Puppet: a way to secure certain files

Sergey Arlashin
Nov 19, 2013, 4:03:07 PM11/19/13
to puppet...@googlegroups.com
Hi!

I'm trying to secure some data inside my puppet repository. Some passwords and private ssh keys.
I have discovered a plenty of ways to secure passwords - hiera gpg, puppet-decrypt, extlookup and so on. What about files? Is there a decent way to encrypt files, for example ssh keys?

--
Best regards,
Sergey Arlashin

Rich Burroughs
Nov 20, 2013, 1:06:35 AM11/20/13
to puppet...@googlegroups.com
You can use hiera gpg for ssh keys too.

See this example:

https://groups.google.com/d/msg/puppet-users/jHcuKQXT9cQ/g23Lmf4e6b8J



--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/6A2CB173-BF75-4D1E-B0AB-14C3831769E3%40gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

jcbollinger
Nov 20, 2013, 12:02:37 PM11/20/13
to puppet...@googlegroups.com

On Wednesday, November 20, 2013 12:06:35 AM UTC-6, Rich Burroughs wrote:
You can use hiera gpg for ssh keys too.

See this example:

https://groups.google.com/d/msg/puppet-users/jHcuKQXT9cQ/g23Lmf4e6b8J

But you would be unwise to do that in conjunction with Puppet 3, unless you fall into one of a small number of special cases.  If you add the hiera-gpg back end to your hiera configuration then the encrypted file will be decrypted once for each class parameter that is neither explicitly assigned a value nor resolved in a higher-priority back end.  Decrypting the file is very expensive, and if you do it many times then you will see a very noticeable impact on catalog compilation performance.  There have been reports on this group of such decryption adding several minutes of compilation time for catalogs that otherwise take a few seconds.

That decryption overhead will not affect you if you use few (or no) parameterized classes (watch out for third-party modules!), if you take care to assign values to all class parameters of every declared class (again, beware third party modules here), or if you are using Puppet 2 rather than Puppet 3.

You should consider whether it really makes sense to encrypt at all, vs. simply securing the master against unauthorized users.  If you encrypt then you must record the plaintext decryption key somewhere that the master can read it, and if you hypothesize an assailant that is savvy enough to track down sensitive information in your Puppet configs then you should assume that that assailant can also find the decryption key.  In fact, such an assailant must also break your access controls to reach the sensitive information, meaning that they must have gained root access to your server before encryption is even a factor.  If an assailant gains root then it's already game over.


John
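The following is an added example, not code posted in this thread and not part of hiera-gpg or Puppet itself. It shows the approach Rich suggests (an SSH private key stored as a hiera-gpg value) written so that it also respects John's two caveats: every parameter of the class is assigned explicitly, so the encrypted data file is decrypted once for the one hiera() call rather than once per parameter left to automatic lookup, and the file resource is written so the key does not leak into diffs or the filebucket. The class name, key name, user, paths and GPG recipient are assumptions chosen for illustration.

```puppet
# Added example (not from the original thread). Assumed hiera.yaml on the
# master, with the gpg backend after yaml so only keys missing from the
# plain data reach the expensive backend (paths are assumptions):
#
#   :backends:
#     - yaml
#     - gpg
#   :hierarchy:
#     - common
#   :yaml:
#     :datadir: /etc/puppet/hieradata
#   :gpg:
#     :datadir: /etc/puppet/hieradata
#     :key_dir: /etc/puppet/keys
#
# Assumed encrypted data file /etc/puppet/hieradata/common.gpg, produced by
# encrypting a plain YAML file for the master's GPG key, e.g.:
#
#   gpg --encrypt --recipient puppetmaster -o common.gpg common.yaml
#
# where common.yaml held the key as a multi-line YAML string:
#
#   deploy::ssh_private_key: |
#     -----BEGIN RSA PRIVATE KEY-----
#     ...
#     -----END RSA PRIVATE KEY-----

class deploy (
  # No defaults on the sensitive parameter: the caller must pass it, so
  # Puppet 3's automatic parameter lookup never has to go to hiera (and
  # therefore to gpg) for this class.
  $ssh_private_key,
  $user = 'deploy',
  $home = '/home/deploy',
) {
  file { "${home}/.ssh":
    ensure => directory,
    owner  => $user,
    group  => $user,
    mode   => '0700',
  }

  file { "${home}/.ssh/id_rsa":
    ensure    => file,
    owner     => $user,
    group     => $user,
    mode      => '0600',
    content   => $ssh_private_key,
    show_diff => false,  # keep the key material out of agent reports and logs
    backup    => false,  # no plaintext copy of old keys in the filebucket
    require   => File["${home}/.ssh"],
  }
}

# Resource-like declaration that assigns every parameter explicitly. The
# single hiera() call is the only lookup that can hit the gpg backend, so the
# encrypted file is decrypted once per compile instead of once per parameter
# left to automatic lookup (the overhead John describes above).
class { 'deploy':
  ssh_private_key => hiera('deploy::ssh_private_key'),
  user            => 'deploy',
  home            => '/home/deploy',
}
```

Note that this does nothing to change John's second point: the master still needs the GPG private key in `:key_dir`, readable by the user the master runs as, so anyone with root on the master can decrypt `common.gpg` exactly as Puppet does. Encryption here protects the key at rest in the repository (version control, backups, developer checkouts), not against a compromised master.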

Sergey Arlashin
Nov 21, 2013, 7:03:39 AM11/21/13
to puppet...@googlegroups.com
Thank you!
