R0d6ZzQKLS0tIGlGNktqWDFZMDZaYTVFTUIyNmZD | ||
| dnY1aHZGMFRpb2djMmViSU5qNkJ0M1EKtRkajujtLCgCZkPRQEGanAavNj/GQc/g | ||
| xQemDwYveQVheTyc9zA= | ||
| -----END AGE ENCRYPTED FILE----- | ||
| ``` | ||
|
|
||
| Once you have the encrypted contents, you can decrypt it by: | ||
|
|
||
| 1. Run `./shared/keys/decrypt-age.py` from the infrastructure repo checkout | ||
| 2. Paste the encrypted message in your terminal | ||
| 3. Press enter, and then `Ctrl+D` | ||
| 4. You'll see the decrypted output! | ||
|
|
||
| Alternatively, you can also run `./shared/keys/decrypt-age.py <path-to-encrypted-file>` | ||
| if the encrypted message is stored in a file |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # Support | ||
|
|
||
| This section lists various tasks that engineers might do as part of support | ||
| requests. | ||
|
|
||
|
|
||
| ```{toctree} | ||
| :maxdepth: 2 | ||
| decrypt-age | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| #!/usr/bin/env python3 | ||
| """ | ||
| Simple utility to decrypt secrets sent to `support@2i2c.org` via `age` | ||
| """ | ||
| import argparse | ||
| import pathlib | ||
| import subprocess | ||
| import sys | ||
| import tempfile | ||
| from contextlib import contextmanager | ||
|
|
||
|
|
||
| @contextmanager | ||
| def decrypt_age_private_key(): | ||
| """ | ||
| Decrypt our age private key, which is encrypted with sops | ||
| """ | ||
| age_private_key = pathlib.Path(__file__).parent.joinpath("enc-age-private.key") | ||
|
|
||
| with tempfile.NamedTemporaryFile() as f: | ||
| subprocess.check_call( | ||
| ["sops", "--output", f.name, "--decrypt", age_private_key] | ||
| ) | ||
|
|
||
| yield f.name | ||
|
|
||
|
|
||
| def decrypt_content(encrypted_contents): | ||
| """ | ||
| Decrypt contents | ||
| """ | ||
| with decrypt_age_private_key() as age_key: | ||
| cmd = ["age", "--decrypt", "--identity", age_key] | ||
|
|
||
| subprocess.run(cmd, input=encrypted_contents, check=True) | ||
|
|
||
|
|
||
| def main(): | ||
| argparser = argparse.ArgumentParser() | ||
| argparser.add_argument( | ||
| "encrypted_file", | ||
| nargs="?", | ||
| help="Path to age-encrypted file sent by user. Leave empty to read from stdin", | ||
| ) | ||
| args = argparser.parse_args() | ||
|
|
||
| if not args.encrypted_file: | ||
| # No file specified | ||
| print("Paste the encrypted file contents, hit enter and then press Ctrl+D") | ||
| encrypted_contents = sys.stdin.read().encode() | ||
| else: | ||
| # rb so it doesn't try to decode to utf-8, in case we have a non-armored file | ||
| with open(args.encrypted_file, "rb") as f: | ||
| encrypted_contents = f.read() | ||
|
|
||
| decrypt_content(encrypted_contents) | ||
|
|
||
|
|
||
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| { | ||
| "data": "ENC[AES256_GCM,data:5ndjbuQdvmWSp+jMIV9YNqlsp/4OQH+wPZfoM2HsmP5qwACdL/pismiXp9ZJDuV4TzritzpV75Ghg5q0izhIIiGuno2tDj4vEOOFuLlQWQ4x4facpZLDCny4wufj74l6uBokv9+QH/fw8l0twhUmqDp5AKU8w6ZwF46SaZBZYEdEWA/Jfc6S2rTDlNf+RlJLMqsuYYYkIoFw1Wq1hJ9AKBnPnb5a4B1a/9HmvrBZrX1G7eLGJWuCYMvIDtsH,iv:wA71gaG+8XDRSPXRnoyGYyOviOIrMBF682/THgPzYy0=,tag:T5D/lMPhDXFgqZDF5hsuPA==,type:str]", | ||
| "sops": { | ||
| "kms": null, | ||
| "gcp_kms": [ | ||
| { | ||
| "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", | ||
| "created_at": "2022-09-09T17:43:24Z", | ||
| "enc": "CiQA4OM7eGpDfkXE75IRW8hLTcQq88chS6bWiSmHG9z+U28cjpQSSQDuy/p8JMXTL0u6q2T+dD2SvpVsXYs88vYLJ2v04W+JUKmXH+a7cdOfeND78aJBWf0XxwEdJxTpVS39xHHwpgsewerC+M/Rfzw=" | ||
| } | ||
| ], | ||
| "azure_kv": null, | ||
| "hc_vault": null, | ||
| "age": null, | ||
| "lastmodified": "2022-09-09T17:43:24Z", | ||
| "mac": "ENC[AES256_GCM,data:GLd3kq0KYade+r6sDuTsGMYl9wQMqWpplIPxun5W0qVi+2peS4+TD/rxeE7YCw/og/stdERcFfFL4Dwh5qLI49dlgHe/llpQGCt7Spt13d44ex/Bv/pYKUyfdO7OKjIrLLbG1dymqD2OvkmN/lyr+29INa1sU+HvMHZHNtGo9wo=,iv:0O/fHXvo4p42Qim1B10lwZmaE4jnOb737/YlC7L2OvI=,tag:yTY8DN157AumtIQRIw9xsg==,type:str]", | ||
| "pgp": null, | ||
| "unencrypted_suffix": "_unencrypted", | ||
| "version": "3.7.3" | ||
| } | ||
| } |