Rotating the inventory service secret key
The inventory service uses a randomly-generated secret key to encrypt a connection entry's sensitive parameters.
Rotate the inventory service secret key
Rotate the secret key every 90 days to reduce the probability of an attacker compromising the secret key.
Stop the inventory service on the primary server. You can use the following command, where the pe-orchestration-services service contains both the orchestrator and inventory services:
puppet resource service pe-orchestration-services ensure=stopped
- Stop the puppet service to ensure that a periodic Puppet run does not accidentally start the inventory service while you are rotating the secret key.
curl https://puppet.com/docs/pe/latest/files/key_rotation.rb -L --output key_rotation.rb
Run the key_rotation.rb script on the primary server. You must log in as the root user or use sudo to run the script with escalated privileges. The script:
- Calculates the secret key directory and database URL by reading the inventory service's config file.
- Generates the new key and writes it to
- Uses psql to re-encrypt the old data with the new key.
- Moves the new key to the old key's location (
If the inventory service's database is on a different host than the primary server, you must specify the URL using the DATABASE_URL environment variable. This must be a valid PostgreSQL URL. For example, the following invocation connects to the inventory_service database as the inventory_user with the password
DATABASE_URL=postgres://inventory_user:inventory_password@remote_db_host/inventory_service key_rotation.rb
If re-encryption fails, you can re-run the script. The script does not generate another new key; instead, it detects the new key and skips to reattempt re-encryption.
If moving the new key to the old key's location fails, you must manually move the new key to the old key's location. You can use:
mv <SECRET_KEY_DIR>/new_key.json <SECRET_KEY_DIR>/keys.json
mv /etc/puppetlabs/orchestration-services/conf.d/secrets/new_key.json /etc/puppetlabs/orchestration-services/conf.d/secrets/keys.json
key_rotation.rb script to prevent unintentional secret key rotations.
Start the inventory service on the primary server. You can use:
puppet resource service pe-orchestration-services ensure=running
What to do next
Back up your infrastructure to capture the new secret key and re-encrypted data.
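A check that can be run against the secret key directory before or after the steps above, as an added example that is not part of the original page or of the key_rotation.rb script: it reports whether keys.json is older than the 90-day rotation interval and whether a leftover new_key.json shows that a rotation did not finish. The function name key_rotation_status, its status words, and the use of the modification time of keys.json as the rotation date are assumptions; it requires GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit the secret key directory.
# Assumption: the modification time of keys.json reflects the last rotation.
# Requires GNU stat (stat -c %Y).

# key_rotation_status SECRET_KEY_DIR [MAX_AGE_DAYS]
# Prints one status word and returns a matching exit code:
#   ok (0)         keys.json exists and is younger than MAX_AGE_DAYS
#   stale (1)      keys.json is MAX_AGE_DAYS old or older (default 90)
#   incomplete (2) new_key.json is still present: re-encryption or the final
#                  move failed, so re-run the script or move the key manually
#   missing (3)    no keys.json found in the directory
key_rotation_status() {
  local dir="$1" max_days="${2:-90}"
  local key="$dir/keys.json" new_key="$dir/new_key.json"
  local now mtime age_days

  # The script writes new_key.json first and only moves it over keys.json
  # as its last step, so a leftover file marks an unfinished rotation.
  if [ -e "$new_key" ]; then
    echo incomplete
    return 2
  fi

  if [ ! -f "$key" ]; then
    echo missing
    return 3
  fi

  # Age of the active key in whole days.
  now=$(date +%s)
  mtime=$(stat -c %Y "$key")
  age_days=$(( (now - mtime) / 86400 ))

  if [ "$age_days" -ge "$max_days" ]; then
    echo stale
    return 1
  fi

  echo ok
  return 0
}
```

Call it as root with the directory that holds keys.json, for example from a scheduled job that alerts on any status other than ok.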