Changes


ReleaseEngineering/PuppetAgain/Secrets

74 bytes removed, 16:55, 25 August 2015
no edit summary
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.
To encrypt a new *password*, as root on an [https://wiki.mozilla.org/ReleaseEngineering/Puppet#Masters authoritative any puppetmaster], use:
eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
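A check that follows from the ENC[..] convention described above, as an added example that is not part of the wiki page or the PuppetAgain code: it walks a hiera YAML document and reports every value that is not wholly an ENC[...] block, that is, a secret left in cleartext. The `ENC[PKCS7,...]` shape is hiera-eyaml's default output; the key names and ciphertext in the sample are constructed.

```ruby
require 'yaml'

# A value counts as protected only if it is entirely one ciphertext block,
# e.g. ENC[PKCS7,<base64>]. Whitespace inside the base64 is tolerated
# because folded block scalars may wrap long ciphertext.
ENC_VALUE = /\AENC\[[A-Za-z0-9_]+,[A-Za-z0-9+\/=\s]+\]\z/

# Recursively collect the key paths of leaves that are not ENC[...]-wrapped.
def cleartext_paths(node, path = [])
  case node
  when Hash
    node.flat_map { |k, v| cleartext_paths(v, path + [k.to_s]) }
  when Array
    node.each_with_index.flat_map { |v, i| cleartext_paths(v, path + [i.to_s]) }
  when String
    node.strip.match?(ENC_VALUE) ? [] : [path.join('.')]
  else
    # Numbers and booleans in a secrets file are unencrypted too; nil is empty.
    node.nil? ? [] : [path.join('.')]
  end
end

# Parse a secrets document and return the paths that need encrypting.
def audit(yaml_text)
  cleartext_paths(YAML.safe_load(yaml_text))
end

# Constructed sample: the ciphertext is placeholder base64, not real PKCS7.
SAMPLE = <<~YAML
  db_password: ENC[PKCS7,Q09OU1RSVUNURUQ=]
  api:
    token: >
      ENC[PKCS7,Q09OU1RSVUNU
      RUQ=]
    backup_token: hunter2
  ssh_passphrases:
    - ENC[PKCS7,Q09OU1RSVUNURUQ=]
    - "ENC[PKCS7,Q09OU1RSVUNURUQ=] trailing"
YAML

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE).each { |p| puts "cleartext value at #{p}" }
end
```

Values that mix cleartext with an ENC[...] block are reported as well, since part of the string is still readable in the file.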