On Wednesday, November 20, 2013 12:06:35 AM UTC-6, Rich Burroughs wrote:
>
> You can use hiera gpg for ssh keys too.
>
> See this example:
>
> https://groups.google.com/d/msg/puppet-users/jHcuKQXT9cQ/g23Lmf4e6b8J

But you would be unwise to do that in conjunction with Puppet 3, unless you 
fall into one of a small number of special cases.  If you add the hiera-gpg 
back end to your hiera configuration then the encrypted file will be 
decrypted once for each class parameter that is neither explicitly assigned 
a value nor resolved in a higher-priority back end.  Decrypting the file is 
very expensive, and if you do it many times then you will see a very 
noticeable impact on catalog compilation performance.  There have been 
reports on this group of such decryption adding several minutes of 
compilation time for catalogs that otherwise take a few seconds.

That decryption overhead will not affect you if you use few (or no) 
parameterized classes (watch out for third-party modules!), if you take 
care to assign values to all class parameters of every declared class 
(again, beware third-party modules here), or if you are using Puppet 2 
rather than Puppet 3.

You should consider whether it really makes sense to encrypt at all, vs. 
simply securing the master against unauthorized users.  If you encrypt then 
you must record the plaintext decryption key somewhere that the master can 
read it, and if you hypothesize an assailant that is savvy enough to track 
down sensitive information in your Puppet configs then you should assume 
that that assailant can also find the decryption key.  In fact, such an 
assailant must also break your access controls to reach the sensitive 
information, meaning that they must have gained root access to your server 
before encryption is even a factor.  If an assailant gains root then it's 
already game over.


John

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/59d9ed61-8fb3-4b51-bf1d-5d96feab83d8%40googlegroups.com.
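The lookup behaviour John describes above, as an added example that is not part of the original post and is not Puppet's or hiera-gpg's own code: a Ruby model of Hiera's first-found backend chain and Puppet 3's automatic class parameter lookup, instrumented to count how many times the gpg data file gets decrypted during one catalog compilation. Everything in it is constructed and simplified: the "decrypt" is a base64 unwrap standing in for a gpg invocation, the class list and hiera data are made up, and HieraModel/compile are stand-ins for real Hiera and the Puppet compiler. It also goes one step past the post by showing what happens when gpg is listed before yaml in the backend order.

```ruby
# Added example, not code from the post or from Puppet/hiera-gpg: a small
# model of Hiera's first-found backend chain and Puppet 3's automatic class
# parameter lookup, instrumented to count how many times the gpg data file
# is decrypted while one catalog is compiled.
require 'yaml'

# Constructed data. common.yaml holds one key; the "gpg" file stands in for
# common.gpg and is only base64-wrapped so the backend has something to unwrap.
YAML_DATA = YAML.safe_load(<<~EOS)
  ntp::servers: [0.pool.ntp.org, 1.pool.ntp.org]
EOS

GPG_FILE = [<<~EOS].pack('m0')
  sshkeys::deploy_key: "-----BEGIN RSA PRIVATE KEY----- (constructed) -----END RSA PRIVATE KEY-----"
EOS

class YamlBackend
  def initialize(data)
    @data = data
  end

  def lookup(key)
    @data[key]
  end
end

class GpgBackend
  attr_reader :decryptions

  def initialize(file)
    @file = file
    @decryptions = 0
  end

  # As the post describes, the file is decrypted and re-parsed on every lookup.
  # The unwrap here is cheap; a real `gpg --decrypt` per lookup is what adds
  # minutes to a compile.
  def lookup(key)
    @decryptions += 1
    YAML.safe_load(@file.unpack1('m0'))[key]
  end
end

# Hiera's priority lookup: backends are consulted in configured order and the
# first non-nil answer wins, so a key the yaml backend has never reaches gpg.
class HieraModel
  def initialize(backends)
    @backends = backends
  end

  def lookup(key)
    @backends.each do |backend|
      value = backend.lookup(key)
      return value unless value.nil?
    end
    nil
  end
end

# Declared classes (constructed): :params maps each parameter to its default,
# :args holds values the manifest assigned explicitly (class { 'ntp': servers => [...] }).
def example_classes(explicit: false)
  classes = [
    { name: 'ntp',     params: { 'servers' => [], 'package_ensure' => 'present' } },
    { name: 'sshkeys', params: { 'deploy_key' => nil, 'user' => 'deploy' } },
    { name: 'motd',    params: { 'template' => 'motd/motd.erb', 'banner' => '' } },
  ]
  explicit ? classes.map { |c| c.merge(args: c[:params]) } : classes
end

# Puppet 3 automatic parameter lookup: every parameter of every declared class
# that was not given a value explicitly is looked up as "<class>::<param>".
def compile(hiera, classes)
  classes.each_with_object({}) do |cls, catalog|
    args = cls.fetch(:args, {})
    cls[:params].each do |param, default|
      key = "#{cls[:name]}::#{param}"
      catalog[key] = if args.key?(param)
                       args[param]            # explicit value: no lookup at all
                     else
                       found = hiera.lookup(key)
                       found.nil? ? default : found
                     end
    end
  end
end

# Compile once with the given backend order and data; return the number of
# decryptions the gpg backend performed together with the resolved parameters.
def decryptions_for(classes, yaml_data: YAML_DATA, backends: %w[yaml gpg])
  gpg  = GpgBackend.new(GPG_FILE)
  yaml = YamlBackend.new(yaml_data)
  chain = backends.map { |name| name == 'gpg' ? gpg : yaml }
  catalog = compile(HieraModel.new(chain), classes)
  [gpg.decryptions, catalog]
end

if __FILE__ == $PROGRAM_NAME
  { 'defaults, yaml before gpg'          => [example_classes, {}],
    'every parameter assigned explicitly' => [example_classes(explicit: true), {}],
    'defaults, gpg before yaml'          => [example_classes, { backends: %w[gpg yaml] }] }
    .each do |label, (classes, opts)|
    count, = decryptions_for(classes, **opts)
    puts "#{label}: #{count} decryptions"
  end
end
```

Run it with `ruby` to print the counts for the three scenarios. With three classes and six parameters, only one of which lives in common.yaml, the default configuration decrypts the gpg file five times in a single compile; assigning every parameter explicitly (or giving every key a value in the higher-priority yaml backend) brings that to zero, and putting gpg ahead of yaml makes every single lookup pay for a decryption, hit or miss.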