Encrypting sensitive data for Puppet
Simon Hildrew, The Guardian, @sihil
This is a short talk I gave at London DevOps last night about why I contributed to the hiera-eyaml project.

Published in: Technology
  1. Encrypting sensitive data for Puppet. Simon Hildrew, The Guardian, @sihil
  2. WHY BOTHER: it'll only come back and slap you in the face
  3. http://www.flickr.com/photos/35211570@N00/3144456275
  4. Diagram: a Shared Puppet repository and a Sensitive Puppet repository, merged on the puppet masters
  5. Diagram: Shared Puppet repository, puppet master, private key
  6. first stop: hiera-gpg
  7. The hiera data as plaintext YAML:
       ---
       db-host: db.internal.gnm
       username: cheese
       password: wensleydale
     vs. the same data as a whole-file hiera-gpg blob, as an editor shows it:
       <85>^A^L^C<96><AB>e2*<E0> 2^A^G<FE>:<8A><8C>c! <E5><C8><C0><88><B5><B1>2 <91>K<F5><8F><9E>w<A5><C9 ><FB>^Y<93>'_<C5>H<C7>f<A 1><FC>V1]<EC>^D<DD>I<B8>< 81><96><FD><AA>Q<D6>w8<DD >~Q[H^M<88>r<E4>i<F2>^AZ8 ^E<C1><AF>^E<C5><DE>'2EL< A4>=<9D><FF><8B><BB>c:AW* C<C0><8A><CE><CD>S<F4>b09 ^Ca+<E0><D8>/ <85><F7><8D>N<D9>R<9E>c<F 4><93>$<AF>^L<CA><E0>7
  8. http://www.flickr.com/photos/31348155@N03/7028040701
     http://www.flickr.com/photos/9763931@N04/5443386117
       $ git diff 0bdc4ea33 cat.jpeg
       Binary files a/cat.jpeg and b/cat.jpeg differ
  9. hiera-eyaml
 10. ---
     plain-property: You can see me
     encrypted-property: >
       ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
       NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
       jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
       l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
       /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
       IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
 11. $ eyaml decrypt -e test.eyaml
     ---
     plain-property: You can see me
     encrypted-property: >
       DEC::PKCS7[You can’t see me without a key]!
 12. $ eyaml edit test.eyaml
 13. ---
     plain-property: You can see me
     encrypted-property: >
       ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQAw
       DQYJKoZIhvcNAQEBBQAEggEAxqeLyrOtMJy392yNwpNUKPIJ441SRVAMNi84
       wEGZVc9TIsRkWmMJGxpe+jy9edqnl552pbmD+B5ecfYQ5dehDVeos2CzFrMo
       CAV+qqvYml1nkbiBdPreZeUVZCLQLOw9I03z+iSEokGUy0x9702zjjK1mafq
       HWC/ClzdZh1UGxd+1hyGrw/dDOVsZqdLT1bWT+MT5BiyVlmeHFDMy7XFuJkg
       ER73t1WOC0sOrWwua37yKneDA/J5sFYrRypVD+QKLoFMtgxYYBldcenn+whB
       EJkMNrVTJzGkzo9HPaZ/dJFvBVGPDo6MxRqMFf2Tx/3Mq7bq6Ckoa6PNQiEz
       4BS88TBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAvO3CeT6tosqRc8Vuu
       fOo3gCB5JxY9ihIbnUJJl0Iuw0qeS6UsqKJ7HSst6+qRH90t5w==]
     new-encrypted-property: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQAwDQYJKoZIhvcNAQEBBQAEggEAK7otMYeHetnvkQVXQkjedR/2bXSA6KlDlI7rFBsrXpwsj5A8UBo8N3t5MgKx6kMPQN6T3ILNBA/1k7HFhRAsd5biJ2g1Y4NO8iS7Jedm+zlZ6MQPK0NNtU3+hNHYUfv63jmqKMb9GWswTPaS6fTiWz/+mLl1chWBuK9BW9b6xW6ObOxmK4kYf9xOo7w+OrJy02j4zLNVqCzOrb1zge5GvYmH1n+IncBz1WyPAoWJEjnFD1X6fdO32ulN1IYLzUSXkSVAASeN5Hb00/8GRtyQE1hNeS4ea640n/yHidGH3uTGnjNU9QoIqX7Yaqnpc/4E8WWY975gICNeFO/PBN1kLzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDmVUe4sJBuxBVvmPAQcIhngCBx3IP8BWsyypcX3q8rRql3/GwPHeJ5moe6Mt1KEMcWpw==]
 14. $ git diff a946fd1906c2fb0e489d60a9700b4c4d5a4a21ec test.eyaml index b94910e..5c8508a 100644 --- a/test.eyaml +++ b/test.eyaml @@ -10,3 +10,4 @@ EJkMNrVTJzGkzo9HPaZ/dJFvBVGPDo6MxRqMFf2Tx/3Mq7bq6Ckoa6PNQiEz 4BS88TBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAvO3CeT6tosqRc8Vuu fOo3gCB5JxY9ihIbnUJJl0Iuw0qeS6UsqKJ7HSst6+qRH90t5w==] +new-encrypted-property: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEh
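Review bot: the added "new-encrypted-property" line writes its ENC[PKCS7,...] token as a single unwrapped plain scalar, while the three context lines of the same hunk show that the existing "encrypted-property" is stored as a folded block scalar (">") with the base64 wrapped at 60 columns. Storing the new value the same way ("new-encrypted-property: >" followed by indented 60-column lines) keeps the file's formatting consistent and keeps later diffs of that value to a few short lines instead of one very long one.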
 15. hiera-eyaml-gpg
 16. list of GPG recipients for encrypting eyaml files
 17. That’s all. More info at https://github.com/TomPoulton/hiera-eyaml ! Let us know if you use it and please do make pull requests.
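As an added worked example, not code from the talk or from the hiera-eyaml project: the Ruby script below re-implements in miniature the per-value scheme behind the ENC[PKCS7,...] tokens on slides 10 to 14, so the diff property those slides illustrate can be checked offline. It follows the same outline as hiera-eyaml's PKCS7 encryptor (PKCS7 enveloped data with an AES-256-CBC session key, base64-encoded inside an ENC[PKCS7,...] token) but is a standalone re-implementation using only Ruby's bundled OpenSSL binding. The key pair, the key names and the sample values are all constructed for the example (the self-signed certificate stands in for the puppet master's key and certificate that eyaml would normally read from disk), and the function names are the example's own, not the gem's API.

```ruby
require 'openssl'

# Token format for an encrypted value: ENC[PKCS7,<base64 DER>], whitespace
# allowed inside so that folded (">") block scalars still match.
ENC_RE = %r{\AENC\[PKCS7,([A-Za-z0-9+/=\s]+)\]\z}

# Generate an in-memory RSA key and self-signed certificate. This is an
# assumption of the example: it stands in for the puppet master's key/cert
# pair that eyaml normally loads from disk.
def generate_keypair(bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=eyaml-example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Encrypt one value as PKCS7 enveloped data: a fresh AES-256-CBC session key
# is wrapped to the certificate's RSA key, so only the certificate (public
# material) is needed to add a secret to the file.
def encrypt_value(cert, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  der = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
  "ENC[PKCS7,#{[der].pack('m0')}]"
end

# Reverse of encrypt_value; needs the private key (the puppet master side).
def decrypt_value(key, cert, token)
  m = ENC_RE.match(token) or raise ArgumentError, 'not an ENC[PKCS7,...] token'
  OpenSSL::PKCS7.new(m[1].unpack1('m')).decrypt(key, cert)
end

def encrypted?(value)
  value.is_a?(String) && ENC_RE.match?(value)
end

# Encrypt the values of the keys listed in secret_keys, leaving values that
# are already tokens untouched. Leaving them alone is what keeps the file
# diffable: PKCS7 picks a new random session key every time, so re-encrypting
# an unchanged secret would rewrite its ciphertext on every edit.
def encrypt_doc(cert, doc, secret_keys)
  doc.each_with_object({}) do |(k, v), out|
    out[k] = secret_keys.include?(k) && !encrypted?(v) ? encrypt_value(cert, v.to_s) : v
  end
end

def decrypt_doc(key, cert, doc)
  doc.transform_values { |v| encrypted?(v) ? decrypt_value(key, cert, v) : v }
end

# Render one "key: value" line per entry so a line-based diff is meaningful.
def render(doc)
  doc.map { |k, v| "#{k}: #{v}\n" }.join
end

# Lines present in `after` but not in `before`: what git diff would mark as added.
def added_lines(before, after)
  after.lines - before.lines
end

if __FILE__ == $PROGRAM_NAME
  key, cert = generate_keypair
  # Constructed sample data modelled on the talk's slide 7; not real credentials.
  plain = { 'db-host' => 'db.internal.gnm', 'username' => 'cheese', 'password' => 'wensleydale' }
  v1 = encrypt_doc(cert, plain, ['password'])
  v2 = encrypt_doc(cert, v1.merge('api-token' => 'hunter2'), %w[password api-token])
  puts render(v2)
  puts "lines added between v1 and v2: #{added_lines(render(v1), render(v2)).size}"
  p decrypt_doc(key, cert, v2)
end
```

Running it prints the encrypted document, the number of lines added between the two versions (one, the new key only) and the decrypted hash. The point to notice is the encrypted? guard in encrypt_doc: because PKCS7 enveloped data uses a fresh random session key for each encryption, two encryptions of the same plaintext produce different tokens, so a tool that blindly re-encrypted the whole document on every save would rewrite every ciphertext line and bring back the unreadable diffs of slides 7 and 8. That is the property the git diff on slide 14 demonstrates: after eyaml edit, the existing encrypted-property keeps its ciphertext and only the new line appears in the hunk.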
