We use hiera-eyaml... This lets us selectively encrypt keys (passwords) and let everything else remain plaintext.
We use git and have very little concern as long as we keep our private key secure. We also publish our public key so others can encrypt sensitive data themselves. Because we have several teams that have ownership over various pieces of sensitive information this makes managing secrets 'easy'.

On Apr 13, 2014 4:05 AM, "Alex Harvey" <alexharv...@gmail.com> wrote:

> Hi all,
>
> I'm pondering a design problem and would appreciate some advice:
>
> A reason for externalising data in Hiera is often said to be so that configuration data can be stored in a version control system, e.g.
> http://puppetlabs.com/blog/first-look-installing-and-using-hiera
>
> Meanwhile, the reason for using an encrypted Hiera backend is so that sensitive configuration data can be stored in Hiera, e.g.
>
> http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/
>
> Thus, there is a catch: if data is too sensitive to be stored in an unencrypted Hiera backend, it is probably too sensitive to be stored in a version control system like git.
>
> I've seen people out there have considered encrypted version control systems, others have said sensitive configuration data shouldn't be stored at all, and so on - I can't find much discussion of the problem itself though.
>
> After thinking about it for a while, the best I could come up with was supposing there ought to be a way of partially encrypting the Hiera backend, and perhaps dealing with it using a separate level in the hierarchy.
>
> I note the Raziel project along these lines by Jens Bräuer:
> https://github.com/jbraeuer/raziel/
> http://bit.ly/raziel-slides
>
> Is this more of an open problem or has the community come up with a best practice recommendation here?
>
> Kind regards,
> Alex
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/c13c06e9-8370-4dea-8210-13774da934ae%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
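The reply above describes the hiera-eyaml approach: only the sensitive keys in a Hiera YAML file are encrypted (hiera-eyaml stores them as `ENC[PKCS7,...]` blocks) and the rest stays plaintext in git. The risk with selective encryption is that a contributor forgets to encrypt one value and commits a plaintext password. The following Ruby script is an added example, not code from either message in this thread nor from hiera-eyaml itself: it walks a Hiera YAML document and reports any sensitive-looking key whose value is not an `ENC[...]` block, so it can run as a git pre-commit check. The key-name pattern, the sample YAML and the placeholder ciphertext are all constructed for the example.

```ruby
# Added example (not from the thread or from hiera-eyaml): a pre-commit style
# check that flags sensitive Hiera keys whose values were left in plaintext.
require 'yaml'

# Key names that are expected to carry encrypted values. This pattern is an
# assumption for the example; adjust it to the naming conventions in use.
SENSITIVE_KEY = /(password|passwd|secret|token|private_key|api_key)/i

# hiera-eyaml wraps ciphertext as ENC[<method>,<base64>]; a folded YAML scalar
# may introduce whitespace inside the base64 part, so allow it.
ENCRYPTED_VALUE = %r{\AENC\[[A-Za-z0-9_]+,[A-Za-z0-9+/=\s]+\]\z}

# True when a scalar value is an ENC[...] block.
def encrypted?(value)
  value.is_a?(String) && value.strip.match?(ENCRYPTED_VALUE)
end

# Recursively walk hashes and arrays; return dotted paths of sensitive keys
# whose scalar value is not encrypted.
def find_plaintext_secrets(node, path = [])
  case node
  when Hash
    node.flat_map do |key, value|
      key_path = path + [key.to_s]
      if key.to_s =~ SENSITIVE_KEY && !value.is_a?(Hash) && !value.is_a?(Array)
        encrypted?(value) ? [] : [key_path.join('.')]
      else
        find_plaintext_secrets(value, key_path)
      end
    end
  when Array
    node.each_with_index.flat_map do |value, index|
      find_plaintext_secrets(value, path + [index.to_s])
    end
  else
    []
  end
end

# Parse a Hiera YAML document and return the offending key paths.
def check_hiera_yaml(text)
  find_plaintext_secrets(YAML.safe_load(text))
end

# Constructed sample Hiera data. The ENC[...] payloads are placeholder text,
# not real PKCS7 ciphertext.
SAMPLE = <<~YAML
  ---
  ntp::servers:
    - 0.pool.ntp.org
  postgres::admin_password: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw]
  smtp::relay_password: hunter2
  app::api_key: >
    ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCC
    AXYCAQAxggEhMIIBHQIBADAFMAACAQEw]
  app::db:
    user: app
    password: supersecret
YAML

if __FILE__ == $PROGRAM_NAME
  offenders = check_hiera_yaml(SAMPLE)
  if offenders.empty?
    puts 'ok: every sensitive key is encrypted'
  else
    offenders.each { |key_path| warn "plaintext secret: #{key_path}" }
  end
end
```

Running the script against the constructed sample reports `smtp::relay_password` and `app::db.password`, while the two `ENC[...]` values (including the folded multi-line one) pass. Wired into a pre-commit hook over the Hiera data directory, a non-empty result should block the commit; the key-name pattern will produce some false positives (for example a `password_policy` key), which is the safer direction for this check.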