Encrypted Intercept Configuration - OpenLI-NZ/openli GitHub Wiki
In some deployments, it may be required or preferable that the intercept configuration is stored in an encrypted format.
The ability to read and write encrypted intercept configuration was added in OpenLI version 1.1.12.
To enable this capability in OpenLI, you will need to complete the following steps:
- Add `encrypt-intercept-config-file: true` to the top level of your provisioner configuration file.
- Generate a random 32 character password and write it into a file on disk that only the user that will run your provisioner can read.
- Start the OpenLI provisioner with the `-K <file>` command line argument, where `<file>` is the path to the file containing your password from Step 2.
Note that if your running intercept config is unencrypted at the time when you enable encryption, it will remain unencrypted until either the REST API is used to modify the intercept configuration OR you manually encrypt the config file prior to starting the provisioner.
If you have installed OpenLI from a pre-built package and are using the systemd service files provided by those packages to run the provisioner, you do not need to worry about Steps 2 and 3 above -- but you will still need to do Step 1 to turn on encryption support.
To generate the random password, I recommend the following bash code:
```bash
s=""
# keep appending alphanumeric bytes from /dev/urandom until at least 32 are collected
until s="$s$(dd bs=64 count=1 if=/dev/urandom 2>/dev/null | LC_ALL=C tr -cd 'a-zA-Z0-9')"
      [ ${#s} -ge 32 ]; do :; done
PASSWORD=$(printf '%.32s' "$s")
echo "${PASSWORD}" > /etc/openli/enc-pass.txt
chmod 0640 /etc/openli/enc-pass.txt
```
Don't forget to use chown to set the ownership correctly.
NOTE: this step is performed automatically if you install OpenLI using a package -- the resulting password can be found in /etc/openli/.intercept-encrypt
To manually encrypt an unencrypted running intercept config file:
```bash
openssl enc -salt -aes-256-cbc -pbkdf2 -pass file:/etc/openli/enc-pass.txt \
    -in <existing-config-file> -out <new-encrypted-file>
```
To manually decrypt an encrypted running intercept config file (e.g. for debugging purposes):
```bash
openssl enc -d -aes-256-cbc -pbkdf2 -pass file:/etc/openli/enc-pass.txt \
    -in <encrypted-file> -out <decrypted-file>
```
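As an added example (not OpenLI project code), the following POSIX shell helpers wrap the manual encryption step above: they sanity-check the password file, detect whether a config is already encrypted by the `Salted__` header that `openssl enc` writes, refuse to encrypt twice, and verify the round trip before the new file is trusted. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added helpers (not part of OpenLI) wrapping the manual encryption step.
# Assumes the openssl CLI and a password file as generated on this page.
# All function names here are hypothetical.

# Return 0 if FILE starts with the "Salted__" magic that `openssl enc`
# writes in front of the salt, i.e. it is already encrypted; 1 otherwise.
openli_config_is_encrypted() {
    [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# Check the password file: it must exist, must not be world-readable, and
# its first line must be exactly 32 characters, since `-pass file:` only
# reads the first line of the file.
openli_check_passfile() {
    pf="$1"
    [ -f "$pf" ] || { echo "missing password file: $pf" >&2; return 1; }
    # columns 8-10 of `ls -l` are the "other" permission bits
    if [ "$(ls -ld "$pf" | cut -c8-10)" != "---" ]; then
        echo "$pf is readable by others; tighten its permissions" >&2
        return 1
    fi
    p=$(head -n 1 "$pf")
    if [ "${#p}" -ne 32 ]; then
        echo "$pf: first line is ${#p} characters, expected 32" >&2
        return 1
    fi
    return 0
}

# Encrypt IN to OUT with the same openssl parameters the page uses, refusing
# to double-encrypt, then decrypt OUT again and compare it byte-for-byte
# with IN. Returns non-zero if any step fails.
openli_encrypt_config() {
    pf="$1"; in="$2"; out="$3"
    openli_check_passfile "$pf" || return 1
    if openli_config_is_encrypted "$in"; then
        echo "$in already carries an openssl salt header; not encrypting twice" >&2
        return 1
    fi
    openssl enc -salt -aes-256-cbc -pbkdf2 -pass "file:$pf" \
        -in "$in" -out "$out" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$pf" -in "$out" \
        | cmp -s - "$in"
}
```

Run the encrypt helper on a copy of the running config before starting the provisioner; a non-zero exit means the new file should not be put in place.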