Secrets are accessed via hiera, using hiera-eyaml. That means that the secrets files are regular YAML files, but contain ciphertext enclosed by ENC[..] where secrets are protected. The public and private keys used for this encryption are stored on the puppetmasters themselves.
To encrypt a new password, run the following as root on a puppetmaster:
 eyaml encrypt --pkcs7-private-key /etc/hiera/keys/private_key.pem --pkcs7-public-key /etc/hiera/keys/public_key.pem \
   --output examples --password -l 'foo'
where 'foo' is the name of the variable to set. Then copy/paste whichever result format you prefer into `/etc/hiera/secrets.eyaml` or into your own `/etc/hiera/environments/<username>_secrets.eyaml`.
NOTE: This doesn't work right now - see {{bug|918070}}. Instead, use <tt>echo -n 'your password here' | eyaml -e -o block -n 'root_pw_hash!loaner'</tt>
To check the value of a secret, use 'hiera':
hiera -c /etc/puppet/hiera.yaml root_pw_saltedsha512
Once {{bug|918070}} is closed, you can omit the `-c`.
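Because the secrets files are ordinary YAML with ciphertext wrapped in ENC[..], a value pasted in without encryption looks like any other entry. The following is an added example, not part of the original page or the puppet repository: a lint that lists every key whose value is not a single ENC[..] token. The key names and sample data are constructed, and the rule that every leaf in a secrets file must be fully encrypted is an assumption.

```ruby
require 'yaml'

# A value that is exactly one eyaml token, e.g. ENC[PKCS7,MIIBiQYJ...].
# Block-format output wraps the base64 over several lines, so whitespace
# is stripped before matching.
ENC_TOKEN = /\AENC\[\w+,[A-Za-z0-9+\/=]+\]\z/

def encrypted?(value)
  value.is_a?(String) && value.gsub(/\s+/, '').match?(ENC_TOKEN)
end

# Walk the parsed YAML and return the dotted path of every leaf that is not
# a single ENC[...] token (plaintext, or plaintext mixed with ciphertext).
def plaintext_paths(node, path = [])
  case node
  when Hash
    node.flat_map { |key, child| plaintext_paths(child, path + [key.to_s]) }
  when Array
    node.each_with_index.flat_map { |child, i| plaintext_paths(child, path + [i.to_s]) }
  else
    encrypted?(node) ? [] : [path.join('.')]
  end
end

# safe_load refuses arbitrary object tags; an empty file parses to nil/false.
def lint_eyaml(text)
  plaintext_paths(YAML.safe_load(text) || {})
end

# Constructed sample: the base64 is filler, not real ciphertext, and
# example_db_password / ldap.bind_password are hypothetical keys.
SAMPLE = <<~YAML
  "root_pw_hash!loaner": >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAq3Zb9k1Yx0vT5mQ==]
  root_pw_saltedsha512: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAx]
  example_db_password: hunter2
  ldap:
    bind_password: "prefix-ENC[PKCS7,MIIBeQYJKoZIhvcNAQcD]"
YAML

lint_eyaml(SAMPLE).each { |path| puts "not encrypted: #{path}" }
```

To check a real file, pass its contents instead of the sample, for example <tt>lint_eyaml(File.read('/etc/hiera/secrets.eyaml'))</tt>.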
== User Environments ==