Where do you store sensitive files with puppet+git approach?

[Vaidas Jablonskis]

Hi People,

I have a quick question, which hopefully you will have an answer to.

I am slowly moving towards puppet and git with multiple branches for different environments. Things are going pretty well, but now I have a small issue. The question is where should I store sensitive files, for instance SSL private keys or some files which contain sensitive data?

I am aware of hiera-gpg storage backend, but that is more suitable for storing plain text strings rather than actual files - correct me if I am wrong?

I am looking forward to hear your opinion on this subject.

Thanks in advance.

  -- Vaidas

[Aaron Grewell]

We use hiera-gpg for ours. Files containing sensitive information are converted into templates so that only the necessary strings are included in gpg.  If we really needed to distribute full files I would probably build a separate directory tree backed by its own repository for this. It's just never been necessary for us.

> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/DjQqqdK2NJ4J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

[Derek Olsen]

We use hiera-gpg for file type sensitive information as well. For
sensitive information which is actually a file (ssh private keys) we
moved that into hiera-gpg and just set the yaml markup accordingly so
the information could be used to populate the file in question in the
correct format.

For example this is what a private key looks like in yaml. The "|"
and leading indentation keeps the content in the same format as it
passes through the hands of the different villagers on the way to it's
home in the id_dsa file.

professor_plumbs_private_key: |
-----BEGIN DSA PRIVATE KEY-----
GOODSTUFFHERE
THEGOODSTUFFCONTINUES
-----END DSA PRIVATE KEY-----

Then to create the key file. (Hiera call done as part of class param)

file { "/blah/blah/.ssh/id_dsa":
content => $professor_plumbs_private_key;
}


I'm sure the same approach could be taken for ssl keys. However we
have been wielding the hiera hammer pretty hard and had to stop short
of using it in place of DNS so you may not like this approach;)

HTH.

On Oct 1, 10:40 am, Aaron Grewell <aaron.grew...@gmail.com> wrote:
> We use hiera-gpg for ours. Files containing sensitive information are
> converted into templates so that only the necessary strings are included in
> gpg.  If we really needed to distribute full files I would probably build a
> separate directory tree backed by its own repository for this. It's just
> never been necessary for us.
>

[Vaidas Jablonskis]

Great stuff. I have a better idea now. Thanks for that guys.