18

What is the best way to store and handle sensitive information with puppet and safely distribute it to your nodes?

The version I am using is 2.7.

One example would be database passwords. Plain text passwords are needed on your application servers.

How can one store these without leaving them lying around inside of the puppet scripts?

Pigueiras
stellard
  • Is this a programming question? – Oliver Charlesworth Jun 23 '12 at 17:19
  • You need to provide much more information. What version of puppet? What information? /etc/passwd and /etc/shadow? ssh keys? A user password of some sort which you need to assign to a user when the virtual is instantiated? – thisfeller Jun 24 '12 at 02:13
  • Holy crap! I'm sorry that my question isn't clear enough. The version is 2.7. I thought the question was clear. I will edit it. – stellard Jun 24 '12 at 14:23
  • @Oli Charlesworth maybe a better place would be Server Fault. – stellard Jun 24 '12 at 14:50
  • @Rook maybe if you knew puppet you wouldn't be so confused. Thanks for your feedback though. – stellard Jun 24 '12 at 14:51
  • @stellard Maybe if you linked to puppet or anything else on the topic you wouldn't have people trying to close your poorly written question. – rook Jun 24 '12 at 19:58
  • @Rook Puppet was in the title, the body and in the tags. Thanks again for your contribution. – stellard Jun 24 '12 at 21:30
  • @Rook, what is the problem, Puppet to people qualified to answer the question is obvious enough, if you don't understand the question or cannot add positively to the discussion, you should really consider keeping quiet on the issue (try googling puppet if you are interested in learning about it). – nodrog Jun 25 '12 at 08:21
  • @nodrog I did google puppet, and I got at least 10 software packages. Horrible name, horrible question. – rook Jun 25 '12 at 18:09
  • @Rook, can you see that JKG totally understood the question and answered it. As a community if we were to vote for close on every question we did not personally understand, stackoverflow would be much poorer for it. Your ignorance on one particular subject is no reason to close a question. – nodrog Jun 26 '12 at 12:55

2 Answers

20

Using Hiera for external data lookups and encrypting that data via eyaml or GPG is a good start.

https://docs.puppet.com/hiera/

https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml

http://leebriggs.co.uk/blog/2016/11/15/using-hiera-eyaml-gpg.html

Peter Souter
JKG
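A minimal hiera-eyaml setup of the kind the answer above points to, added here as an illustration; it is not code from the answer or from the linked posts. The file paths, the key name db_password and the ciphertext placeholder are assumptions.

```yaml
# --- File 1: hiera.yaml on the puppet master (Hiera 1.x style config) ---
# Paths below are assumed; adjust to your layout.
---
:backends:
  - eyaml          # resolves values wrapped in ENC[...]
  - yaml           # plain, non-sensitive data
:hierarchy:
  - "%{::clientcert}"
  - common
:yaml:
  :datadir: /etc/puppet/hieradata
:eyaml:
  :datadir: /etc/puppet/hieradata
  :extension: 'yaml'
  # The private key stays on the master only: readable by the puppet
  # user, never committed to version control, never shipped to nodes.
  :pkcs7_private_key: /etc/puppet/secure/keys/private_key.pkcs7.pem
  # The public key can be shared so anyone can encrypt new values.
  :pkcs7_public_key: /etc/puppet/secure/keys/public_key.pkcs7.pem

# --- File 2: /etc/puppet/hieradata/common.yaml (safe to commit) ---
# Keys are generated once with `eyaml createkeys`; the value is produced
# with `eyaml encrypt -l db_password -s '<the real password>'`.
---
db_user: myapp
db_password: ENC[PKCS7,<CIPHERTEXT-PLACEHOLDER-from-eyaml-encrypt>]

# --- What not to do: the same value in plaintext ---
# db_password: 'hunter2-constructed-example'
#
# --- Use in a manifest (Puppet 2.7 with the hiera functions) ---
#   $db_password = hiera('db_password')
#
# Caveats:
#  * Decryption happens on the master at compile time, so the compiled
#    catalog and the file rendered on the application server contain the
#    plaintext. Restrict the rendered file (e.g. mode 0600, owner = the
#    application user) and protect catalog and report storage.
#  * Anyone holding the private key can decrypt every ENC[...] value in
#    the repository, so rotate the key pair and re-encrypt if it leaks.
```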
2

Another option, but I haven't tried it personally. https://forge.puppetlabs.com/sshipway/ss

Of course, this does require putting the data into a secure vault but that seems much more secure than storing sensitive data in Hiera.

jamiescott
  • 21
  • 2