Changes

ReleaseEngineering/PuppetAgain/Secrets

13 bytes removed, 09:20, 4 October 2016
Using EYAML: Add subsections to highlight strings vs files
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.
To encrypt a new *password*, as === Encrypt strings (like passwords) === As root on any puppetmaster, use:
eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
python -c "import yaml; f=open('secrets.eyaml','r'); yaml.load(f)" && echo "pass" || echo "FAIL"
To encrypt a new *file* === Encrypt files (e.g. a private keykeys) rather than a password, pipe === Pipe the contents of the file to the above command, and replace --password with --stdin, e.g.
cat secret_file | eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
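Review bot: the validation one-liner in the context line `python -c "import yaml; f=open('secrets.eyaml','r'); yaml.load(f)"` calls `yaml.load` without a `Loader`, which on PyYAML will construct arbitrary Python objects from tags in the file, so a tampered secrets.eyaml could execute code on the puppetmaster during what is meant to be a syntax check; use `yaml.safe_load(f)` instead, which parses plain YAML (including the ENC[..] strings, which are ordinary scalars) and rejects object-constructing tags. Separately, both `eyaml encrypt ... \` lines end in a line continuation with no following line shown, so the `--password` and `--stdin` arguments the new text tells the reader to swap never appear in the visible command; the new subsections would be clearer if the complete command were included under each heading.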