Published on 21 October 2014 by

If you’re already a bit familiar with Hiera, you know why it’s a good idea to separate your data from your Puppet manifests. In case you aren’t familiar, though, using Hiera lets you write and use reusable manifests and modules. You store your organization-specific data in Hiera, and then Puppet classes can request the data they need from your Hiera data store.

When facing the question of how to store your sensitive configuration data, such as passwords for your MySQL servers, the question is not why you should use Hiera, but how.

In the past, the de facto way to store sensitive data in Hiera was to use hiera-gpg. However, with hiera-gpg, the entire Hiera data file had to be encrypted. Recognizing that managing this kind of file over the long term would be a burden, Tom Poulton created hiera-eyaml. This enables Hiera users to encrypt data blocks within the eyaml file separately, making management much easier. (Editor's Note: eyaml is not a commercially supported backend for Puppet Enterprise.)

The setup

Setting up hiera-eyaml is not difficult. Simply use the Puppet Forge module puppet-hiera to manage your Hiera configuration and set your declaration to manage encryption. On your Puppet master:

Setting up hiera-eyaml

When you declare the Hiera class on your master, it uses the proper gem provider to install hiera-eyaml (pe_gem for Puppet Enterprise, and gem for open source Puppet). It then uses the installed gem to generate a private/public key pair to encrypt and decrypt data.

Additionally, the declaration uses a template to generate a hiera.yaml file that will look something like this:

Generating a hiera-eyaml file

This example assumes the master is Puppet Enterprise, which stores configuration data in /etc/puppetlabs/puppet. If you are using open source Puppet, the configuration directory will be under /etc/puppet. Using the Hiera module, you can override the values shown if you have configured your master differently than the example above.

In the above example, secure is our hiera-eyaml file, and it is the top of our hierarchy. That’s because you want your secure data settings to be the foremost override level in your hierarchy — secured key variables should be matched first.

The default file extension for the secure Hiera file is eyaml. However, if you want to use yaml, simply add the following line to your hiera.yaml, under the :eyaml: section:

:extension: ‘yaml’

Editing files

Now you’re set to use hiera-eyaml. To edit files, you have a few options.

The most obvious option is to log in to the Puppet master and edit the secure.eyaml file directly. Please don’t do this! You should minimize direct access to your master and keep track of your code by using version control to manage your Puppet and Hiera files. (And you are, aren’t you?)

The best option is for your Puppet developers to install the hiera-eyaml gem on their local working environments, copy only the public key locally to their hard drives and configure them using config.yaml:

~/.eyaml/config.yaml

---
pkcs7_public_key: ‘/Users/myuser/keys/eyaml/public_key.pkcs7.pem’

Once the configuration file and associated key are in the right place, you can directly manage the secure.eyaml file in your VCS repository directory. You can use the eyaml command to input your sensitive data and receive an encrypted block.

Inputting data and creating encrypted block

Next, copy and paste the text from after block: to the end of the block into yoursecure.eyaml file as you would any other Hiera yaml file.

Here’s the block in the secure.eyaml file:

Encrypted block in secure.eyaml file

Now that you have added a block to the secure.eyaml file, you can edit and change the password at any time.

eyaml edit secure.eyaml

This will open secure.eyaml using your default editor. The contents will look something like this:

Edit password in secure.eyaml file

Just edit the text between the brackets, save as you usually would in your default editor, and that’s it! You’re ready to commit the new version to your Puppet repository.

Just edit the text between the brackets, save as you usually would in your default editor, and that’s it! You’re ready to commit the new version to your Puppet repository.

Behind the scenes

You’ve installed hiera-eyaml and configured Hiera to use it. You’ve got your key management down and have committed your secure.eyaml to your repository. You’ve deployed the latest version to your Puppet master. What happens next?

Puppet will run on the agent and tell the master to compile a catalog as it usually does. However, servers that get the secure information will receive a catalog with decrypted values. This catalog is delivered to the node via SSL, so the information is protected while it is in transit.

Gotcha!

One thing that may be of some concern to you Puppetmasters out there is that hiera-eyaml changes are reported on, which will show up on dashboards like the Puppet Enterprise console. If you change a password, the diff will show up in reports, including on the console.

Don’t fret, you can still use hiera-eyaml even if your organization needs a higher level of security. You can bypass reporting by setting the show_diff metaparameter to “false” on sensitive resources.

Another solution is to write your own reporting processor to input and parse tags, suppressing reporting on given tags.

And that’s it! Congratulations, you’re now using hiera-eyaml. Your passwords are safe, and you can manage them quickly and easily in Hiera!

Terri Haber is a professional services engineer at Puppet Labs.

Learn More

Share via:
Posted in:
Tagged:

Hi,
I've chosen to use puppet + hiera-eyaml for a project I'm working on.
My question is the following: what is the best practice to replace the key and to update the encrypted values in the eyaml documents, in case the key were compromised or in the more favourable case of a routinely key rotation?

Thank you very much

Terri Haber

In reply to by Claudio B.

Unfortunately I know of no automated system to update the encrypted values. If you need to regenerate your keys, the values will need to be recreated. However, this does give me a great idea for a project to tackle. Thank you!

Terri Haber

In reply to by Claudio B.

If you are using the hunner-hiera module, you only need to delete the current keys on your master (after backing them up). The next Puppet run will re-generate the keys.

Right now I am not using hiera. I have many module work done. Can I use this just for one windows module? or do i have to update /change all the work that I have done. Does hiera impact all the work that I have done.?

I am running PE 3.7.2 on CentOS6. I was trying to run hiera-eyaml following the instruction by TomPoulton's article above. When I tried to install hiera-eyaml, I got the following error. Any suggestion how I can resolve this issue?

root@localhost:[/opt/puppet/bin]: puppetserver gem install hiera-eyaml
bash: puppetserver: command not found...

root@localhost:[/opt/puppet/bin]: puppet --version
3.7.4 (Puppet Enterprise 3.7.2)

Terri,

Thanks fore responding. I installed the pe_puppetserver_gem and ran the command again with another certificate error. I checked the ruby and gem versions, 2.0.0 and 2.0.15. Any suggestions how this issue can be resolved?

root@localhost:[/opt/puppet/bin]: ruby --version
ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
root@localhost:[/opt/puppet/bin]: gem --version
2.0.15
root@localhost:[/opt/puppet/bin]: ./puppetserver gem install hiera-eyaml
ERROR: Could not find a valid gem 'hiera-eyaml' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

Terri,

Thanks fore responding. I installed the pe_puppetserver_gem and ran the command again with another certificate error. I checked the ruby and gem versions, 2.0.0 and 2.0.15. Any suggestions how this issue can be resolved?

root@localhost:[/opt/puppet/bin]: ruby --version
ruby 2.0.0p598 (2014-11-13) [x86_64-linux]
root@localhost:[/opt/puppet/bin]: gem --version
2.0.15
root@localhost:[/opt/puppet/bin]: ./puppetserver gem install hiera-eyaml
ERROR: Could not find a valid gem 'hiera-eyaml' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

The order of backends should be eyaml, then yaml. Then there is no need for the secure.eyaml file as there is no way a yaml file can overwrite a value already set in a eyaml-file. Or am I wrong?

This is too easy for anyone to be able to see the plaintext password
eyaml edit secure.eyaml

Can we put a password on this action itself?

Thanks

Add new comment

The content of this field is kept private and will not be shown publicly.

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.