Ask Your Question

Securely storing passwords and keys?

asked 2013-02-21 07:04:58 -0500

I'd like to use Puppet to distribute ssh keys for privileged users, and passwords for a number of configuration files that require them (i.e. database credentials, to be put in templated config files). We're currently using Puppet Enterprise 2.5, and open source 2.7 on some test clients. My main requirements are:

  1. this information should be versioned in git
  2. It should be separate from our modules and manifests, so that modules/manifests can be seen by people without access to the secrets (effectively limited to those with root on the puppet master).
  3. Distribution should be secure ...
edit retag flag offensive close merge delete


Good question! I'm really wondering how other people manage this, too!

Maxim gravatar imageMaxim ( 2013-02-22 04:00:37 -0500 )edit

3 answers

Sort by ยป oldest newest most voted

answered 2013-02-26 13:39:13 -0500

Ancillas gravatar image

updated 2013-02-26 13:48:13 -0500

You should be using Hiera with hiera-gpg.

Puppet 3.0 automatically searches hiera backends for class parameters, and will be the way of the future.

In Puppet Enterprise, since the daemons run as pe-puppet, the access rights for the public and private keys need to allow for pe-puppet to access them.

Here's the info on the Data Bindings in Puppet 3.0

Here's the defacto hiera-gpg guide.

edit flag offensive delete link more


I'd post links, but my karma isn't high enough yet.

Ancillas gravatar imageAncillas ( 2013-02-26 13:39:31 -0500 )edit

Actually we'd strongly prefer *not* to use Hiera, as we have a homegrown ENC that fits our needs. Honestly I wish there was a way to turn off the ...(more)

jantman gravatar imagejantman ( 2013-10-09 06:22:17 -0500 )edit

answered 2013-02-25 19:39:35 -0500

eric0 gravatar image

One pattern I've used successfully is to add a separate fileserver.conf mount for the sensitive data:

## fileserver.conf

Then use the puppetmaster fileserver to download these files:

## (more) secure file resource
class apache::htpasswd {
  file { '/etc/httpd/conf.d/htpasswd':
    ensure => present,
    source => 'puppet:///data/apache/htpasswd',
    owner  => 'apache',
    mode   => 0600

For sanity's sake, the structure of the directories in the /data area should reflect your module naming scheme. The default (in Puppet 3.1.0) auth.conf file should work for this scheme but doesn't provide additional protection beyond requiring ... (more)

edit flag offensive delete link more


I used to use a very similar pattern, but I was never able to get my sensitive data into a VCS.

Ancillas gravatar imageAncillas ( 2013-02-26 13:49:19 -0500 )edit

answered 2013-10-07 14:41:22 -0500

Stefan gravatar image

There also is another interesting hiera plugin called hiera-eyaml. With this one you are not encrypting whole yaml files but just the values, e.g. you can easily see which keys are defined in your eyaml files without beeing able to decrypt the values. Only the puppetmaster is able to decrypt the values with its private key and everyone with the corresponding public key can put new new encrypted values in the eyaml file.

edit flag offensive delete link more


I've been looking at that. Much better approach, in my opinion.

Ancillas gravatar imageAncillas ( 2013-10-07 14:58:41 -0500 )edit

It's working great for us as well.

salientdigital gravatar imagesalientdigital ( 2014-09-17 17:49:30 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2013-02-21 07:04:58 -0500

Seen: 6,769 times

Last updated: Oct 07 '13