
  • DevOps: Puppet, Docker, and Kubernetes
  • Thomas Uphill, John Arundel, Neependra Khare, Hideto Saito, Hui Chuan Chloe Lee, Ke Jou Carol Hsu
  • 471 characters
  • 2021-07-09 18:32:52

Storing secret data with hiera-gpg

If you're using Hiera to store your configuration data, there's a gem available called hiera-gpg that adds an encryption backend to Hiera to allow you to protect values stored in Hiera.

Getting ready

To set up hiera-gpg, follow these steps:

  1. Install the ruby-dev package; it will be required to build the hiera-gpg gem as follows:
    root@puppet:~# puppet resource package ruby-dev ensure=installed
    Notice: /Package[ruby-dev]/ensure: ensure changed 'purged' to 'present'
    package { 'ruby-dev':
     ensure => '1:1.9.3',
    }
    
  2. Install the hiera-gpg gem using the gem provider:
    root@puppet:~# puppet resource package hiera-gpg ensure=installed provider=gem
    Notice: /Package[hiera-gpg]/ensure: created
    package { 'hiera-gpg':
     ensure => ['1.1.0'],
    }
    
  3. Modify your hiera.yaml file as follows:
        :hierarchy:
            - secret
            - common
        :backends:
            - yaml
            - gpg
        :yaml:
            :datadir: '/etc/puppet/hieradata'
        :gpg:
            :datadir: '/etc/puppet/secret'

How to do it...

In this example, we'll create a piece of encrypted data and retrieve it using hiera-gpg as follows:

  1. Create the secret.yaml file at /etc/puppet/secret with the following contents:
    top_secret: 'Val Kilmer'
    
  2. If you don't already have a GnuPG encryption key, follow the steps in the Using GnuPG to encrypt secrets recipe in Chapter 4, Working with Files and Packages.
  3. Encrypt the secret.yaml file to this key using the following command (replace the puppet@puppet.example.com with the e-mail address you specified when creating the key). This will create the secret.gpg file:
    root@puppet:/etc/puppet/secret# gpg -e -o secret.gpg -r puppet@puppet.example.com secret.yaml
    root@puppet:/etc/puppet/secret# file secret.gpg
    secret.gpg: GPG encrypted data
    
  4. Remove the plaintext secret.yaml file:
    root@puppet:/etc/puppet/secret# rm secret.yaml
    
  5. Modify your default node in the site.pp file as follows:
    node default {
     $message = hiera('top_secret','Deja Vu')
     notify { "Message is $message": }
    }
    
  6. Now run Puppet on a node:
    [root@hiera-test ~]# puppet agent -t
    Info: Caching catalog for hiera-test.example.com
    Info: Applying configuration version '1410508276'
    Notice: Message is Deja Vu
    Notice: /Stage[main]/Main/Node[default]/Notify[Message is Deja Vu]/message: defined 'message' as 'Message is Deja Vu'
    Notice: Finished catalog run in 0.08 seconds
    

How it works...

When you install hiera-gpg, it adds to Hiera the ability to decrypt .gpg files. So you can put any secret data into a .yaml file that you then encrypt to the appropriate key with GnuPG. Only machines that have the right secret key will be able to access this data.

For example, you might encrypt the MySQL root password using hiera-gpg and install the corresponding key only on your database servers. Although other machines may also have a copy of the secret.gpg file, it's not readable to them unless they have the decryption key.
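To make the lookup order in the recipe above concrete (the hierarchy of secret then common, the yaml backend before the gpg backend, and the default value when nothing decrypts), here is a small Ruby model of the lookup. It is an added example, not the hiera-gpg gem's own code; the real decryptor assumes a gpg binary and a keyring holding the private key, and the injectable decrypt lambda lets you see why a machine without that key gets the default ('Deja Vu' in the run shown earlier) rather than an error.

```ruby
require 'yaml'
require 'open3'

# Constructed model of the lookup hiera-gpg adds to Hiera: walk the hierarchy,
# try the yaml backend (plaintext <level>.yaml) then the gpg backend
# (<level>.gpg decrypted with the local GnuPG keyring), and return the first
# hit or the caller's default. Not the gem's own implementation.
module MiniHieraGpg
  # Real decryptor: shells out to gpg (assumes a gpg binary and a keyring that
  # holds the private key the file was encrypted to). A failed decryption is
  # treated as "no usable key here", which is what makes the default kick in.
  GPG_DECRYPT = lambda do |path|
    out, status = Open3.capture2('gpg', '--batch', '--quiet', '--decrypt', path)
    status.success? ? out : nil
  end

  # config mirrors hiera.yaml: :hierarchy order, :backends order, and a datadir
  # per backend (:yaml => '/etc/puppet/hieradata', :gpg => '/etc/puppet/secret').
  def self.lookup(key, default, config, decrypt: GPG_DECRYPT)
    config[:hierarchy].each do |level|
      config[:backends].each do |backend|
        data = load_level(backend, level, config[backend], decrypt)
        return data[key] if data && data.key?(key)
      end
    end
    default
  end

  # Load one hierarchy level for one backend; nil when the file is absent or,
  # for gpg, when this machine cannot decrypt it.
  def self.load_level(backend, level, datadir, decrypt)
    case backend
    when :yaml
      path = File.join(datadir, "#{level}.yaml")
      File.exist?(path) ? YAML.safe_load(File.read(path)) : nil
    when :gpg
      path = File.join(datadir, "#{level}.gpg")
      return nil unless File.exist?(path)
      plaintext = decrypt.call(path)
      plaintext && YAML.safe_load(plaintext)
    end
  end
end
```

Because decryption happens wherever Hiera runs (the Puppet master in a master/agent setup), that is the host whose keyring must hold the private key; agents only ever see the resolved catalog.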

There's more...

You might also like to know about hiera-eyaml, another secret-data backend for Hiera that supports encryption of individual values within a Hiera data file. This could be handy if you need to mix encrypted and unencrypted facts within a single file. Find out more about hiera-eyaml at https://github.com/TomPoulton/hiera-eyaml.

See also

  • The Using GnuPG to encrypt secrets recipe in Chapter 4, Working with Files and Packages.