Metadata-Version: 1.1
Name: splunksecrets
Version: 0.5.0
Summary: splunksecrets - Encrypt / Decrypt Splunk encrypted passwords
Home-page: UNKNOWN
Author: Steve McMaster
Author-email: mcmaster@hurricanelabs.com
License: UNKNOWN
Description: splunksecrets - Encrypt and Decrypt Splunk Passwords
        ====================================================
        
        |Build Status| |codecov.io|
        
        ``splunksecrets`` is a tool for working with Splunk secrets offline. It
        currently supports encryption and decryption of passwords, but in the
        future will support offline recursive conversion of a Splunk
        installation from one splunk.secret file to another (e.g. for
        synchronizing splunk.secret across your entire distributed
        infrastructure).
        
        Installation
        ------------
        
        ``splunksecrets`` can be installed using pip3:
        
        ::
        
           pip3 install splunksecrets
        
        Or, if you're feeling adventurous, can be installed directly from
        github:
        
        ::
        
           pip3 install git+https://github.com/HurricaneLabs/splunksecrets.git
        
        Usage
        -----
        
        ::
        
           usage: splunksecrets [-h] [--splunk-secret SPLUNK_SECRET]
                            [--splunk-secret-text SPLUNK_SECRET_TEXT] [-D] [--new]
                            [--nosalt] [--password PASSWORD]
        
           optional arguments:
             -h, --help            show this help message and exit
             --splunk-secret SPLUNK_SECRET
             --splunk-secret-text SPLUNK_SECRET_TEXT
             -D, --decrypt
             -H, --hash-passwd
             --new
             --nosalt
             --password PASSWORD
        
        - Use ``--new`` when encrypting/decrypting Splunk 7.2 secrets
          (indicated by ``$7$``)
        - Use ``--nosalt`` when encrypting/decrypting Splunk pre-7.2 secrets that are
          not hashed
        - Use ``--splunk-secret`` to specify a path to splunk.secret, or use the
          ``SPLUNK_SECRET`` environment variable
        - Use ``--splunk-secret-text`` to specify ``splunk.secret`` contents on the
          command line, or use the ``SPLUNK_SECRET_TEXT`` environment variable
        - Use ``--password`` to specify password to be encrypted/decrypted on the
          command line, or use the ``PASSWORD`` environment variable
        
          - NOTE: when doing so, on \*nix or other platforms running bash-like
            shells, you must escape the ``$`` in passwords, like so:
        
            ::
        
                splunksecrets --splunk-secret-text ... --password \$1\$.....
        
        - Use ``--hash-password`` to generate a hash for $SPLUNK_HOME/etc/passwd
        
        Encryption Schemes
        ------------------
        
        Splunk passwd hashes
        ~~~~~~~~~~~~~~~~~~~~
        
        Splunk password hashes are not, strictly speaking, encrypted. They're
        hashed using the standard Unix ``crypt`` function. The ``$6$`` indicates
        that SHA-512 hashing algorithm is used. Details on SHA-crypt can be
        found `here <https://akkadia.org/drepper/SHA-crypt.txt>`__.
        
        Splunk pre-7.2
        ~~~~~~~~~~~~~~
        
        Splunk prior to 7.2 used RC4 encryption for secrets, indicated in
        configuration files by ``$1$`` in the encrypted password. The plaintext
        password is XOR'ed with a static salt (``DEFAULTSA``) and then RC4
        encrypted using the first 16-bytes of ``splunk.secret`` as the key. The
        resulting ciphertext is base64-encoded and prepended with ``$1$`` to
        produce the encrypted password seen in the configuration files.
        
        Splunk 7.2
        ~~~~~~~~~~
        
        Starting in Splunk 7.2, AES256-GCM is used for encryption of secrets,
        indicated in configuration files by ``$7$`` in the encrypted password.
        The ``PBKDF2`` algorithm is used to derive an encryption key from all
        254 bytes of ``splunk.secret`` (the newline character is stripped from
        the end of the file), using a static salt of ``disk-encryption`` and a
        single iteration. This 256-bit key is then used as the encryption key
        for AES256-GCM, with a 16-byte randomly generated initialization vector.
        The encryption produces both the ciphertext as well as a "tag" that is
        used as part of integrity verification. The iv, ciphertext, and tag (in
        that order) are concatenated, base64-encoded, and prepended with ``$7$``
        to produce the encrypted password seen in the configuration files.
        
        Known Issues
        ------------
        
        - If the splunk secret and an encrypted password don't match, one of
          two things will happen - either you'll get gibberish output, or a
          Python traceback. At some point, we'll hopefully have better error
          checking for this.
        
        Version History
        ---------------
        
        Version 0.5.0 (2020-06-23)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        - Add support for passing a path to splunk.secret, the splunk.secret
          contents, and the password/password hash via environment variables
          (thanks hanswurscht)
        - Added error output when trying to decrypt user passwords
        
        Version 0.4.3 (2020-02-17)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Correct an issue when splunk secret is too long. Splunk handles this
          by truncating splunk.secret to 254 bytes, so we now do the same
          (thanks nbertram)
        - Added error checking in case, somehow, splunk secret is too short.
        
        Version 0.4.2 (2019-09-29)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Add handling for incorrectly padded (but otherwise correct) password
          strings as a convenience (thanks rafrey-his)
        
        Version 0.4.1 (2019-09-11)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Fix an issue in Python 3 when using ``--splunk-secret-text`` (thanks
          Joeboyc2)
        
        Version 0.4.0 (2019-03-25)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Add ``--hash-passwd`` flag for generating Splunk password hashes
        
        Version 0.3.1 (2019-02-06)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Fix bug when a character in the password was the same as the salt
          character
        - Add ``--splunk-secret-text`` and ``--password`` arguments for
          non-interactive use (thanks nadidsky)
        
        Version 0.3.0 (2019-01-26)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Add ``--nosalt`` flag for pre-7.2 passwords that are not salted, such
          as ``sslPassword`` (thanks duckfez)
        
        Version 0.2.1 (2018-10-27)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Cosmetic release to update metadata on PyPI
        
        Version 0.2.0 (2018-10-24)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Add support for Splunk 7.2
        
        Version 0.1.0 (2018-10-08)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        - Initial release
        - Support Splunk < 7.2
        
        License Info
        ------------
        
        The MIT License (MIT)
        
        Copyright (c) 2020 Hurricane Labs LLC
        
        Permission is hereby granted, free of charge, to any person obtaining a
        copy of this software and associated documentation files (the
        "Software"), to deal in the Software without restriction, including
        without limitation the rights to use, copy, modify, merge, publish,
        distribute, sublicense, and/or sell copies of the Software, and to
        permit persons to whom the Software is furnished to do so, subject to
        the following conditions:
        
        The above copyright notice and this permission notice shall be included
        in all copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
        OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
        MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
        IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
        CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
        TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
        SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
        
        .. |Build Status| image:: https://travis-ci.org/HurricaneLabs/splunksecrets.svg?branch=master
           :target: https://travis-ci.org/HurricaneLabs/splunksecrets
        .. |codecov.io| image:: https://codecov.io/gh/HurricaneLabs/splunksecrets/branch/master/graph/badge.svg
           :target: https://codecov.io/gh/HurricaneLabs/splunksecrets
        
Platform: UNKNOWN
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 3
Classifier: Development Status :: 5 - Production/Stable
