You use hiera-eyaml to encrypt sensitive data. You’ve stored your hiera-eyaml keys securely on your primary server. Puppet infrastructure nodes need to access these keys to decrypt data when the agent runs on other nodes. You want to copy these keys to compilers and a replica so that they can decrypt data as needed, but are not sure how to do it.
Version and installation information
PE version: All supported
Solution
There’s no built-in feature in Puppet Enterprise to sync keys from the primary server to the compilers and a replica.
To securely copy these keys, you can either include them in the initial provisioning of your nodes or manually copy them to existing infrastructure nodes. In either case, you can use the filepaths and permissions suggested in the gem’s README.
Caution: Do not use either of the following methods to copy hiera-eyaml keys.
- Don’t use the file resource content attribute and Hiera to copy keys to infrastructure nodes. This method is insecure because when the keys are initially copied to the compilers and a replica they are not encrypted.
- Don’t use file sync to move keys or other files. File sync is designed to be used only for code deployment; using it for other purposes is unsupported.
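The following script is an added example of the manual copy the solution describes; it is not part of this article or of the hiera-eyaml project. It assumes the key file names and destination the hiera-eyaml README uses (private_key.pkcs7.pem and public_key.pkcs7.pem under /etc/puppetlabs/puppet/eyaml, owned by the puppet user, directory 0500, keys 0400), root SSH access from the primary to the compiler or replica, and GNU coreutils (stat -c, sha256sum) on both ends. The keys travel only over SSH, never through Hiera, a file resource, or file sync, and the install is verified afterwards so a mis-permissioned or truncated private key is caught immediately.

```shell
#!/bin/sh
# Added example: copy a hiera-eyaml key pair from the primary server to an
# infrastructure node over SSH and install it with the permissions the
# hiera-eyaml README suggests. Owner/group default to puppet; override
# EYAML_OWNER/EYAML_GROUP to exercise the installer as an unprivileged user.
set -eu

EYAML_OWNER="${EYAML_OWNER:-puppet}"
EYAML_GROUP="${EYAML_GROUP:-puppet}"
EYAML_DIR="/etc/puppetlabs/puppet/eyaml"   # assumed destination, per the README

# mode_of PATH / owner_of PATH: octal mode bits and owner name (GNU stat).
mode_of()  { stat -c '%a' "$1"; }
owner_of() { stat -c '%U' "$1"; }

# install_eyaml_keys SRC_DIR DEST_DIR
#   Copy the pair from SRC_DIR (a temp dir that just received the files) into
#   DEST_DIR, then apply the README layout: directory 0500, key files 0400,
#   everything owned by the puppet user so only puppetserver can read them.
install_eyaml_keys() {
    src="$1"; dest="$2"
    umask 077                      # new files are never group/world readable
    mkdir -p "$dest"
    cp "$src/private_key.pkcs7.pem" "$src/public_key.pkcs7.pem" "$dest/"
    chown -R "$EYAML_OWNER:$EYAML_GROUP" "$dest"
    chmod 0400 "$dest"/*.pem
    chmod 0500 "$dest"
}

# verify_eyaml_keys DEST_DIR
#   Return 0 only if both keys exist with the expected owner and modes;
#   run this on every compiler/replica after copying and in periodic audits.
verify_eyaml_keys() {
    dest="$1"
    [ "$(mode_of "$dest")" = "500" ] || { echo "$dest: mode is not 0500" >&2; return 1; }
    for f in private_key.pkcs7.pem public_key.pkcs7.pem; do
        [ -f "$dest/$f" ] || { echo "$dest/$f: missing" >&2; return 1; }
        [ "$(mode_of "$dest/$f")" = "400" ] || { echo "$dest/$f: mode is not 0400" >&2; return 1; }
        [ "$(owner_of "$dest/$f")" = "$EYAML_OWNER" ] || { echo "$dest/$f: owner is not $EYAML_OWNER" >&2; return 1; }
    done
}

# key_digest FILE: SHA-256 of a key file. Compare the digest printed on the
# primary with the one on the compiler to confirm the copy is byte-identical.
key_digest() { sha256sum "$1" | cut -d' ' -f1; }

# keys_match FILE EXPECTED_DIGEST: 0 if FILE hashes to EXPECTED_DIGEST.
keys_match() { [ "$(key_digest "$1")" = "$2" ]; }

# push_eyaml_keys HOST
#   Run on the primary server. Copies the pair to a private temp dir on HOST
#   with scp, then re-runs this script there as the installer (see the
#   dispatch at the bottom). Requires root SSH on HOST; not run by the test.
push_eyaml_keys() {
    host="$1"
    remote_tmp="$(ssh "root@$host" 'mktemp -d')"
    scp -p "$EYAML_DIR/private_key.pkcs7.pem" "$EYAML_DIR/public_key.pkcs7.pem" \
        "root@$host:$remote_tmp/"
    ssh "root@$host" "EYAML_OWNER=$EYAML_OWNER EYAML_GROUP=$EYAML_GROUP \
        sh -s -- '$remote_tmp' '$EYAML_DIR'" < "$0"
    echo "public key digest on primary: $(key_digest "$EYAML_DIR/public_key.pkcs7.pem")"
}

# Dispatch: with exactly two arguments (SRC_DIR DEST_DIR) act as the installer
# on this host, remove the temp copy, and verify; with none, only define the
# functions above so they can be sourced or tested.
if [ "$#" -eq 2 ]; then
    install_eyaml_keys "$1" "$2"
    rm -rf "$1"
    verify_eyaml_keys "$2"
    exit 0
fi
```

Usage from the primary: `./eyaml-keys.sh` defines the functions; `push_eyaml_keys compiler01.example.com` (a constructed hostname) performs the copy and install, and the printed digest can be checked on the compiler with `keys_match /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem <digest>`. The installer deliberately applies the directory mode last and removes the temporary copy before verifying, so no readable copy of the private key is left behind on the target.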