Metadata Encryption
Metadata files (see: The Metadata Framework) may be encrypted with a single symmetric key.
This allows you to collaborate with others without sharing sensitive data directly, e.g. by committing only the encrypted files to your source control system; the key itself is shared with collaborators separately and is never committed.
The encryption process uses a symmetric block cipher, AES-256-ECB. Be aware that ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks: repeated structure in your YAML (recurring keys, values or runs of indentation) can be visible in the .enc files without the key. Neither ECB nor CBC detects tampering, so rely on your source control workflow (reviewed, signed commits) rather than the cipher to notice a modified .enc file.
Note
The use of AES-256-ECB will be deprecated in a future release, with an intended upgrade to AES-256-CBC. An upgrade path will be provided for already encrypted files. CBC hides the repeated plaintext blocks that ECB exposes, but like ECB it does not authenticate the ciphertext.
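To make the ECB caveat concrete, here is an added Ruby example (not bcome's own code; the page does not describe how bcome derives its key from the metadata key you type, nor the layout of its .enc files, so the PBKDF2 derivation, the fixed salt, the passphrase and the raw-ciphertext format are assumptions). It encrypts a constructed YAML fragment made of repeated lines under AES-256-ECB and AES-256-CBC, counts how many ciphertext blocks repeat, and then flips one byte of each ciphertext to show that both modes decrypt tampered data without complaint:

```ruby
require 'openssl'

# Constructed sample: four identical 32-byte YAML lines, so block boundaries
# line up with the repeats (each line is exactly two AES blocks).
SAMPLE = ("password: hunter2hunter2hunter2\n" * 4).b

# Derive a 32-byte AES-256 key from the passphrase the user types in.
# Assumption: bcome's actual derivation is not described on this page.
# PBKDF2 with a random per-file salt is the usual choice; a fixed salt is
# used here only to keep the example deterministic.
def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 100_000,
                           length: 32, hash: 'sha256')
end

def encrypt(mode, key, plaintext, iv = nil)
  cipher = OpenSSL::Cipher.new("aes-256-#{mode}")
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv if iv   # ECB takes no IV; CBC needs a fresh one per file
  cipher.update(plaintext) + cipher.final
end

def decrypt(mode, key, ciphertext, iv = nil)
  cipher = OpenSSL::Cipher.new("aes-256-#{mode}")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv if iv
  cipher.update(ciphertext) + cipher.final
end

# Number of 16-byte ciphertext blocks that exactly duplicate an earlier block.
# Under ECB this equals the number of repeated plaintext blocks.
def repeated_blocks(ciphertext, block_size = 16)
  blocks = ciphertext.bytes.each_slice(block_size).map { |b| b.pack('C*') }
  blocks.size - blocks.uniq.size
end

# Simulate a tampered .enc file by flipping the low bit of one byte.
def flip_byte(ciphertext, index)
  bytes = ciphertext.bytes
  bytes[index] ^= 0x01
  bytes.pack('C*')
end

# True if decryption raises no error. Only the PKCS#7 padding in the final
# block is ever checked, so damage anywhere else goes unnoticed.
def decrypts_without_error?(mode, key, ciphertext, iv = nil)
  decrypt(mode, key, ciphertext, iv)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

if __FILE__ == $PROGRAM_NAME
  key = derive_key('correct horse battery staple', 'constructed-salt')
  iv  = OpenSSL::Random.random_bytes(16)
  ecb = encrypt('ecb', key, SAMPLE)
  cbc = encrypt('cbc', key, SAMPLE, iv)
  puts "ECB repeated ciphertext blocks: #{repeated_blocks(ecb)}"  # 6 of 9
  puts "CBC repeated ciphertext blocks: #{repeated_blocks(cbc)}"  # 0 of 9
  puts "ECB accepts tampered file: #{decrypts_without_error?('ecb', key, flip_byte(ecb, 0))}"
  puts "CBC accepts tampered file: #{decrypts_without_error?('cbc', key, flip_byte(cbc, 0), iv)}"
end
```

The 128-byte sample pads to nine blocks; under ECB only three of them are distinct, which is exactly the structure an attacker reading the committed .enc file sees. CBC makes every block distinct, but the last two lines show why the planned move to CBC still leaves you depending on source control for integrity.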
Encryption commands
Packing
Encryption is referred to as packing.
To pack all your metadata files, invoke the following:
bcome pack_metadata
You will be prompted for a metadata key, which will be used to encrypt your data.
Should you now inspect your metadata directory, you will see that every YAML file has a .enc counterpart.
Note
If any metadata YAML file already has a .enc counterpart, you will need to provide the same metadata key used to encrypt that file in order to pack all the others.
Hint
Commit only your .enc files to source control (for example by ignoring the plaintext .yml files in your metadata directory), and build a workflow around packing and unpacking.
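One way to enforce that hint is a git pre-commit hook that rejects any staged plaintext YAML under the metadata directory. The following is an added Ruby example, not part of bcome; the page does not give the metadata directory's path, so it is taken from an assumed environment variable with a placeholder default, and the hook pairs naturally with a .gitignore entry for the same path such as `bcome/metadata/*.yml` (path assumed).

```ruby
#!/usr/bin/env ruby
# Install as .git/hooks/pre-commit (chmod +x). Refuses a commit that stages a
# plaintext YAML file under the metadata directory.

# Assumption: the page does not give the metadata directory's path, so it is
# read from an assumed environment variable with a placeholder default.
METADATA_DIR = ENV.fetch('BCOME_METADATA_DIR', 'bcome/metadata')

# Return the subset of paths that are unencrypted YAML under the metadata
# directory. Only .yml/.yaml are rejected; their .enc counterparts are what
# should be committed. Nested subdirectories are covered by the prefix check.
def plaintext_metadata(paths, dir = METADATA_DIR)
  prefix = dir.chomp('/') + '/'
  paths.select { |p| p.start_with?(prefix) && p.end_with?('.yml', '.yaml') }
end

# Staged added/copied/modified paths, NUL-separated so names with spaces survive.
def staged_paths
  `git diff --cached --name-only --diff-filter=ACM -z`.split("\0")
end

# Only run the hook body when git invokes this file as the pre-commit hook.
if File.basename($PROGRAM_NAME) == 'pre-commit'
  leaked = plaintext_metadata(staged_paths)
  unless leaked.empty?
    warn 'refusing to commit unencrypted metadata:'
    leaked.each { |p| warn "  #{p}" }
    warn 'run `bcome pack_metadata` and stage the .enc files instead'
    exit 1
  end
end
```

A hook only protects clones that have it installed, so keep the .gitignore rule as the baseline and treat the hook as a second check for people who force-add files.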
Unpacking
Decryption is referred to as unpacking.
To unpack all your metadata files, invoke the following:
bcome unpack_metadata
You will be prompted for the same key as was used to Pack your metadata originally.
Warning
Should there be any differences between your .enc metadata files and their .yml counterparts during unpacking, you will be prompted for confirmation before proceeding, because the .yml files would otherwise be overwritten with the decrypted contents.
Metadata Diffs
To see the differences between your encrypted metadata and the unpacked .yml files (i.e. what unpacking would overwrite), use the following command:
bcome diff_metadata