Alex Harvey
2014-Apr-13 10:05 UTC
[Puppet Users] Hiera, version control & encrypted backends
Hi all, I'm pondering a design problem and would appreciate some advice: A reason for externalising data in Hiera is often said to be so that configuration data can be stored in a version control system, e.g. http://puppetlabs.com/blog/first-look-installing-and-using-hiera Meanwhile, the reason for using an encrypted Hiera backend is so that sensitive configuration data can be stored in Hiera, e.g. http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/ Thus, there is a catch: if data is too sensitive to be stored in an unencrypted Hiera backend, it is probably too sensitive to be stored in a version control system like git. I've seen people out there have considered encrypted version control systems, others have said sensitive configuration data shouldn't be stored at all, and so on - I can't find much discussion of the problem itself though. After thinking about it for a while, the best I could come up with was supposing there ought to be a way of partially encrypting the Hiera backend, and perhaps dealing with it using a separate level in the hierarchy. I note the Raziel project along these lines by Jens Bräuer: https://github.com/jbraeuer/raziel/ http://bit.ly/raziel-slides Is this more of an open problem or has the community come up with a best practice recommendation here? Kind regards, Alex -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/c13c06e9-8370-4dea-8210-13774da934ae%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.