Feat: docs: secrets: tpc: on hashed passphrases

diff --git a/docs/tpc.md b/docs/tpc.md
index 96140a95b30f8af6ce23d45a1f34d35f6a8f47d8..5266b83f8e452b1e25b1b7f5f054521ac1cfc64b 100644 (file)
--- a/docs/tpc.md
+++ b/docs/tpc.md
@@ -66,14 +66,21 @@ If you already have the secret somewhere, you can use a construction like this
 which already adds the eyaml block into the hiera config file:
 
     keyringer $HYDA decrypt /path/to/some/secret | \
-      hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::password >> \
+      hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::password >> \
       $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
 
 You can also ensure a fresh random passphrase is used, using your favourite
 generator like this:
 
     head -c ${1:-20} /dev/urandom | base64 | \
-      hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --sdtin -l some::random:password >> \
+      hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
+      $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
+
+For `passwd(5)` and `shadow(5)` hashed passphrases, use something like this:
+
+    head -c ${1:-20} /dev/urandom | base64 | \
+    mkpasswd -m sha-512 --stdin | \
+      hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
       $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
 
 [hiera-yaml]: https://github.com/voxpupuli/hiera-eyaml