Confirmed users
213
edits
ReleaseEngineering/PuppetAgain/Secrets: Difference between revisions
Jump to navigation
Jump to search
ReleaseEngineering/PuppetAgain/Secrets (view source)
Revision as of 09:20, 4 October 2016
, 4 October 2016→Using EYAML: Add subsections to highlight strings vs files
(add prompt info about hiera password encrypting) |
(→Using EYAML: Add subsections to highlight strings vs files) |
||
| Line 30: | Line 30: | ||
Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves. | Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves. | ||
=== Encrypt strings (like passwords) === | |||
As root on any puppetmaster, use: | |||
eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \ | eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \ | ||
| Line 39: | Line 41: | ||
python -c "import yaml; f=open('secrets.eyaml','r'); yaml.load(f)" && echo "pass" || echo "FAIL" | python -c "import yaml; f=open('secrets.eyaml','r'); yaml.load(f)" && echo "pass" || echo "FAIL" | ||
=== Encrypt files (e.g. private keys) === | |||
Pipe the contents of the file to the above command, and replace --password with --stdin, e.g. | |||
cat secret_file | eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \ | cat secret_file | eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \ | ||