Always assume your git repo is compromised.
This is not far-fetched, as a git repo lives on every developer desktop and laptop. So, should a device be stolen, the thieving party has a full copy of your control repo, including all your passwords, hostnames, service endpoints etc. This is a very bad position to find yourself in!
In the beginning, there was a feature called hiera-gpg, that would encrypt your Hiera data files to overcome this issue. Naturally this was laborious and not easy to maintain. eYaml to the rescue!
Thanks to eYaml, one can now encrypt a single value entry without losing readability of the file!
Let’s dig into how to install this. Note, I will be doing this on the PE server we stood up in the previous post.
In PE, the eyaml gem is already included, so that part is easy!
First, create and secure the encryption keys:
# cd /etc/puppetlabs/puppet
# eyaml createkeys
# chown -R pe-puppet:pe-puppet /etc/puppetlabs/puppet/keys
# chmod -R 0500 /etc/puppetlabs/puppet/keys
# chmod 0400 /etc/puppetlabs/puppet/keys/*.pem
One of the great things about eyaml is that you only need the public key to encrypt a value. Thus, you can freely distribute the public key to all your devs, and they can encrypt passwords and add them to their module, but not have the ability to decrypt them. This means that you can even add your public key to your control repo, and anyone that clones your control repo will be able to contribute encrypted passwords into your environment; only the holder of the private key on the PE server can decrypt them.
To test eyaml, let’s encrypt a string:
# eyaml encrypt -s 'hello there'
string: ENC[PKCS7,...]
OR
block: >
ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEASqy3RPgLcnT5Q2+hWXHVT7qhngEPU7hf8U8Y
h1nS3Xhu7Zq2QBQcD9wNKg75pbYnhd6dedPavxx1JpoI+d4TDOMLKbcJpjfT
qOh7mX8exiPK4HFdU0RvV09nmiFfqLoyXkevSQ4hPaeQNvedtkn+qIGKaHCG
tHg1BxBec1e/+nBiWR8e7F4AqaG78NoTOmrzBMIyxIBA4Lq6u8TEtBgVLPyT
xf6NHy1gykhJG/7FQ65oAfHHRAnB1sZYpWiFqTqquvLAKl+n3CwBezH6197+
4/TXM66dwOq/CWPid34PIkPY/E6nu99cC2UICOpbdqb2C3bPV7NsU5t00UY7
d4JXJzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCO7as/chh4akkhv9F1
O41ogBBnot/Mo3++B7kArM18DJUM]
With eyaml, you have the option to use a string or a block depending on your style preference.
Now let’s update our PE infrastructure to use the newly created keys to decrypt secrets.
Note that this is set per environment, should you want to use different keys for each environment. How you categorize your yaml data is entirely up to you; you can have a mix of yaml and eyaml. The options are endless, so we’ll just go for a basic setup.
In your control repo, edit the appropriate hiera.yaml file in the branch you want to secure, and make the following example updates (feel free to customize based on your environment).
A fresh install will look similar to this:

Update that to look similar to this:
---
version: 5
defaults:
  datadir: "data"
hierarchy:
  - name: 'Eyaml backend'
    # A Hiera 5 level takes exactly one of data_hash / lookup_key / data_dig;
    # eyaml_lookup_key reads plain yaml values as well as ENC[PKCS7,...] ones.
    lookup_key: eyaml_lookup_key
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - 'common.yaml'
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
To show there are no line breaks, here is a screen grab of the file:

That is it, you can now replace key-value pairs in your Hiera data with encrypted secrets! For example:

Enjoy your more secure repositories!