Hello all,

I was wondering what the possibilities are for storing sensitive data in
hiera.
I read about hiera-gpg and its increase in catalog compile time, I also
read about puppet-decrypt.
What would you advise to use? Are there any other plans to support
sensitive data natively in hiera?

Best Regards,
Jo

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.


  • Jcbollinger at May 15, 2013 at 6:19 pm

    On Wednesday, May 15, 2013 4:46:45 AM UTC-5, jdt wrote:
    Hello all,

    I was wondering what the possibilities are for storing sensitive data in
    hiera.
    I read about hiera-gpg and its increase in catalog compile time, I also
    read about puppet-decrypt.
    What would you advise to use? Are there any other plans to support
    sensitive data natively in hiera?

    I think the use cases for encrypting puppet data are fewer and narrower
    than you suppose. In particular, it's nearly pointless to
    cryptographically protect anything when the decryption key is stored
    nearby. Such a juxtaposition of key and encrypted data will always be
    present on the master, because the master needs to decrypt the data.
    Anyone with sufficient access to the master to steal the encrypted data
    (from there) can also steal the key.

    In principle, it might make sense to encrypt data stored in some
    less-secure place, such as a version-control system accessible to
    unprivileged staff, but the question then arises whether it makes sense to
    put sensitive data in such a place at all, encryption or no. If you
    nevertheless do store data in such a place, however, then you could
    consider whole-file decryption, to be decrypted as part of the process of
    syncing the data with the master (where it will afterward reside as
    plaintext) instead of repeatedly and piecewise as part of reading the data
    into Puppet.

    Of course, if all you need to do is provide an *illusion* of security, and
    you're willing to sacrifice catalog compilation performance (and therefore
    server capacity) to do it, then go for it! In that case, puppet-decrypt
    likely performs better than hiera-gpg, especially in Puppet 3. If you
    wanted to, it probably wouldn't be too hard to build a hiera backend
    that used puppet-decrypt or something similar to encrypt just the values.
    That would be transparent to users, unlike canonical puppet-decrypt usage,
    and it would avoid the worst of the performance issues associated with the
    current version of hiera-gpg.


    John

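As an added illustration of the value-level approach John describes (this is example code, not code from the thread, from puppet-decrypt, or from hiera-gpg): a small Ruby module that decrypts only the values wrapped as ENC[...] in a hiera YAML document, using AES-256-GCM from Ruby's stdlib OpenSSL bindings, and passes every other value through untouched. The ENC[...] token layout, the module name, the key-file path and the permission check on it are all assumptions of this example; the sample data document is constructed inline so the script runs stand-alone.

```ruby
# Added example, not code from the thread: value-level decryption for
# hiera-style YAML data. Only values wrapped as ENC[...] are decrypted
# (AES-256-GCM via Ruby's OpenSSL bindings); everything else passes through.
# The ENC[...] token format, module name and key-file convention are
# assumptions of this example, not part of puppet-decrypt or hiera-gpg.
require 'openssl'
require 'yaml'
require 'base64'

module ValueCrypt
  PREFIX  = 'ENC['.freeze
  SUFFIX  = ']'.freeze
  IV_LEN  = 12   # GCM nonce length
  TAG_LEN = 16   # GCM authentication tag length

  # Read the 32-byte key from a root-only file on the master. As the reply
  # points out, anyone who can read both the key and the data gains nothing
  # from the encryption, so refuse a key file that is group/world readable.
  def self.load_key(path)
    raise "#{path} must be mode 0600 or stricter" unless (File.stat(path).mode & 0o077).zero?
    key = File.binread(path)
    raise 'key must be exactly 32 bytes' unless key.bytesize == 32
    key
  end

  # Encrypt one value. Token layout: ENC[base64(iv || tag || ciphertext)].
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv            # fresh 12-byte nonce per value
    cipher.auth_data = ''
    ct = (plaintext.empty? ? '' : cipher.update(plaintext)) + cipher.final
    "#{PREFIX}#{Base64.strict_encode64(iv + cipher.auth_tag + ct)}#{SUFFIX}"
  end

  def self.encrypted?(value)
    value.is_a?(String) && value.start_with?(PREFIX) && value.end_with?(SUFFIX)
  end

  # Decrypt one token. A modified ciphertext, tag or nonce fails the GCM tag
  # check and raises OpenSSL::Cipher::CipherError instead of returning garbage.
  def self.decrypt(token, key)
    raw = Base64.strict_decode64(token[PREFIX.length...-SUFFIX.length])
    raise 'token too short' if raw.bytesize < IV_LEN + TAG_LEN
    iv  = raw.byteslice(0, IV_LEN)
    tag = raw.byteslice(IV_LEN, TAG_LEN)
    ct  = raw.byteslice(IV_LEN + TAG_LEN, raw.bytesize)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    (ct.empty? ? '' : cipher.update(ct)) + cipher.final
  end

  # Walk parsed hiera data and decrypt only the ENC[...] leaves, so plain
  # values cost nothing extra at lookup time.
  def self.resolve(data, key)
    case data
    when Hash  then data.each_with_object({}) { |(k, v), h| h[k] = resolve(v, key) }
    when Array then data.map { |v| resolve(v, key) }
    else encrypted?(data) ? decrypt(data, key) : data
    end
  end

  # Hiera-style lookup of one top-level key in a YAML document string.
  def self.lookup(key_name, yaml_text, key)
    resolve(YAML.safe_load(yaml_text), key)[key_name]
  end
end

if $PROGRAM_NAME == __FILE__
  # Stand-in for load_key('/etc/puppet/keys/hiera.key') (hypothetical path).
  key = OpenSSL::Random.random_bytes(32)
  # Constructed sample data file, as it might sit in hieradata/common.yaml.
  data = "db_host: db.example.internal\n" \
         "db_password: \"#{ValueCrypt.encrypt('s3cret', key)}\"\n"
  puts data
  puts "db_password -> #{ValueCrypt.lookup('db_password', data, key)}"
end
```

The design mirrors the point made in the reply: encrypting only the sensitive leaves keeps the rest of the lookup as cheap as a plain YAML backend, and the authenticated mode means a value altered in version control is rejected at lookup rather than silently applied. It does not change the underlying caveat that the key must still be readable by the master, so the key file check is a floor on hygiene, not a substitute for restricting access to the master itself.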

Discussion overview: group puppet-users, category puppet, posted May 15, '13 at 1:58p, last active May 15, '13 at 6:19p, 2 posts, 2 users (Jcbollinger: 1 post, Jdt: 1 post), website puppetlabs.com.