fiddyspence's blog

Puppet Data Encryption

Some time ago, I wrote a backend for Hiera to provide another option for encrypting/decrypting data at rest.  It exists in the same kind of problem space as hiera-gpg, but with the additional downside that you don’t quite have the flexibility that you do with GPG keyrings.  It does have the advantage that it just uses Puppet SSL certs, so there aren’t any external requirements for e.g. GPG.  I always planned on having a specific SSL keypair to do the work so as not to compromise host keys.

That code is here: https://github.com/fiddyspence/hiera-puppetcert

It’s quite well integrated - there is a Puppet face to encrypt the YAML data that hiera will query, and the backend will decrypt that data so you get the privacy of your data in your VCS/backup systems etc.  What it lacked was flexibility in terms of the implementation.

What I really wanted to be able to do was to reuse the encryption routines in a portable way, doing encryption/decryption through a library but across different bits of Puppet, and this implementation sucked for that.  The aim was to implement fact encryption in a reasonably sensible way, so sensitive data can get passed around, be decrypted only in memory, and be held reasonably safely at rest.

I realised last week, after implementing some mcollective magic to do config file hacking (http://ibroketheinternet.co.uk/blog/2012/12/01/mcollective-config-file-hackage/), that I could reimplement the functions as a Puppet::Util class (thanks to cprice404 for the inspiration) and use them wherever I wanted to.  The advantage of this is that you get to pluginsync the Util class, and Puppet will be able to load it.

[root@puppet certencryption]# tree
├── lib
│   └── puppet
│       └── util
│           └── certencryption.rb

Admittedly, the implementation of the actual encryption is also a bit hacky, but that’s relatively easy to change to something better (on the roadmap).

So, I give you https://github.com/fiddyspence/puppet-certencryption or Puppet::Util::Certencryption as it’s better known.

Watch this space for the fact encryption code - should be along shortly.