On Wednesday, May 15, 2013 4:46:45 AM UTC-5, jdt wrote:
> I was wondering what the possibilities are for storing sensitive data in
> I read about hiera-gpg and its increase in catalog compile time, I also
> read about puppet-decrypt.
> What would you advise to use? Are there any other plans to support
> sensitive data natively in hiera?

I think the use cases for encrypting puppet data are fewer and narrower
than you suppose. In particular, it's nearly pointless to
cryptographically protect anything when the decryption key is stored
nearby. Such a juxtaposition of key and encrypted data will always be
present on the master, because the master needs to decrypt the data.
Anyone with sufficient access to the master to steal the encrypted data
(from there) can also steal the key.

In principle, it might make sense to encrypt data stored in some
less-secure place, such as a version-control system accessible to
unprivileged staff, but the question then arises whether it makes sense to
put sensitive data in such a place at all, encryption or no. If you
nevertheless do store data in such a place, however, then you could
consider whole-file decryption, to be decrypted as part of the process of
syncing the data with the master (where it will afterward reside as
plaintext) instead of repeatedly and piecewise as part of reading the data

Of course, if all you need to do is provide an *illusion* of security, and
you're willing to sacrifice catalog compilation performance (and therefore
server capacity) to do it, then go for it! In that case, puppet-decrypt
likely performs better than hiera-gpg, especially in Puppet 3. If you
wanted to do so, it probably wouldn't be too hard to build an hiera backend
that used puppet-decrypt or something similar to encrypt just the values.
That would be transparent to users, unlike canonical puppet-decrypt usage,
and it would avoid the worst of the performance issues associated with the
current version of hiera-gpg.
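The whole-file, sync-time decryption the reply suggests, as an added example that is not part of the thread: a small Python helper (the gpg command line, the file names and the hieradata destination are assumptions) that decrypts an encrypted hieradata file once during the sync and installs the plaintext on the master with restrictive permissions, so nothing is decrypted piecewise at catalog compile time.

```python
"""Sync-time whole-file decryption of a hieradata file (added example).

Assumptions, not taken from the thread: the file was encrypted with gpg,
the master's keyring can decrypt it, and the destination directory is the
master's private hieradata directory (mode 0750 or stricter).
"""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumed decrypt command; decrypt_cmd is a parameter so the same file
# handling can be exercised with any stdin-to-stdout filter.
GPG_DECRYPT = ["gpg", "--batch", "--quiet", "--decrypt"]


def dir_is_private(path):
    """True unless 'other' users can read the directory (or it is missing)."""
    try:
        return not (stat.S_IMODE(Path(path).stat().st_mode) & stat.S_IROTH)
    except FileNotFoundError:
        return False


def decrypt_to_hieradata(enc_path, dest_path, decrypt_cmd=GPG_DECRYPT,
                         mode=0o640):
    """Decrypt enc_path once and atomically install plaintext at dest_path."""
    enc_path, dest_path = Path(enc_path), Path(dest_path)
    dest_dir = dest_path.parent
    # Never place plaintext where every local account could read it.
    if not dir_is_private(dest_dir):
        raise PermissionError(f"{dest_dir} is missing or world-readable")
    # Temp file lives in dest_dir (mode 0600), not beside the encrypted
    # source, so the plaintext never appears in the synced checkout.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".hiera-")
    try:
        with open(enc_path, "rb") as src, os.fdopen(fd, "wb") as out:
            subprocess.run(decrypt_cmd, stdin=src, stdout=out, check=True)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, dest_path)  # readers see old or new file, never half
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise
    return dest_path
```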