Ask Your Question

hiera-eyaml problem: Unable to decrypt

asked 2015-06-17 02:37:38 -0600

R gravatar image

updated 2015-06-17 02:50:38 -0600

We have a enterprise puppet install,

$ puppet --version
 3.7.4 (Puppet Enterprise 3.7.2)

I have placed the following in common.eyaml on Puppet Master:

- username: user123
- password:       ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAmt6/WCf1rVOqlNFyd+F6anC+1kMtkyS9mWybD4Dc1ix3KIhEUDBObbjtGngtgLQfValurosERFPNBjDTkYBT+7REqJ97bf1iAvNvzHjGiAD5TacDOnWrc+Ve/sXpmp4qQKvVB5yjoDvHepSgRwBXP80pNVi+sm7iiLdeqXMXHFqNX/XkOwl6730WaesFkPFaoeaIq6j8S40WE5fFaalFR+BRM+pYU5vHhFburHSzKkJLF5hNZN8WPAs6P8dMxNgB5qbYYKuVaRhKY58y7Uce7S0dId8i/4kndKRuBx2FVSh4E3uSA7Zlw/M6DaJaW9JOeOU2uhiz2sCpQvN/WX2RizA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDNCqddsbJTgbuU1XiIYnMVgBCX/RRIILUeoJsbpz+NA2mG]

I encrypted the password using the public key, and the same public key and private key (to decrypt the password) is present on the puppet master.

I have the following class to decrypt the password and write the decrypted password to a file:

class read_eyaml
  file {'/var/tmp/test':
       ensure => file,
       mode => '0755',
       owner => 'root',
       group => 'users',
       content => $password,
include read_eyaml

After running

  puppet agent -t

when I cat the file, I get this

cat /var/tmp/test


Please let me know what am I missing.

Thanks in advance

edit retag flag offensive close merge delete


paste your hiera.yaml where you've configured eyaml.

ramindk gravatar imageramindk ( 2015-06-17 09:15:44 -0600 )edit

But I had pasted the common.eyaml in my question. Thanks a lot.

R gravatar imageR ( 2015-06-17 12:41:09 -0600 )edit

hiera.yaml is *not* the same as common.eyaml. common.eyaml is *your* date. hiera.yaml is the config file to describe how Puppet is supposed to use your yaml/eyaml files. I deleted your comments because it was breaking the page.

ramindk gravatar imageramindk ( 2015-06-17 18:14:34 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2015-06-17 22:06:53 -0600

R gravatar image

updated 2015-06-17 22:11:50 -0600

Thanks a lot ramindk, the issue is fixed. The root cause when we encrypt the password with the public key it gives two encrypted values first one is string: ENC[......] OR BLOCK > ENC[.......]

I was copying the one with > as soon as I copied the first one (string) it started working, Do you happen to know the difference between the two?

Thanks a lot again.

edit flag offensive delete link more


I've never managed to make the BLOCK style work myself. However I usually use eyaml edit path/to/whatever.yaml and add values directly. When you save it's takes the unencrypted value, like so DEC::PKCS7[a new value to encrypt]!

ramindk gravatar imageramindk ( 2015-06-17 22:42:37 -0600 )edit

But wont that (placing a unencrypted value in .yaml file) a security flaw? People will know the password reading the .yaml file? Thanks

R gravatar imageR ( 2015-06-17 22:57:48 -0600 )edit

You should read the documentation for the software you're using.

ramindk gravatar imageramindk ( 2015-06-17 23:16:03 -0600 )edit

Yes I used this doc to set up eyaml here, but didn't go through it fully :-). Thanks a lot for your time, much appreciated.

R gravatar imageR ( 2015-06-17 23:36:06 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2015-06-17 02:37:38 -0600

Seen: 1,138 times

Last updated: Jun 17 '15