Sergey Arlashin
2013-Nov-19 21:03 UTC
[Puppet Users] Puppet: a way to secure certain files
Hi! I'm trying to secure some data inside my puppet repository. Some passwords and private ssh keys. I have discovered plenty of ways to secure passwords - hiera gpg, puppet-decrypt, extlookup and so on. What about files? Is there a decent way to encrypt files, for example ssh keys?
--
Best regards,
Sergey Arlashin
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/6A2CB173-BF75-4D1E-B0AB-14C3831769E3%40gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
Rich Burroughs
2013-Nov-20 06:06 UTC
Re: [Puppet Users] Puppet: a way to secure certain files
You can use hiera gpg for ssh keys too. See this example: https://groups.google.com/d/msg/puppet-users/jHcuKQXT9cQ/g23Lmf4e6b8J
jcbollinger
2013-Nov-20 17:02 UTC
Re: [Puppet Users] Puppet: a way to secure certain files
On Wednesday, November 20, 2013 12:06:35 AM UTC-6, Rich Burroughs wrote:
> You can use hiera gpg for ssh keys too.

But you would be unwise to do that in conjunction with Puppet 3, unless you fall into one of a small number of special cases. If you add the hiera-gpg back end to your hiera configuration then the encrypted file will be decrypted once for each class parameter that is neither explicitly assigned a value nor resolved in a higher-priority back end. Decrypting the file is very expensive, and if you do it many times then you will see a very noticeable impact on catalog compilation performance. There have been reports on this group of such decryption adding several minutes of compilation time for catalogs that otherwise take a few seconds.

That decryption overhead will not affect you if you use few (or no) parameterized classes (watch out for third-party modules!), if you take care to assign values to all class parameters of every declared class (again, beware third party modules here), or if you are using Puppet 2 rather than Puppet 3.

You should consider whether it really makes sense to encrypt at all, vs. simply securing the master against unauthorized users. If you encrypt then you must record the plaintext decryption key somewhere that the master can read it, and if you hypothesize an assailant that is savvy enough to track down sensitive information in your Puppet configs then you should assume that that assailant can also find the decryption key. In fact, such an assailant must also break your access controls to reach the sensitive information, meaning that they must have gained root access to your server before encryption is even a factor. If an assailant gains root then it's already game over.

John
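A setup for the ssh-key case Rich points to, added here as an example and not taken from either poster: hiera.yaml (in the leading comment) lists the yaml backend before gpg and the class is declared with every parameter assigned, so that, following John's explanation, only the one explicit lookup reaches the gpg backend and pays for a decryption. The paths, the key name deploy_ssh_private_key, the deploy user and the gpg key id are assumptions.

```puppet
# hiera.yaml on the master (assumed layout). The yaml backend comes first so
# lookups it can answer never reach the gpg backend and never cost a decrypt.
#   :backends:
#     - yaml
#     - gpg
#   :hierarchy:
#     - common
#   :yaml:
#     :datadir: /etc/puppet/hieradata
#   :gpg:
#     :datadir: /etc/puppet/hieradata
#     :key_dir: /etc/puppet/keyrings   # readable by the master's user only
#
# common.gpg in the datadir is the gpg-encrypted form of a plain YAML file
# (kept out of the repository) containing:
#
#   deploy_ssh_private_key: |
#     -----BEGIN RSA PRIVATE KEY-----
#     <key body>
#     -----END RSA PRIVATE KEY-----
#
# produced with: gpg --encrypt --recipient <master key id> --output common.gpg common.yaml
class deploy_user::ssh_key ($home) {
  # One explicit lookup: one decryption per catalog compile for this value.
  $private_key = hiera('deploy_ssh_private_key')

  file { "${home}/.ssh":
    ensure => directory,
    owner  => 'deploy',
    group  => 'deploy',
    mode   => '0700',
  }

  file { "${home}/.ssh/id_rsa":
    ensure    => file,
    owner     => 'deploy',
    group     => 'deploy',
    mode      => '0600',
    content   => $private_key,
    show_diff => false,  # keep key material out of agent logs and reports
    require   => File["${home}/.ssh"],
  }
}

# Assign every parameter explicitly: an unassigned one would trigger an
# automatic hiera lookup that falls through to the gpg backend and decrypts.
class { 'deploy_user::ssh_key':
  home => '/home/deploy',
}
```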
Sergey Arlashin
2013-Nov-21 12:03 UTC
Re: [Puppet Users] Puppet: a way to secure certain files
Thank you!