From: Christian Pointner Date: Wed, 26 Apr 2017 17:54:17 +0000 (+0200) Subject: added better key handling for vault secret X-Git-Url: https://git.realraum.at/?p=noc.git;a=commitdiff_plain;h=b7c82bb97cefa1a1d70b4348953249b84190c022 added better key handling for vault secret --- diff --git a/.gitignore b/.gitignore index ae5eabf..3b3711f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ /log -/*.retry +/gpg/vault-keyring.gpg~ +*.pyc +*.retry +.*.sw? diff --git a/README-vault b/README-vault deleted file mode 100644 index 0e09ec0..0000000 --- a/README-vault +++ /dev/null @@ -1,11 +0,0 @@ -Creating key: - pwgen -s 128 -1 | gpg2 -e -a -o vault-pass.gpg - -Reencrypt for new set of keys: - ./open-vault.sh | gpg2 -e -a -o vault-pass.gpg - -Create a new vault file: - ansible-vault create secrets/foo.yaml - -Edit a vault file: - ansible-vault edit secrets/foo.yaml diff --git a/README_vault.md b/README_vault.md new file mode 100644 index 0000000..311cc2a --- /dev/null +++ b/README_vault.md 
@@ -0,0 +1,117 @@
+Secrets and Vaults
+==================
+
+All secrets are stored inside encrypted ansible vault files which live
+inside the secrets directory. Access to the vault files is controlled via
+GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+
+
+Creating a GPG key
+------------------
+
+You can use the following command to generate a new GPG key:
+
+```
+# gpg2 --full-gen-key
+ - select "RSA and RSA" as kind (should be option: 1)
+ - set keysize to: 4096
+ - set key expiration to: 2y
+ - set Real name and eMail adress
+ - set a passphrase for the key (please use a strong passphrase!!!)
+```
+
+This command prints the fingerprint and other inforamtion about the newly
+generated key. In the line starting with pub you can find the key ID. This
+ID can be used to uniquely identify your key. Here is a sample output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+In order to add your key to the list of keys which can read the ansible vault
+you first need to export the public part of your key using the following
+command:
+
+```
+# gpg2 --armor --export "" > mykey.asc
+```
+
+
+
+Adding a key to the Vault
+-------------------------
+
+Everybody who currently has access to the vault can add keys using the
+following command:
+
+```
+# gpg/add-keys.sh mykey.asc
+```
+
+This will add the new key to the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all keys inside the keyring.
+ + + +Removing a key from the Vault +----------------------------- + +Everybody who currently has access to the vault can remove keys using the +following command: + +``` +# gpg/remove-keys.sh "" +``` + +This will remove the key from the keyring stored inside the repository and +reencrypt the secret to unlock the vault for all remaining keys inside the +keyring. + +You can find out the key ID using the command: + +``` +# gpg/list-keys.sh +``` + +Here is an example output: + +``` +pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01] + Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678 +uid [ unknown] Firstname Lastname +sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01] +``` + +The key ID is the hexadecimal number next to ```rsa4096/``` in the line +starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678``` + + + +Working with Vault files +------------------------ + + * create new vault: + ``` +# ansible-vault create secrets/foo.vault.yml + ``` + This will open up an editor which allows you to add variables. Once you + store and close the file the content is automatically encrypted. + + * edit a vault file: + ``` +# ansible-vault edit secrets/foo.vault.yml + ``` + This will open up an editor which allows you to add/remove/change variables. + Once you store and close the file the content is automatically encrypted. + + * show the contents of a vault file: + ``` +# ansible-vault view secrets/foo.vault.yml + ``` + This will automatially decrypt the file and print it's contents. diff --git a/ansible.cfg b/ansible.cfg index 55dc29a..9f97815 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -3,7 +3,7 @@ inventory = ./hosts remote_user = root log_path = ./log nocows=1 -vault_password_file = ./open-vault.sh +vault_password_file = ./gpg/get-vault-pass.sh gathering = smart var_compression_level = 9 diff --git a/gpg/add-key.sh b/gpg/add-key.sh new file mode 100755 index 0000000..98e2917 
--- /dev/null
+++ b/gpg/add-key.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --import $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh
new file mode 100755
index 0000000..202c94f
--- /dev/null
+++ b/gpg/get-vault-pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh
new file mode 100755
index 0000000..b00c49c
--- /dev/null
+++ b/gpg/gpg2.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-default-keyring $@
diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh
new file mode 100755
index 0000000..4b01049
--- /dev/null
+++ b/gpg/list-keys.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@
diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh
new file mode 100755
index 0000000..80ae157
--- /dev/null
+++ b/gpg/remove-keys.sh
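Review bot: The `--import $@` call in gpg/add-key.sh passes its arguments unquoted, so a key file path containing spaces or glob characters is split or expanded before gpg sees it; `"${BASH_SOURCE%/*}/gpg2.sh" --import "$@"` keeps each argument intact, and the same applies to `--delete-keys $@` in gpg/remove-keys.sh. Because set-vault-pass.sh then encrypts to every key in the keyring with `--trust-model always`, this import is the only point where a new reader is vetted, yet nothing shows what is being imported; the script should print the fingerprint of each imported key and ask for confirmation so it can be compared with a value obtained out of band. README_vault.md calls this script `gpg/add-keys.sh`, while the file added here is `gpg/add-key.sh`, so one of the two names needs to change.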
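Review bot: `2> /dev/null` in gpg/get-vault-pass.sh throws away every gpg diagnostic, so a missing secret key, an expired key or an unavailable agent under `--batch` all look the same to the caller: empty output. The redirect is presumably there to hide gpg's per-recipient chatter, but since ansible.cfg now points `vault_password_file` at this script I would leave stderr alone, or at least add a comment such as `# stderr is discarded; rerun without 2>/dev/null to see gpg errors` so the next person knows where the error went.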
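Review bot: `$@` at the end of the exec line in gpg/gpg2.sh is unquoted, so every wrapper built on it re-splits its arguments (gpg/list-keys.sh forwards with a bare `$@` as well); both should use `"$@"`. `--secret-keyring /dev/null` is, as far as I know, an obsolete option that GnuPG 2.1 and later accept but ignore, so it should not be relied on to keep the user's secret keys out of these operations; either drop it or add a comment saying it is kept only for older gpg2 builds. It is `--keyring` together with `--no-default-keyring` that actually restricts the public keys to the repository keyring.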
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Please specify at least one key ID!"
+ echo ""
+ echo "You can find out the key ID using the command: gpg/list-keys.sh"
+ echo ""
+ echo " Here is an example output:"
+ echo ""
+ echo " pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]"
+ echo " Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678"
+ echo " uid [ unknown] Firstname Lastname "
+ echo " sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]"
+ echo ""
+ echo " The key ID is the hexadecimal number next to rsa4096/ in the line"
+ echo " starting with pub (not sub). In this case the key ID is: 0x1234567812345678"
+ echo ""
+ exit 1
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh
new file mode 100755
index 0000000..1fb3426
--- /dev/null
+++ b/gpg/set-vault-pass.sh
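Review bot: Re-encrypting the existing password after `--delete-keys` does not take access away from the removed key's holder: that person could already decrypt the password, and earlier revisions of gpg/vault-pass.gpg in the git history remain encrypted to their key. Removal therefore needs to be followed by generating a new vault password and re-keying every file under secrets/ with `ansible-vault rekey`, and any secret the removed person could read should be treated as known to them. The closing message should say so instead of only asking for a commit, e.g. `echo " The removed key could read the old password: rotate it and run ansible-vault rekey on the vault files."`, and README_vault.md's "Removing a key" section deserves the same sentence.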
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$keyids" ]; then
+ echo "ERROR: no keys to encrypt to, is the keyring empty?"
+ exit 1
+fi
+
+receipients=""
+for keyid in $keyids; do
+ receipients="$receipients -r $keyid"
+done
+
+
+"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+if [ $? -ne 0 ]; then
+ rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+ exit 1
+fi
+mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring.gpg
new file mode 100644
index 0000000..d619725
Binary files /dev/null and b/gpg/vault-keyring.gpg differ
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass.gpg
new file mode 100644
index 0000000..8adb660
--- /dev/null
+++ b/gpg/vault-pass.gpg
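Review bot: Nothing in gpg/set-vault-pass.sh checks that a password actually arrived on stdin before the `--encrypt` call. add-key.sh and remove-keys.sh run `get-vault-pass.sh | set-vault-pass.sh` without `pipefail`, so when decryption fails gpg encrypts an empty input, exits 0, and the final `mv` replaces gpg/vault-pass.gpg with an encrypted empty password while the caller prints success. Reading stdin into a variable and refusing to continue when it is empty closes that gap; the recipient list is also better held in an array than in the unquoted `$receipients` string. The fence shows only the changed middle of the script; note that `$(cat)` drops trailing newlines and the rewrite emits exactly one.

```shell
# … unchanged: keyids lookup and empty-keyring check …

# Refuse to write a new vault-pass.gpg when no password arrived on stdin
# (e.g. get-vault-pass.sh failed upstream in the pipe).
vault_pass=$(cat)
if [ -z "$vault_pass" ]; then
  echo "ERROR: empty vault password on stdin, not touching vault-pass.gpg" >&2
  exit 1
fi

recipients=()
for keyid in $keyids; do
  recipients+=(-r "$keyid")
done

# printf is a builtin, so the password never appears in a process argument list.
printf '%s\n' "$vault_pass" | "${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${recipients[@]}"
# … unchanged: status check, rm -f on failure, mv into place …
```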
@@ -0,0 +1,52 @@ +-----BEGIN PGP MESSAGE----- + +hQIMA5935MibhBNKARAAmx+MCvfhh0Y9zq6oZvGi6H6zcSlStp/s+xd5C0VS7++k +U6EOJFFU7oSs4q9P58odpP8VljiTQ6io7YaztyHQfD3n3fzMD/xkWQ0PUQ62mYQe +SQr9HsDf0f8A5iVZCH1lBtl2xx/6XOWmvs/CSK0xMQ9RSuSI/CNos0IMF2Xh+SlZ +W720QCrjZw62DLCFP742BwLdPY4JjlNyWKfOMh6xqY+bJn7glSVpsVXyrrKaxJAj +tydPVqFDbvwDg9m+zgD7oROagWbX5YjyU4KO9Yw+NzKSR0HgY7kX55twM0Yitobo +c6Yz8/T+iJhuhjoi+4UrJDmGMcH0Xs8R/8noxfK9BlcnzApmEPT5wfdlfLX7iLxl +K5NdfmaRlDgqsV7tq0YjAKqC5YnnLq/uPzQT6ck2Tp3YhZN1Q/97lI24CkMjg7Kr +9r2E4UHQY7gaU0/Pj0U4sPUvqePOkHHVXhzp3qlMKr84IpBkeofzPg8mPlVOrcyM +9npGDZqL5jPfSIXK21zxe2nuBc9KS1jw8/qp7/2cgfE0BI5WM42frKFU4V07xe5v +X47wQxna5zFtY9TacvLm0T8/MmqWJXycVb36a9PvSE3zrWYaLLBtz/shoqEObBVC +AbVuU4nHPVWn7iyfJP+QywlX+ANoKYfPCePBJSjGbjOJxLq1Eui0SU2OW7gpfViF +AgwDr1yutpaCp8sBD/wJPgDIF6Fq3QFUPBkVE4MVN7mzmd1SZ4ujNt/zuddvxrk8 +Y848jSTbA9akcyezVY8WOveY5T64aFnYKBWL9IcD7Ng2K5TFkMWRT5lFNfv/+uDY +TOo/7Ym0i0uE0mclnr94Vt9pl48WvoNa6G7/kIAP6tLhST0tG5dPJuVCXCppfyfe +eXPKJ9s/oryo7uWRL3UzoapR2e3JMFYFmc98iJpiLbC87YHRVgSn2MhA0oTGbsIs +8TVjjfIotp1OZ+vvylDHoVuoPiPAGF8Q4KLI2bsh3cbiOOZzA+XVZAFaeraEZJj3 +Q5bVFkLqPSo8nGeaxxdQnPvhsyRxTykEUfSSeapmksgutKUEHlkkUlV+V8+Zu0Pj +sSucvTQNoZgJ+XW+vYT/Dc8ipiU5ruVaLaLpRMExri6mZFohzwO/kedVQ9cxSw88 +SxHnM6sXbSZ4BZZ5JX5imRlYgeNlSaXZmdb7byTSVDg+A/UgL0i5ae9J0EKJ4A2n +JKJcVofml6AKuQZGDsiFFN47RgXOTaW5mTSeiWQQPadbmJcd3o0Nz9itwsBQVWn8 +WphdSKm0BNTXlB7oMQQvUZGW6idDMWvHasRYhEheTw1Q+W10qUEnDrj4gGUxI1/p +ItBPe8KQwN5hTiOsxGVeelApIm5CZcvRjXkUZBMUS5NGcpRYO8yeQWHvYNzUUoUC +DAOy63ZNzMZTKQEP/1il8xTU6CQcR3XLck2Z5FWdaw90nPGdpF0ru23r/SJrRcGC +iRtw6u44vSvpXrb2wJyLes+2l3p7gR9gWvxCKGH2ZxjTiDLGYf0lwJ5Ep050RINU +YTUDLCVHdtMMtcEImLh5K9jNfs0+ZIkCF3YNK7ffekg3Way8DKvsjSSY0NpSiZJ1 +r7tpov7IIe6Cqt5+/PUK+XG8KolF0cVhVrYyM4SHzW/jQ39gDJ7GLfqxzAUwkG26 +61QZ1hU2X81a3A2qLEeZde7HB0gnl4svrSwk2GALa3cVfBoQYUvOljYQbHbbhlQM +eQea/ZtV3TVz3rpxT7OBBFRfPMqF5/XX0dVLG9fFYQ1paFQxa2h5ar6ah922N2Ci +0imjc9IY2b+INyr1p6ZfmXeVTD2Cpah7U4pCtIlH5wiyVs5axUpmR9UhQljuEl6l 
+Z8NqhDN6d+1kLHE6sQuvkoVktTXmCy61ofv0lt2PLOtAcLXJJhDBAG/Xqz6e2/eg +tnYvD5czBRLS7vwr+gHng4CsuKLvYyt1ZYeJtVicb0Fe3b+E6g9B8PeH49tCuH5l +vAx4d2sScdwJlF3xg51pVxt+7Lp+xeJWqD4hpOKtDBYsMfG1gQnAoXTU1OajFGh6 +Z0Tz8w0D9k7uS+RFH0C0CrS5QSVE0Rn/qW6m8N4H9BeRUW8O75FuZqQQgFDkhQIM +A3Ktdi0CD6U5AQ/+LKrtN2HYenWwBlAhJvPPeqFJVfewUxOhKDDziiZjm5InUMyO +WsAie5CNeHI/IfX235ye7+d5TR9TeQjdE3f1CeNIywNGHJW75JONLVEvBjeTy1f/ +qzzVsFD5gwNQnnrp46CO6ggPhJwo3NRnFldRAeLYd47oBoBvCowfh+FD4jycpPLp +1mewX7qz3VgXCz9FspHvB0OFHBLLLLr8uDNJFJLYWeRdJqebFHO2fhKSOpvkzOOG +BSU8tpYigbHBmMXt++mm8RYtX3GU1yeQkmgy9w0zTG2HOVJsnSuepCnKDZloyDNP +4+KTFc1+jrrC6CvQpPDqLB+AOsz7oXaK+d1ae9FjoDbfWISY7z9ThpFc9fdZ7BNn +zoLa49BEhUeXBU1pEpOqobiiSjxY0itBPW9ZjJp0BtCyxz5e5e0IelqJaQZT7EzW +2vc/f/D2IR1FOHbYByIfvbq60PjQNqTeNarvp/A45rfQ/HqNURkfV5f3Hx/ySJwc +2hHKodyHSV7wZ+ob518GaXOGNo5JF+9TjvTcwtRX2mt+Q+0TTZn6gM6ic88USPe1 +90EulwE/FFPHtpRakxM8bCDR7ml1OJi4x+Ecv4sTNPv6cFY00braIhWhp1laW3Fv +3lK/vD+6WEjC3oeRJxlApE+08W46sBE3KdbUjBb8m0oVbvfgVfzpC+TEg7zSuwE+ +WTahZTTBXusKrH1gtObZZ83yuJ5+dMtj0Krh79gUKOUx7eN5fUrwFbpQ0fVEyjav +CTt0fAUzcvFrKXm5FoykjRiGJLHGe/QzsojXqVuOsCqXx1B+yhqtr6oKhofhFj35 +u0uiEJNShGZLGPTUqqA+gv1DK3JEw3H4wV/FpS/o/Z1JtQUmFLjI1mc322vjloQr +PLckuDAFbCkowICYcZnQU2Yk/UuVgEYxlWYCl/pqpnCHbr322fXH0AM= +=jwUc +-----END PGP MESSAGE----- diff --git a/open-vault.sh b/open-vault.sh deleted file mode 100755 index 9490484..0000000 --- a/open-vault.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -exec gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null diff --git a/vault-pass.gpg b/vault-pass.gpg deleted file mode 100644 index d333e16..0000000 --- a/vault-pass.gpg +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PGP MESSAGE----- - -hQIMA+Qd5U24qffPAQ//d9gulPUkndUq2aen6WpLeyNqmM0EQK+1Vc20e3sKAmQW -6W1TCt7BIWj13Lmv5D0capuyLXYKrWxGLPazIDcvd6UvBGjvfnCdSecZJDhzQVtH -ijurbkNjlfnzdVKv6pHRi3NA0/VXyKu4KlpaJxD56qWnB+y+OINESax7Nnbg0Crg -kwI+/7b56lElBY2e1HFFE71ARsgx9NGuGh3ZLem4qv3uzbdo7PygKijc1udfBmpO -3K94w3GSI0rahtGkU36JnbIXdqce8cEAtU13ThDXkIPcFtGy4o8B62G1EIB+MgzR -wWYUJrCx4mZ9k+5EIEO3zjn4wPcOwibVuuxhG+mWVjbtUo5I4EeGn/cklwJ9ERe0 -Q+WeEws4RYiItq0mk0vS+arNUmUqtL7/OCum8kZsqze4bQ9/95GlYNB71Q1GsWoN -kHeaqJw+koh3BrsQcw8CaUc/XVHXesl9A2feXtQnbd3FQtPSdVgWQ3Fq88XO/T3+ -Rmk+1QIrCg/4j6XGSHRMuHm3V6F/WyuvQOE/G9wZpdbmlJf9BVkCHjH6Iciuslp8 -kzh8YyV6bizghdBfD5AVcYCeLUPBRJ+Dn/PGxJ7HbpWK6t7J9MogFYfoOR0TbO2D -y03ksCF7tFW1QJfUkd5oCiN/+c/0iWqZ9T6qT71RdbaKRffWcTDJPsHSz4hQP9CF -AgwDsut2TczGUykBEACNYXA+eM6C9DARNPttNnqMGgOCpwYPLgAHPnv9iYC0KiWV -fgkE4683cVwOBWgp60i9oqXc6FsHtL1R3nxXmfjNxUBrvRRtqiAZgA0ksL2CC0BJ -1ePjBwkdS72YRdjBmn666Bg9wmZFyWbns9uLdfI6RdxQoWj0NwK6JIeebGu1HUvY -s1ZCWOjO6zn5uYayOxQKGTCTJjAe/ydPdP9MUxlenKWbloozwMtfTyIUh4A6dcSc -M+CzkO7gybsFyktWYQjF+1X/KgFYOfwyflm4amrDGxxi+Xsq0JUeuccvt48+X5J/ -KKuPmRmQqv+Tl0aIGrH+FHWRMcpWvRU+f+GUk3nAPYFgHOAM6IiNzi1T7ScQ+1li -VoSTShR+UDnL17kV5gxVrT4tYc8/2EO+dyrGeeAGoBobg1Juc4fRWJQsnoLIOIsq -5I7tX7rwIy5meMu314rYDoV0ZKXG76IgD+fH1tdOkElWhYfwWGU9Fo8cyPtFIFof -PJGkzgvCaPkEXzn/+dR2/4cKakDy1oZBNck6K6SkEv0Be0GrNQCFUP/3ztCK0dgR -KeOBu7FHiHn2tHB5yj92bbRvcQjZT0bNvLRilIlhuYvwKgPwGZCjyw5gKSTlKNDz -45/2CdzubAi0nRuAMxrJiSMGXs53L0oWPsjYaHUNmc8s1ftpxWsVMO5z2ntKjIUC -DAOvXK62loKnywEP/i2TbiZ7CbTU8IOuMWyfYOMAJ6WBIn+B9MmQ5DRVHejWCspW -UaPTIQy4jzCNyLjGKm5faSd8dICHxRVxoi/v6brSr8P8XMheooBbUWF+dylC9bFj -W4F4Np0X56I3itIvy3i5Ga7csgeMHJhQHEHP90cOv2Bm1K4L44SllN0/Us5sHmkN -67saPVFQRv+wgdU0dOCNoguI2vRw9hNkiRwdBvAZZWykuFBsjQIFYTo9GbFqYRha -XL2ZfIYRt6lf+k10dQkjGyvD1puMAZ7SFM0Y9RUFDN7dO94EIgDbqkhnWgQHiWj4 -zh2CErQ2x32xqjBtnAI55L0J8f8SW/AdkPPxweW7OTk6Ef3OVBLvAVrm0G+Jb+xn -BYjFSmC1F2qgjTXUFXrN+oCeXD9bMJKvHpjHawqZGiZqEFOlnxZIH63VfEWGmqa2 
-MbTZW31gCT8XWWG7bTcP7SPewZYANVG2M+wGiAz110yOFfKFLivspZZgyGbuR/4j -0K2Nqk71RZ5tGRIthy+G/p0TenMxZTGy5mGuRiZTTyxbyoN6WpopiMLoH/Nx6Sjd -PgLYDHkgkY3TooVMEKMBr2Ps/N6ZvbD4up4vUfRojssFT+wuoqOBan3NEuTL/OO0 -XGDB9RYsgnqWGa88Dw0t6byQcPU1hy5f5kQ4/qMnURbDLPnmZAK1RBGW0CNEhQIM -A5935MibhBNKAQ//QgAHUP1sq2zFWO1+aMDSCt2breoG6puE6SMAW908kAuXTzif -GPswr7P31qeGEOkBrXI3N/YItmuO+6bcG/KmIOxYXSuX0kgD/POVi2vNs3pMD5/e -74aiu5IgRF8aP3BpfngvSYNwJMnDB541sWkS4s6FY2ipYe75dxhuWJxPZhCKmH3B -TPH90qokZCVScLM9pOgCQ1J7xCkeGHvy6NkJ9k+LQVeD/JV1As4M88CNgQ1YDwXs -hGZuwUBNsjlGZlrWvUONouHwQ0leRuT6yy3QnpCv4yYAJ2icG4xlyY3Zvw0uFO+7 -y8FW6Dzb9SUqxNdw2kBvpbPdyAkJG7nIgVD+aosh+Zh6JrWwK1OrDVHu4gkhKn0z -dtcYSLSYRQfpbKcrwnR+Up3eFeIs9yJ0hoIanFbjNBeCpr8uXovhO8TQ4Cjj23bu -xiv1t/g9QLgbsqZ0pXZyp/I8wRxdQ8Hpb7f82Ygx4ySDbEz4YIsi2CbasQpRO01x -E6vRoh5Pl0VHD7yJKIp+dDRo555/pWMQF2lZuMj5pmlU7cTvg9+wwDljEftSkx8y -264bNK/ZZRtitkEQMs4Xc9OSTyLv5QNqeAP+pz9etVbaTApbNVc8mhzHrYIPih4e -4tLnRB8CdOG4r5FaF4tDm7yA257I1rE8COLbikxWtugfaLgrTHI628Z+UUPSvAFT -DqgwzEEINcDIuksyKhcaamDVVuwkvxjOIeID4pqtNwcfbzpcbWQfKGpA25BNqy4o -H6IDpj1EyCaPifbO1tVxH7n+Cs/Innyl0WYiuFPL/7a9fHeyhUo44xPSs5B3Iowm -VCmpLAhr5rHC60gccITT34VOQ9/l/1NItgI6dz5AxUXwzaadEINGwzqIYOK2bqFl -1eok+Pt8cFZP+FB3F8Nhz5V9xms08lDWf+8XDrgJfAkcuHF7hWV4/SB7 -=1RgH ------END PGP MESSAGE-----