Embed Size (px)
DESCRIPTION
This is a short talk I gave at London DevOps last night about why I contributed to the hiera-eyaml project.
Citation preview
Encrypting sensitive data for Puppet
Simon Hildrew!The Guardian
@sihil
W H Y B O T H E RIt’ll only come back and slap you in the face
http://www.flickr.com/photos/35211570@N00/3144456275
Shared Puppet
Sensitive Puppet
Merge to puppet masters
Shared Puppet
puppet master private key
first stop: hiera-gpg
--- db-host: db.internal.gnm username: cheese password: wensleydale
<85>^A^L^C<96><AB>e2*<E0>2^A^G<FE>:<8A><8C>c!<E5><C8><C0><88><B5><B1>2<91>K<F5><8F><9E>w<A5><C9><FB>^Y<93>'_<C5>H<C7>f<A1><FC>V1]<EC>^D<DD>I<B8><81><96><FD><AA>Q<D6>w8<DD>~Q[H^M<88>r<E4>i<F2>^AZ8^E<C1><AF>^E<C5><DE>'2EL<A4>=<9D><FF><8B><BB>c:AW*C<C0><8A><CE><CD>S<F4>b09^Ca+<E0><D8>/<85><F7><8D>N<D9>R<9E>c<F4><93>$<AF>^L<CA><E0>7
vs.
$ git diff 0bdc4ea33 cat.jpeg Binary files a/cat.jpeg and b/cat.jpeg differ
http://www.flickr.com/photos/9763931@N04/5443386117http://www.flickr.com/photos/31348155@N03/7028040701
hiera-eyaml
--- plain-property: You can see me encrypted-property: > ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
$ eyaml decrypt -e test.eyaml --- plain-property: You can see me encrypted-property: > DEC::PKCS7[You can’t see me without a key]!
$
$ eyaml edit test.eyaml
--- plain-property: You can see me encrypted-property: > ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQAw DQYJKoZIhvcNAQEBBQAEggEAxqeLyrOtMJy392yNwpNUKPIJ441SRVAMNi84 wEGZVc9TIsRkWmMJGxpe+jy9edqnl552pbmD+B5ecfYQ5dehDVeos2CzFrMo CAV+qqvYml1nkbiBdPreZeUVZCLQLOw9I03z+iSEokGUy0x9702zjjK1mafq HWC/ClzdZh1UGxd+1hyGrw/dDOVsZqdLT1bWT+MT5BiyVlmeHFDMy7XFuJkg ER73t1WOC0sOrWwua37yKneDA/J5sFYrRypVD+QKLoFMtgxYYBldcenn+whB EJkMNrVTJzGkzo9HPaZ/dJFvBVGPDo6MxRqMFf2Tx/3Mq7bq6Ckoa6PNQiEz 4BS88TBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAvO3CeT6tosqRc8Vuu fOo3gCB5JxY9ihIbnUJJl0Iuw0qeS6UsqKJ7HSst6+qRH90t5w==] new-encrypted-property: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQAwDQYJKoZIhvcNAQEBBQAEggEAK7otMYeHetnvkQVXQkjedR/2bXSA6KlDlI7rFBsrXpwsj5A8UBo8N3t5MgKx6kMPQN6T3ILNBA/1k7HFhRAsd5biJ2g1Y4NO8iS7Jedm+zlZ6MQPK0NNtU3+hNHYUfv63jmqKMb9GWswTPaS6fTiWz/+mLl1chWBuK9BW9b6xW6ObOxmK4kYf9xOo7w+OrJy02j4zLNVqCzOrb1zge5GvYmH1n+IncBz1WyPAoWJEjnFD1X6fdO32ulN1IYLzUSXkSVAASeN5Hb00/8GRtyQE1hNeS4ea640n/yHidGH3uTGnjNU9QoIqX7Yaqnpc/4E8WWY975gICNeFO/PBN1kLzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDmVUe4sJBuxBVvmPAQcIhngCBx3IP8BWsyypcX3q8rRql3/GwPHeJ5moe6Mt1KEMcWpw==]
$ git diff a946fd1906c2fb0e489d60a9700b4c4d5a4a21ec test.eyaml index b94910e..5c8508a 100644 --- a/test.eyaml +++ b/test.eyaml @@ -10,3 +10,4 @@ EJkMNrVTJzGkzo9HPaZ/dJFvBVGPDo6MxRqMFf2Tx/3Mq7bq6Ckoa6PNQiEz 4BS88TBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAvO3CeT6tosqRc8Vuu fOo3gCB5JxY9ihIbnUJJl0Iuw0qeS6UsqKJ7HSst6+qRH90t5w==] +new-encrypted-property: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEh
hiera-eyaml-gpg
list of GPG recipients for encrypting eyaml files
That’s allMore info at https://github.com/TomPoulton/hiera-eyaml !Let us know if you use it and please do make pull requests.
