Puppet users - Jun 2013 - Raziel - a partial encrypted Hiera backend

Hi everyone,

In my environment, we heavily rely on Hiera to parametrize our modules.
Like the Puppet code, I would like to version-control the Hiera .yaml
files. However committing passwords in plain text to GitHub seems really
odd.

So I would like to make you aware of one of my side-projects called Raziel.
https://github.com/jbraeuer/raziel/
http://bit.ly/raziel-slides

While there is one approach (hiera-gpg), this renders most of the
version-control features useless, as the whole file is encrypted. With
Raziel, keys are selectively encrypted, so your .yaml file may read like

---
mail.user: automation@commercetools.de
mail.password:
ENC(jA0EAwMCsYQ4Nyhcgx9gySZ1Z5HPMDbSxI9TL11UrSbIxApQNeZ+uMJqwkrTNwKgs4qkD5FDgA==)
mail.server: smtp.googlemail.com

Encryption is based on GPG via ruby-gpgme. The values itself are
encrypted symmetric. The symmetric key is encrypted with asymmetric
crypto, which allows fine grained control over attribute visibility.

Enjoy,
Jens


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Hi,

this does look potentially helpful. Thanks for sharing!

On 06/24/2013 03:26 PM, Jens Braeuer wrote:
> Hi everyone,
> 
> In my environment, we heavily rely on Hiera to parametrize our modules.
> Like the Puppet code, I would like to version-control the Hiera .yaml
> files. However committing passwords in plain text to GitHub seems really
> odd.
> 
> So I would like to make you aware of one of my side-projects called Raziel.
> https://github.com/jbraeuer/raziel/
> http://bit.ly/raziel-slides
> 
> While there is one approach (hiera-gpg), this renders most of the
> version-control features useless, as the whole file is encrypted. With
> Raziel, keys are selectively encrypted, so your .yaml file may read like
> 
> ---
> mail.user: automation@commercetools.de
> mail.password:
>
ENC(jA0EAwMCsYQ4Nyhcgx9gySZ1Z5HPMDbSxI9TL11UrSbIxApQNeZ+uMJqwkrTNwKgs4qkD5FDgA==)
> mail.server: smtp.googlemail.com
> 
> Encryption is based on GPG via ruby-gpgme. The values itself are
> encrypted symmetric. The symmetric key is encrypted with asymmetric
> crypto, which allows fine grained control over attribute visibility.
> 
> Enjoy,
> Jens
> 
> 
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Good idea, and much needed IMHO. Thanks!

Martijn

Op maandag 24 juni 2013 15:26:50 UTC+2 schreef Jens Braeuer het
volgende:
>
> So I would like to make you aware of one of my side-projects called 
> Raziel. 
> https://github.com/jbraeuer/raziel/ 
> http://bit.ly/raziel-slides 
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.