FAQ
Hi People,

I have a quick question, which hopefully you will have an answer to.

I am slowly moving towards puppet and git with multiple branches for
different environments. Things are going pretty well, but now I have a
small issue. The question is where should I store sensitive files, for
instance SSL private keys or some files which contain sensitive data?

I am aware of hiera-gpg storage backend, but that is more suitable for
storing plain text strings rather than actual files - correct me if I am
wrong?

I am looking forward to hear your opinion on this subject.

Thanks in advance.


-- Vaidas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/DjQqqdK2NJ4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Aaron Grewell at Oct 1, 2012 at 5:48 pm
    We use hiera-gpg for ours. Files containing sensitive information are
    converted into templates so that only the necessary strings are included in
    gpg. If we really needed to distribute full files I would probably build a
    separate directory tree backed by its own repository for this. It's just
    never been necessary for us.
    On Oct 1, 2012 6:47 AM, "Vaidas Jablonskis" wrote:

    Hi People,

    I have a quick question, which hopefully you will have an answer to.

    I am slowly moving towards puppet and git with multiple branches for
    different environments. Things are going pretty well, but now I have a
    small issue. The question is where should I store sensitive files, for
    instance SSL private keys or some files which contain sensitive data?
    I am aware of hiera-gpg storage backend, but that is more suitable for
    storing plain text strings rather than actual files - correct me if I am
    wrong?
    I am looking forward to hear your opinion on this subject.

    Thanks in advance.


    -- Vaidas

    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.
    To view this discussion on the web visit
    https://groups.google.com/d/msg/puppet-users/-/DjQqqdK2NJ4J.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at
    http://groups.google.com/group/puppet-users?hl=en.

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Derek Olsen at Oct 1, 2012 at 7:33 pm
    We use hiera-gpg for file type sensitive information as well. For
    sensitive information which is actually a file (ssh private keys) we
    moved that into hiera-gpg and just set the yaml markup accordingly so
    the information could be used to populate the file in question in the
    correct format.

    For example this is what a private key looks like in yaml. The "|"
    and leading indentation keeps the content in the same format as it
    passes through the hands of the different villagers on the way to it's
    home in the id_dsa file.

    professor_plumbs_private_key: |
    -----BEGIN DSA PRIVATE KEY-----
    GOODSTUFFHERE
    THEGOODSTUFFCONTINUES
    -----END DSA PRIVATE KEY-----

    Then to create the key file. (Hiera call done as part of class param)

    file { "/blah/blah/.ssh/id_dsa":
    content => $professor_plumbs_private_key;
    }


    I'm sure the same approach could be taken for ssl keys. However we
    have been wielding the hiera hammer pretty hard and had to stop short
    of using it in place of DNS so you may not like this approach;)

    HTH.


    On Oct 1, 10:40 am, Aaron Grewell wrote:
    We use hiera-gpg for ours. Files containing sensitive information are
    converted into templates so that only the necessary strings are included in
    gpg.  If we really needed to distribute full files I would probably build a
    separate directory tree backed by its own repository for this. It's just
    never been necessary for us.
    On Oct 1, 2012 6:47 AM, "Vaidas Jablonskis" wrote:

    Hi People,
    I have a quick question, which hopefully you will have an answer to.
    I am slowly moving towards puppet and git with multiple branches for
    different environments. Things are going pretty well, but now I have a
    small issue. The question is where should I store sensitive files, for
    instance SSL private keys or some files which contain sensitive data?
    I am aware of hiera-gpg storage backend, but that is more suitable for
    storing plain text strings rather than actual files - correct me if I am
    wrong?
    I am looking forward to hear your opinion on this subject.
    Thanks in advance.
    -- Vaidas
    --
    You received this message because you are subscribed to the Google Groups
    "Puppet Users" group.> To view this discussion on the web visit

    https://groups.google.com/d/msg/puppet-users/-/DjQqqdK2NJ4J.> To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to
    puppet-users+unsubscribe@googlegroups.com.> For more options, visit this group at

    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Vaidas Jablonskis at Oct 1, 2012 at 8:24 pm
    Great stuff. I have a better idea now. Thanks for that guys.
    On Monday, 1 October 2012 20:33:57 UTC+1, Derek Olsen wrote:

    We use hiera-gpg for file type sensitive information as well. For
    sensitive information which is actually a file (ssh private keys) we
    moved that into hiera-gpg and just set the yaml markup accordingly so
    the information could be used to populate the file in question in the
    correct format.

    For example this is what a private key looks like in yaml. The "|"
    and leading indentation keeps the content in the same format as it
    passes through the hands of the different villagers on the way to it's
    home in the id_dsa file.

    professor_plumbs_private_key: |
    -----BEGIN DSA PRIVATE KEY-----
    GOODSTUFFHERE
    THEGOODSTUFFCONTINUES
    -----END DSA PRIVATE KEY-----

    Then to create the key file. (Hiera call done as part of class param)

    file { "/blah/blah/.ssh/id_dsa":
    content => $professor_plumbs_private_key;
    }


    I'm sure the same approach could be taken for ssl keys. However we
    have been wielding the hiera hammer pretty hard and had to stop short
    of using it in place of DNS so you may not like this approach;)

    HTH.


    On Oct 1, 10:40 am, Aaron Grewell wrote:
    We use hiera-gpg for ours. Files containing sensitive information are
    converted into templates so that only the necessary strings are included in
    gpg. If we really needed to distribute full files I would probably build a
    separate directory tree backed by its own repository for this. It's just
    never been necessary for us.
    On Oct 1, 2012 6:47 AM, "Vaidas Jablonskis" wrote:

    Hi People,
    I have a quick question, which hopefully you will have an answer to.
    I am slowly moving towards puppet and git with multiple branches for
    different environments. Things are going pretty well, but now I have a
    small issue. The question is where should I store sensitive files, for
    instance SSL private keys or some files which contain sensitive data?
    I am aware of hiera-gpg storage backend, but that is more suitable for
    storing plain text strings rather than actual files - correct me if I am
    wrong?
    I am looking forward to hear your opinion on this subject.
    Thanks in advance.
    -- Vaidas
    --
    You received this message because you are subscribed to the Google
    Groups
    "Puppet Users" group.> To view this discussion on the web visit

    https://groups.google.com/d/msg/puppet-users/-/DjQqqdK2NJ4J.> To post
    to this group, send email to puppet...@googlegroups.com <javascript:>.
    To unsubscribe from this group, send email to
    puppet-users...@googlegroups.com <javascript:>.> For more options,
    visit this group at
    http://groups.google.com/group/puppet-users?hl=en.
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/ID3-P5dinc4J.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedOct 1, '12 at 1:47p
activeOct 1, '12 at 8:24p
posts4
users3
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase