On Wednesday, May 15, 2013 4:46:45 AM UTC-5, jdt wrote:
> Hello all,
>
> I was wondering what the possibilities are for storing sensitive data in
> hiera.
> I read about hiera-gpg and its increase in catalog compile time. I also
> read about puppet-decrypt.
> What would you advise to use? Are there any other plans to support
> sensitive data natively in hiera?
>
I think the use cases for encrypting puppet data are fewer and narrower
than you suppose. In particular, it's nearly pointless to
cryptographically protect anything when the decryption key is stored
nearby. Such a juxtaposition of key and encrypted data will always be
present on the master, because the master needs to decrypt the data.
Anyone with sufficient access to the master to steal the encrypted data
(from there) can also steal the key.
In principle, it might make sense to encrypt data stored in some
less-secure place, such as a version-control system accessible to
unprivileged staff, but the question then arises whether it makes sense to
put sensitive data in such a place at all, encryption or no. If you
nevertheless do store data in such a place, however, then you could
consider whole-file decryption, to be decrypted as part of the process of
syncing the data with the master (where it will afterward reside as
plaintext) instead of repeatedly and piecewise as part of reading the data
into Puppet.
Of course, if all you need to do is provide an *illusion* of security, and
you're willing to sacrifice catalog compilation performance (and therefore
server capacity) to do it, then go for it! In that case, puppet-decrypt
likely performs better than hiera-gpg, especially in Puppet 3. If you
wanted to do so, it probably wouldn't be too hard to build a hiera backend
that used puppet-decrypt or something similar to encrypt just the values.
That would be transparent to users, unlike canonical puppet-decrypt usage,
and it would avoid the worst of the performance issues associated with the
current version of hiera-gpg.
John
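As an added illustration of the value-only decrypting backend John sketches above, here is a small Ruby model written for this page. It is not code from hiera-gpg, puppet-decrypt or the Puppet project. The `ENC[AESGCM,...]` marker format, the `ValueDecryptingBackend` class and the in-memory `sources` hash are assumptions of the example; the `lookup` signature is modelled on the Hiera 1.x backend interface but the class does not register with real Hiera. Plain values pass through untouched, only marked values are decrypted, and each decrypted value is cached so the cost is paid once per process rather than on every lookup.

```ruby
require 'openssl'
require 'base64'

# Marker format for encrypted values inside otherwise plain data.
# Assumption of this example, not hiera-gpg's or puppet-decrypt's format.
ENC_PREFIX = 'ENC[AESGCM,'.freeze
ENC_SUFFIX = ']'.freeze
IV_LEN  = 12  # nonce length OpenSSL uses for aes-256-gcm
TAG_LEN = 16  # GCM authentication tag length

# Encrypt one value with AES-256-GCM; the returned marker is what goes into the data file.
def encrypt_value(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv            # fresh random nonce per value; reuse would break GCM
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  "#{ENC_PREFIX}#{Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)}#{ENC_SUFFIX}"
end

def encrypted_value?(value)
  value.is_a?(String) && value.start_with?(ENC_PREFIX) && value.end_with?(ENC_SUFFIX)
end

# Decrypt a marker; raises OpenSSL::Cipher::CipherError when the tag check fails
# (wrong key or a modified ciphertext), so tampered data never reaches the catalog.
def decrypt_value(key, marker)
  raw = Base64.strict_decode64(marker[ENC_PREFIX.length...-ENC_SUFFIX.length])
  iv  = raw[0, IV_LEN]
  tag = raw[IV_LEN, TAG_LEN]
  ciphertext = raw[(IV_LEN + TAG_LEN)..-1]
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = key
  decipher.iv = iv
  decipher.auth_tag = tag
  decipher.auth_data = ''
  (decipher.update(ciphertext) + decipher.final).force_encoding(Encoding::UTF_8)
end

# Lookup object whose lookup() signature mirrors the Hiera 1.x backend interface
# (an assumption of this example; it does not subclass or register with real Hiera).
class ValueDecryptingBackend
  attr_reader :decryptions

  # key:       decryption key. On a real master it would be read from a root-only
  #            file, which is exactly the key-next-to-data situation the reply describes.
  # hierarchy: ordered source names, most specific first.
  # sources:   source name => already-parsed data hash (in memory here instead of YAML on disk).
  def initialize(key, hierarchy, sources)
    @key = key
    @hierarchy = hierarchy
    @sources = sources
    @cache = {}          # [source, key, marker] => plaintext; each value decrypted once per process
    @decryptions = 0     # counter so the caching effect is visible
  end

  # scope is accepted for interface compatibility but unused here (no interpolation).
  def lookup(key, scope, order_override, resolution_type)
    order = order_override ? [order_override] + @hierarchy : @hierarchy
    found = []
    order.each do |source|
      data = @sources[source]
      next unless data && data.key?(key)
      value = decrypt_if_needed(source, key, data[key])
      return value if resolution_type == :priority
      found << value   # :array resolution collects every level's value
    end
    found.empty? ? nil : found
  end

  private

  def decrypt_if_needed(source, key, value)
    return value unless encrypted_value?(value)   # plain values cost nothing
    @cache[[source, key, value]] ||= begin
      @decryptions += 1
      decrypt_value(@key, value)
    end
  end
end

# Constructed demo hierarchy with two levels and a sample secret (not real data).
def build_demo_backend
  key = OpenSSL::Random.random_bytes(32)
  sources = {
    'nodes/db01' => { 'db::password' => encrypt_value(key, 'node-override') },
    'common'     => { 'ntp::servers' => ['0.pool.ntp.org'],
                      'db::password' => encrypt_value(key, 's3cret') }
  }
  ValueDecryptingBackend.new(key, ['nodes/db01', 'common'], sources)
end

if __FILE__ == $PROGRAM_NAME
  backend = build_demo_backend
  puts backend.lookup('db::password', {}, nil, :priority)           # node-override
  puts backend.lookup('ntp::servers', {}, nil, :priority).inspect   # ["0.pool.ntp.org"]
end
```

Two properties of this shape are worth noting against the reply. The key has to be present on the master for `decrypt_value` to run at all, so encryption here protects the data file while it sits in version control, not against someone who already holds master access. And because the authenticated mode rejects any modified ciphertext, a value altered in the repository fails the lookup instead of being silently applied.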
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.