On Wednesday, May 15, 2013 4:46:45 AM UTC-5, jdt wrote:
>
> Hello all,
>
> I was wondering what the possibilities are for storing sensitive data in
> hiera.
> I read about hiera-gpg and its increase in catalog compile time, I also
> read about puppet-decrypt.
> What would you advise to use? Are there any other plans to support
> sensitive data natively in hiera?
>

I think the use cases for encrypting puppet data are fewer and narrower than you suppose. In particular, it's nearly pointless to cryptographically protect anything when the decryption key is stored nearby. Such a juxtaposition of key and encrypted data will always be present on the master, because the master needs to decrypt the data. Anyone with sufficient access to the master to steal the encrypted data (from there) can also steal the key.
In principle, it might make sense to encrypt data stored in some less-secure place, such as a version-control system accessible to unprivileged staff, but the question then arises whether it makes sense to put sensitive data in such a place at all, encryption or no. If you nevertheless do store data in such a place, however, then you could consider whole-file decryption, to be decrypted as part of the process of syncing the data with the master (where it will afterward reside as plaintext) instead of repeatedly and piecewise as part of reading the data into Puppet.

Of course, if all you need to do is provide an *illusion* of security, and you're willing to sacrifice catalog compilation performance (and therefore server capacity) to do it, then go for it! In that case, puppet-decrypt likely performs better than hiera-gpg, especially in Puppet 3. If you wanted to do so, it probably wouldn't be too hard to build a hiera backend that used puppet-decrypt or something similar to encrypt just the values. That would be transparent to users, unlike canonical puppet-decrypt usage, and it would avoid the worst of the performance issues associated with the current version of hiera-gpg.

John
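Added example, not code from John's reply nor from hiera-gpg or puppet-decrypt: a plain-Ruby sketch of the value-level approach he describes, where only the values marked `ENC[...]` in a Hiera-style YAML datasource are ciphertext (AES-256-GCM from Ruby's stdlib OpenSSL) and a lookup decrypts them transparently. The `ValueCrypt` module, the sample key and the YAML data are all constructed for this example; it shows the per-lookup decryption cost and the fact that the key still has to sit beside the data wherever lookups run.

```ruby
require 'openssl'
require 'yaml'
require 'base64'

# Constructed module: per-value encryption for Hiera-style YAML data.
# Only values wrapped as ENC[...] are ciphertext; plain values stay plain.
module ValueCrypt
  PREFIX = 'ENC['
  SUFFIX = ']'

  # Encrypt one scalar: ENC[base64(iv || tag || ciphertext)], AES-256-GCM.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv          # fresh 12-byte IV per value
    cipher.auth_data = ''
    ct = cipher.update(plaintext) + cipher.final
    PREFIX + Base64.strict_encode64(iv + cipher.auth_tag + ct) + SUFFIX
  end

  def self.encrypted?(value)
    value.is_a?(String) && value.start_with?(PREFIX) && value.end_with?(SUFFIX)
  end

  # Decrypt one ENC[...] value; the GCM tag check raises CipherError on tampering.
  def self.decrypt(value, key)
    raw = Base64.strict_decode64(value[PREFIX.size...-SUFFIX.size])
    iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    cipher.update(ct) + cipher.final
  end

  # Transparent lookup, as a value-level hiera backend would do per key:
  # decrypt only if the stored value is marked, otherwise return it as-is.
  def self.lookup(data, key_name, key)
    value = data[key_name]
    encrypted?(value) ? decrypt(value, key) : value
  end
end

# Constructed sample: the 32-byte key that would live on the master, and a
# YAML datasource mixing one plaintext and one encrypted value.
SAMPLE_KEY = OpenSSL::Digest::SHA256.digest('constructed-demo-key')
SAMPLE_YAML = YAML.safe_load(<<~YAML)
  ntp_server: pool.ntp.org
  db_password: "#{ValueCrypt.encrypt('s3cret', SAMPLE_KEY)}"
YAML
```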