Hiera-gpg seems to be the standard way to to store encrypted data in hiera. Craig Dunn has a pretty good article on how to deploy and use it. Storing sensitive data encrypted is a pretty good idea, using asymmetric crypto is even better. But still I am frustrated.
First, let’s have a look at the problem space. In our case we have the following requirements:
- all configuration should be stored in a version control system – VCS (SNV / Git / …)
- sensitive data should be stored and transmitted securely
- only our puppet master should able to decrypt data
- anybody should be able to encrypt data
- authorization should be handled only by the VCS
hiera-gpg fills the first three requirements, but fails just short on 5 and 6.
To encrypt data, no problem, you create a new yaml file, encrypt it, publish it to your VCS. Anyone can access thewe puppet master’s public key, so anyone can encrypt data. As long as you have access to the VCS, you can publish this encrypted file.
Let’s face it, most of the time we don’t publish a brand new configuration, we modify an existing one. To modify it, we must have the plaintext version. We could either store the plaintext somewhere, but that defeats the whole purpose of encrypting it. We could encrypt data with our own public key to be able to retrieve the plaintext, but that defeats requirement #3. Further more, we work in teams. We could share our private key with our team, but key repudiation becomes an issue when people leave the company. And even more, we work with multiple teams, with divers responsibilities. No team should have the full knowledge of all our private information.
How can we do better …
Instead of encrypting the whole file, we can encrypt individual properties. Each property can than be modified by anyone, but read by no one. When you modify a property, you know its new value, but not its old value. We could even mix encrypted and non encrypted properties. The format would look like this:
--- - database: username: dbuser password: ENC(XXXXXXXX)
Anyone can modify this password, but nobody can decrypt it.
Now I just need time to learn ruby and write a hiera extension.