<opinion>
 
I'll just add... yes, hiera-eyaml is the generally accepted "puppet 
community" way of encrypting data in hiera. BUT, puppet in general is not 
ideal for secret storage at this time. E.g. the benefit of hiera eyaml is 
that people can contribute encrypted values via the public key, to a git 
repo, without having the private key to decrypt. It doesn't offer you any 
particularly special security on the puppet master, since by definition the 
master is going to have a copy of the private key so that it can decrypt 
data, and it's going to be plaintext in the catalog regardless (which ends 
up cached on the agent node...)

Not to mention storing credentials in YAML is inherently a duplication of 
that information (vs whatever spreadsheet/lastpass/1pass type thing you 
use), and if you do enough of it, things are going to get out of sync 
between hiera and reality no matter how hard you try.

Ideally you'd use some sort of API-based credential storage so that nodes 
can retrieve their credentials ad-hoc.

HashiCorp Vault is one example: https://www.vaultproject.io/
Conveniently, there's a hiera backend for 
it: https://github.com/jsok/hiera-vault
Ideally there'd be some sort of node-side retrieval so that the credentials 
don't end up in the catalog, but that's an exercise left to the reader.
</opinion>

On Friday, July 8, 2016 at 6:29:31 AM UTC-7, dkoleary wrote:
>
> Hey;
>
> I've come to the point where I need to encrypt a password in hiera data. 
>  After trying (and failing) the recipe in the puppet cookbook, I hit the 
> google searches and very quickly came across hiera eyaml.  
>
> So, short question: is hiera.eyaml the generally accepted method of 
> encrypting data for use in modules?
>
> Just trying to avoid going down the wrong path again...
>
> Thanks
>
> Doug O'Leary
>
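The point above, that whatever hiera-eyaml decrypts on the master lands in the compiled catalog as plaintext and is then cached by the agent, can be checked by scanning that cached catalog. This is an added example, not code from the thread, from Puppet or from hiera-eyaml; it assumes the agent's JSON catalog layout (a top-level "resources" list of objects with "type", "title" and "parameters") and a Puppet 4+ cache path, and the sample catalog and parameter-name patterns are constructed.

```python
"""Scan a cached Puppet agent catalog for parameters that look like credentials."""
import json
import re
import sys

# Parameter names that commonly carry credentials (assumption: extend for your site).
SECRET_NAME_RE = re.compile(r"(pass(word)?|secret|token|api_?key|private_?key)", re.I)

# Constructed sample resembling a catalog compiled from eyaml-backed hiera data.
SAMPLE_CATALOG = json.dumps({
    "name": "web01.example.test",
    "resources": [
        {"type": "User", "title": "deploy",
         "parameters": {"ensure": "present", "password": "$6$saltsalt$hashhash"}},
        {"type": "File", "title": "/etc/app/db.yml",
         "parameters": {"ensure": "file", "mode": "0600",
                        "content": "db_password: hunter2\n"}},
        {"type": "Service", "title": "nginx",
         "parameters": {"ensure": "running"}},
    ],
})


def find_secret_params(catalog_json):
    """Return (type, title, parameter) triples for parameters whose name looks
    like a credential, plus string 'content' parameters that embed one."""
    hits = []
    for res in json.loads(catalog_json).get("resources", []):
        for name, value in res.get("parameters", {}).items():
            if SECRET_NAME_RE.search(name) or (
                name == "content" and isinstance(value, str) and SECRET_NAME_RE.search(value)
            ):
                hits.append((res["type"], res["title"], name))
    return hits


if __name__ == "__main__":
    # Assumed default cache location for a Puppet 4+ agent; pass another path to override.
    default = "/opt/puppetlabs/puppet/cache/client_data/catalog/web01.example.test.json"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    try:
        with open(path) as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_CATALOG  # fall back to the constructed sample above
    for rtype, title, param in find_secret_params(data):
        print(f"{rtype}[{title}] parameter '{param}' holds credential-like plaintext")
```

Run it on a real node's cached catalog (with a path argument) to see which resources would expose a secret to anyone who can read the agent's cache directory.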
