Encryption is not required for most of the files (such as logs and the support script) that we request when troubleshooting your issues. However, starting with Puppet Enterprise 2016.4.11, 2017.3.6, and 2018.1.0, the support script can be automatically GPG encrypted using the
You might need to remove sensitive content from the support script tarball prior to encryption, or encrypt files requested by Support, in the following situations:
- Your workplace requires it.
- Your files contain sensitive information.
For example, verifying SSL-encrypted traffic between the Puppet primary server (called the master in older versions of PE) and an agent requires traffic to be captured in a network trace. In order for us to decrypt the traffic, we need the private SSL keys from your primary server and agent. You must encrypt these private keys to securely transmit them.
Use the following steps to install GnuPG (GNU Privacy Guard or GPG), a free and open implementation of the OpenPGP standard, and encrypt your files with the Puppet Support public key using 4096-bit RSA encryption. After encryption, only Support team members using our private key can decrypt your files.
Note: We cannot troubleshoot third-party software. If you have issues with GnuPG, request help from the GNU mailing lists.
For each machine you use to encrypt files:
The fingerprint for Support's public key is
If you need to verify the fingerprint, contact us.
Use the following command to encrypt files:
gpg --output <ENCRYPTED FILE NAME> --armor --encrypt --recipient firstname.lastname@example.org <UNENCRYPTED FILE NAME>
For example, to encrypt a file named testkey.pem as an ASCII-Armor encrypted file called testkey.pem.asc:
gpg --output testkey.pem.asc --armor --encrypt --recipient email@example.com testkey.pem
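The following pre-upload check is an added example, not part of the original article or of Puppet's tooling. It parses an ASCII-armored file such as testkey.pem.asc, verifies the armor checksum, and returns the key IDs the message is encrypted to, so that an unencrypted or damaged file is caught before it is sent. It assumes version 3 public-key session packets with one- or two-octet lengths (as written for RSA recipients); the function names and the sample key ID are constructed for illustration.

```python
import base64

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def recipient_key_ids(text: str) -> list:
    """Key IDs an armored file is encrypted to; ValueError if it is not safe to send."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[:1] != [BEGIN] or lines[-1:] != [END] or "" not in lines:
        raise ValueError("not an ASCII-armored OpenPGP message (still plaintext?)")
    body = lines[lines.index("") + 1:-1]  # skip armor headers, drop the END line
    check = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if check and int.from_bytes(base64.b64decode(check[1:]), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: file is corrupted or truncated")
    ids, pos = [], 0
    while pos < len(data) and data[pos] & 0x80:
        first = data[pos]
        tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
        if tag != 1:  # tag 1 = Public-Key Encrypted Session Key; data packets follow
            break
        if first & 0x40:  # new-format header (one- or two-octet length assumed)
            n = data[pos + 1]
            hlen, blen = (2, n) if n < 192 else (3, ((n - 192) << 8) + data[pos + 2] + 192)
        else:  # old-format header: 1, 2 or 4 length octets
            hlen = 1 + (1 << (first & 3))
            blen = int.from_bytes(data[pos + 1:pos + hlen], "big")
        if data[pos + hlen] == 3:  # version 3 packet: key ID is the next 8 octets
            ids.append(data[pos + hlen + 1:pos + hlen + 9].hex().upper())
        pos += hlen + blen
    if not ids:
        raise ValueError("no public-key recipient found")
    return ids

def sample_armored(key_id: bytes) -> str:
    """Constructed input: a v3 session-key packet (RSA, dummy MPI) plus a stub data packet."""
    pkt = bytes([0x84, 13, 3]) + key_id + bytes([1, 0, 8, 0xAB, 0xD2, 2, 1, 0])
    crc = base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{base64.b64encode(pkt).decode()}\n={crc}\n{END}\n"

print(recipient_key_ids(sample_armored(bytes.fromhex("0123456789ABCDEF"))))
```

The key ID in the packet is that of the recipient's encryption key or subkey, so compare it with the long key IDs that `gpg --list-keys --keyid-format long` shows for the Support key in your keyring.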