For users that do not use a separate secrets server (yet) but want to improve the security of their Puppet installation, it would be valuable to provide the ability to encrypt data so that it can only be read by the node the catalog is compiled for. The pattern is to call encrypt while compiling the catalog and to call decrypt on the agent through a Deferred. Example usage:
  class some_class (Sensitive $password) {
    some_resource { 'example':
      # encrypt runs on the compiler for the target node; decrypt runs on the agent
      password => Deferred('decrypt', [encrypt($password)]),
    }
  }
It may be of value to have encrypt always return a Sensitive, so the user does not have to wrap the result themselves (when the source value is not already Sensitive). encrypt should encrypt using the certificate of the node for which the catalog is being compiled, while decrypt always operates as the localhost that applies the catalog. It is therefore not possible, during compilation, to decrypt a value that was encrypted for the agent node. (If that turns out to be a valid use case, decrypt would need an argument indicating whether it is for the node or for localhost.) Both functions should work on any rich data type so that encrypted rich data (a hash, an array, a Sensitive value, etc.) can be sent.
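As an added illustration, not code from this ticket or from Puppet, the following Ruby sketch models the proposed pair: encrypt needs only the node's certificate, decrypt needs the private key that only the applying node holds, and rich data is JSON-serialised into a hybrid RSA-OAEP + AES-256-GCM envelope, since an RSA key alone cannot encrypt arbitrary-size data. The module name, the envelope field names and the self-signed test certificate are assumptions standing in for a node's Puppet certificate.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Hypothetical model of the proposed encrypt/decrypt pair (not Puppet's code):
# encrypt needs only the node's certificate, decrypt needs its private key.
module NodeEnvelope
  ALG = 'RSA-OAEP+A256GCM'.freeze

  # Encrypt any JSON-representable rich data (hash, array, string, ...) for the
  # node owning `cert`: fresh AES-256-GCM data key, wrapped with the cert's RSA key.
  def self.encrypt(cert, data)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    key = cipher.random_key
    iv = cipher.random_iv
    cipher.auth_data = ALG # bind the ciphertext to the envelope format
    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
    wrapped = cert.public_key.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    { 'alg' => ALG,
      'key' => Base64.strict_encode64(wrapped),
      'iv'  => Base64.strict_encode64(iv),
      'tag' => Base64.strict_encode64(cipher.auth_tag),
      'ct'  => Base64.strict_encode64(ciphertext) }
  end

  # Decrypt with the private key of the node applying the catalog; a wrong key
  # or a tampered envelope raises rather than returning garbage.
  def self.decrypt(private_key, env)
    key = private_key.private_decrypt(Base64.strict_decode64(env['key']), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = Base64.strict_decode64(env['iv'])
    cipher.auth_tag = Base64.strict_decode64(env['tag'])
    cipher.auth_data = ALG
    JSON.parse(cipher.update(Base64.strict_decode64(env['ct'])) + cipher.final)
  end

  # Constructed self-signed certificate standing in for the node's Puppet cert.
  def self.self_signed_cert(rsa)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example')
    cert.public_key = rsa.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 3600
    cert.sign(rsa, OpenSSL::Digest.new('SHA256'))
    cert
  end
end
```

Because only the holder of the private key can unwrap the data key, a compiler that has just produced the envelope cannot read it back, which is exactly the compile-time limitation described above.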