Cool, so possible idea here.
Have the 'root' datasource expose a 'public' (readable) copy of itself with the following restrictions.
If there is any userdata:
  If there is a config option 'encrypt_queryable_user_data' : false (default true), then just leave userdata alone.
  Otherwise if true, attempt to encrypt with ssh keys (generated by previous module).
  - openssl rsautl -encrypt -inkey /tmp/public.pub -pubin -in /tmp/msg.txt -out /tmp/file.enc (or similar)
  - if that fails, just remove the user-data (empty string)
Then write out that public copy to a file that can be used by this new cloud-init query tool.
The tool itself can be asked for certain datasource fields and show them back, more features here to inspect other files can be added later (?)
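The procedure proposed in the comment above (a public copy of the datasource, user-data encrypted to the instance's public key when encrypt_queryable_user_data is true, emptied when encryption fails, then written to a file for the query tool), as an added example that is not part of this comment or of cloud-init's code. It assumes a datasource represented as a plain dict with a 'user-data' key, an RSA public key in PEM form at pubkey_path, and the openssl invocation quoted in the comment; the encryptor is an injectable parameter so the policy can be exercised without openssl installed. The sample datasource at the bottom is constructed.

```python
import base64
import copy
import json
import os
import subprocess
import tempfile

# Assumed config key, taken from the proposal; default is "encrypt".
ENCRYPT_OPTION = "encrypt_queryable_user_data"


def encrypt_with_openssl(plaintext: bytes, pubkey_path: str) -> bytes:
    """Encrypt plaintext to the PEM RSA public key at pubkey_path using the
    openssl command from the proposal. Any failure (openssl missing, key
    missing or malformed, message too long for the key) raises OSError or
    CalledProcessError so the caller can apply the proposal's fallback."""
    with tempfile.TemporaryDirectory() as tmp:
        msg = os.path.join(tmp, "msg.txt")
        enc = os.path.join(tmp, "file.enc")
        with open(msg, "wb") as f:
            f.write(plaintext)
        subprocess.run(
            ["openssl", "rsautl", "-encrypt", "-inkey", pubkey_path, "-pubin",
             "-in", msg, "-out", enc],
            check=True, capture_output=True)
        with open(enc, "rb") as f:
            return f.read()


def make_public_copy(datasource: dict, cfg: dict, pubkey_path: str,
                     encrypt=encrypt_with_openssl) -> dict:
    """Return the 'public' (readable) copy of the datasource.

    - no user-data: copy unchanged
    - option false: user-data left alone (plaintext)
    - option true (default): user-data replaced by ciphertext bytes, or by
      the empty string if encryption fails
    The original datasource is never mutated."""
    public = copy.deepcopy(datasource)
    userdata = public.get("user-data")
    if not userdata:
        return public
    if not cfg.get(ENCRYPT_OPTION, True):
        return public
    raw = userdata.encode() if isinstance(userdata, str) else userdata
    try:
        public["user-data"] = encrypt(raw, pubkey_path)
    except (OSError, subprocess.CalledProcessError):
        # Proposal's fallback: strip the user-data rather than expose it.
        public["user-data"] = ""
    return public


def serialize_public_copy(public: dict) -> str:
    """JSON text for the query tool's file; ciphertext is base64-encoded."""
    out = dict(public)
    if isinstance(out.get("user-data"), bytes):
        out["user-data"] = base64.b64encode(out["user-data"]).decode("ascii")
    return json.dumps(out, indent=2, sort_keys=True)


def write_public_copy(public: dict, path: str) -> None:
    """Write the public copy where the query tool can read it."""
    with open(path, "w") as f:
        f.write(serialize_public_copy(public))


if __name__ == "__main__":
    # Constructed sample datasource; the key path is a placeholder.
    ds = {"instance-id": "i-constructed", "user-data": "#cloud-config\nhostname: demo\n"}
    public = make_public_copy(ds, {}, "/tmp/public.pub")
    print(serialize_public_copy(public))
```

Two properties of the quoted openssl command are worth knowing before relying on the fallback: rsautl (and its replacement pkeyutl; rsautl is deprecated in OpenSSL 3) does raw RSA encryption, so it only accepts a message shorter than the modulus minus padding, about 245 bytes for a 2048-bit key, and anything larger fails. Combined with the "if that fails, empty string" rule, most real user-data would silently vanish from the public copy, which is safe for confidentiality but surprising for the query tool's users; logging the openssl stderr on failure makes the cause visible.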