Thank you! On Nov 20, 2013, at 9:02 PM, jcbollinger <[email protected]> wrote:
> On Wednesday, November 20, 2013 12:06:35 AM UTC-6, Rich Burroughs wrote:
> > You can use hiera gpg for ssh keys too.
> >
> > See this example:
> >
> > https://groups.google.com/d/msg/puppet-users/jHcuKQXT9cQ/g23Lmf4e6b8J
>
> But you would be unwise to do that in conjunction with Puppet 3, unless you fall into one of a small number of special cases. If you add the hiera-gpg back end to your hiera configuration then the encrypted file will be decrypted once for each class parameter that is neither explicitly assigned a value nor resolved in a higher-priority back end. Decrypting the file is very expensive, and if you do it many times then you will see a very noticeable impact on catalog compilation performance. There have been reports on this group of such decryption adding several minutes of compilation time for catalogs that otherwise take a few seconds.
>
> That decryption overhead will not affect you if you use few (or no) parameterized classes (watch out for third-party modules!), if you take care to assign values to all class parameters of every declared class (again, beware third-party modules here), or if you are using Puppet 2 rather than Puppet 3.
>
> You should consider whether it really makes sense to encrypt at all, vs. simply securing the master against unauthorized users. If you encrypt then you must record the plaintext decryption key somewhere that the master can read it, and if you hypothesize an assailant that is savvy enough to track down sensitive information in your Puppet configs then you should assume that that assailant can also find the decryption key. In fact, such an assailant must also break your access controls to reach the sensitive information, meaning that they must have gained root access to your server before encryption is even a factor. If an assailant gains root then it's already game over.
>
> John
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/59d9ed61-8fb3-4b51-bf1d-5d96feab83d8%40googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
