This post is all about the hiera-eyaml GitHub project which I created to provide per-value encryption of sensitive data in a yaml file that Hiera can then decrypt. I started this post mainly for the comments section so that people can leave questions, comments, suggestions, abuse, etc, but also to clean up the readme file so that it’s a bit more concise.
If you’ve started using hiera-eyaml (I hope it helps) and you’re having problems (sorry) please add an issue on GitHub to keep them all in the same place, and make it easier for anyone who may be looking.
The ‘inspiration’ for this little project came from 2 sources:
- An existing hiera encryption solution hiera-gpg
- This post on /dev/random that I found whilst looking for encryption options
Most of the reasons to create an alternative backend for Hiera are summed up in the /dev/random post, but the main one is the ability to encrypt each value individually and not the whole file. This provides a bit more transparency and allows those configuring Puppet to know where each value is defined. If something isn’t working within a hierarchical data source it’s nice to be able to see at a glance where each value is defined and where it should be overridden or added to.
I also ran into problems using hiera-gpg (not actually hiera-gpg’s fault but another project it uses internally ruby-gpgme which didn’t seem to recognise my keychain)
It’s not exactly the most compact syntax ever so I’ll try and find a way of slimming it down a bit. I did try using Zlib but that didn’t really help much.
eYaml doesn’t support keys with a passphrase yet, but as Craig Dunn explains in his post about hiera-gpg “it would mean having the password stored in /etc/puppet/hiera.yaml as plaintext anyway, so I don’t see that as adding much in the way of security.”
GPG seems to have this secure “feel to it” so there might be a better encryption method to use than a pair of pem keys.
Apologies for the state of the blog, I’ll sort out a better theme and CSS when I get a chance.
hiera-eyaml is now up on rubygems so download and install with ease!
Thank you to Craig Dunn for his work on hiera-gpg and corresponding blog post mentioned above, it definitely made it easier to write this having his code as a reference.