On Monday, April 14, 2014 6:41:34 AM UTC-5, Alex Harvey wrote:
>
> I was thinking about a situation like this -
>
> *) Puppet designer decides to place all credentials in a single database 
> (encrypted Hiera).
> *) developers clone the version controlled copy of it all over the place, 
> e.g. to their laptops, that random box that everyone logs into.
> *) version controlled copy then potentially sits next to copies of the 
> keys used to decipher it.
> *) some lazy developer decides not to use a passphrase in his key.
> *) laptop then gets hacked, lost or stolen, etc.
>
> Perhaps I'm being paranoid?
>
>

Whether you are being paranoid depends on the nature of your security 
requirements.  Anyway, the particular scenario you raise does not present 
an issue localized in hiera or git, but rather an issue involving several 
pieces of your technology stack plus aspects of institutional and 
individual behavior.

The ultimate questions in security all revolve around trust: whom do you 
trust, about what, to what extent, and under what circumstances?  If you 
cannot trust developers to practice appropriate security measures -- as 
defined by you -- then you should not entrust them with data that need to 
be secured.  If your trust is limited to specific data access mechanisms or 
locations then those are the limits you should enforce.

Therefore, I think perhaps you are approaching the problem backward.  
Instead of approaching the problem from the perspective of what might 
happen under various choices of infrastructure and policy, I think you 
should start with the security environment and policy you want, and then 
ask how best to get there.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/5b21af09-17ba-43b8-81d1-4b4a67ea8c45%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
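The scenario Alex sketches above (eyaml ciphertext cloned everywhere, the decrypting key sitting in the same checkout, and that key saved without a passphrase) is easy to audit for mechanically. The script below is an added example, not code from this thread or from hiera-eyaml: it walks a checkout, flags files containing hiera-eyaml `ENC[PKCS7,...]` values, flags PEM private keys, and distinguishes passphrase-protected keys (PKCS#8 `ENCRYPTED PRIVATE KEY` or legacy PEM with a `Proc-Type: 4,ENCRYPTED` header) from plaintext ones. The `ENC[PKCS7,...]` value format and the default key file name `private_key.pkcs7.pem` are hiera-eyaml's own; the directory layout, the YAML content and the key bodies are a constructed fixture, not real secrets, and the function names are my own.

```ruby
#!/usr/bin/env ruby
# Added example for the scenario in the thread (not code from the original
# post or from hiera-eyaml): walk a checkout and report whether hiera-eyaml
# ciphertext and the private key that decrypts it sit side by side, and
# whether that key is stored without a passphrase.
require 'find'
require 'fileutils'
require 'tmpdir'

# Real hiera-eyaml value format: ENC[PKCS7,<base64>] (may span lines in YAML).
EYAML_VALUE_RE = /ENC\[PKCS7,[A-Za-z0-9+\/=\s]+\]/

# Classify a PEM blob: :plaintext for a private key with no passphrase,
# :encrypted for a passphrase-protected one (PKCS#8 "ENCRYPTED PRIVATE KEY"
# or legacy PEM carrying a "Proc-Type: 4,ENCRYPTED" header), nil otherwise.
def classify_key(text)
  return nil unless text.include?('PRIVATE KEY-----')
  protected_key = text.include?('-----BEGIN ENCRYPTED PRIVATE KEY-----') ||
                  text.match?(/^Proc-Type: 4,ENCRYPTED/)
  protected_key ? :encrypted : :plaintext
end

# Walk +root+ and collect relative paths of files holding eyaml ciphertext,
# plaintext private keys and passphrase-protected private keys.
def audit_tree(root)
  found = { ciphertext: [], plaintext_keys: [], encrypted_keys: [] }
  Find.find(root) do |path|
    Find.prune if File.basename(path) == '.git' # skip the object store
    next unless File.file?(path)
    begin
      text = File.binread(path)
    rescue SystemCallError
      next
    end
    rel = path.delete_prefix(root).delete_prefix('/')
    found[:ciphertext] << rel if text.match?(EYAML_VALUE_RE)
    case classify_key(text)
    when :plaintext then found[:plaintext_keys] << rel
    when :encrypted then found[:encrypted_keys] << rel
    end
  end
  found.transform_values(&:sort)
end

# Map the findings to the threat in the thread: the ciphertext is only as
# safe as the key stored next to it, and a passphrase-less key is the worst case.
def risk_level(found)
  data = !found[:ciphertext].empty?
  if data && !found[:plaintext_keys].empty?
    :ciphertext_next_to_unprotected_key
  elsif !found[:plaintext_keys].empty?
    :unprotected_key_present
  elsif data && !found[:encrypted_keys].empty?
    :ciphertext_next_to_protected_key
  else
    :ok
  end
end

# Constructed fixture (not a real key, not real ciphertext): the layout from
# the thread, with the key in hiera-eyaml's default file name.
def build_sample_checkout(root, passphrase_protected: false)
  FileUtils.mkdir_p(File.join(root, 'hieradata'))
  FileUtils.mkdir_p(File.join(root, 'keys'))
  File.write(File.join(root, 'hieradata', 'common.eyaml'), <<~YAML)
    ---
    db_password: ENC[PKCS7,Q09OU1RSVUNURUQgQ0lQSEVSVEVYVCBGSVhUVVJF]
  YAML
  body = "Q09OU1RSVUNURUQgRklYVFVSRSwgTk9UIEEgUkVBTCBLRVk=\n"
  header = passphrase_protected ? "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n" : ''
  key = "-----BEGIN RSA PRIVATE KEY-----\n#{header}#{body}-----END RSA PRIVATE KEY-----\n"
  File.write(File.join(root, 'keys', 'private_key.pkcs7.pem'), key)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir('checkout') do |dir|
    build_sample_checkout(dir)
    found = audit_tree(dir)
    puts "ciphertext in:       #{found[:ciphertext].join(', ')}"
    puts "unprotected keys in: #{found[:plaintext_keys].join(', ')}"
    puts "risk: #{risk_level(found)}"
  end
end
```

Run it against a real clone by replacing the fixture with the checkout path; a `:ciphertext_next_to_unprotected_key` result is exactly the laptop-theft case in the thread, and the obvious policy hook is to run the same walk as a pre-commit or CI check so the key never lands in the repository in the first place.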
