Using eyaml to secure Puppet & Hiera data.
These days, we generally accept that we should all be using code repositories to store and manage our code, but there have been several cases recently where passwords or other sensitive data have been exposed: through security issues with the repository hosting, through repositories being accidentally switched from private to public, or even through pieces of code being shown in presentations.
If you're using Puppet or other orchestration tools to manage configuration, then you should use a repository to maintain your code (and if not, why not?). This does mean there's the risk of exposing passwords to people who shouldn't see them. So how can we protect this sensitive information?
There are a couple of solutions available. You could use GPG to encrypt the entire YAML files used to hold the hiera data. Alternatively, I'd suggest you look at using eyaml, and especially hiera-eyaml, a solution created by Tom Poulton.
With hiera-eyaml installed, instead of a YAML file that might look like:
---
classes:
  - base::os
  - apache

base::os::root_pw: 'please hack me'
you'd see something like:
---
classes:
  - base::os
  - apache

base::os::root_pw: >
    ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAQ/bbM1cC2sxR68NgzC4b9vFksjAvy3uOPBr2
    hkHBUYBBJP3ySaX//DDSV/EwzJyp+jBDN+M4+QbFhhSUKgyp3Zc1LnvxYvyG
    Lsi+l+az9YKnu71thg2JeZOGt8LKxA+JrqRV0eKoAvn/K9fidVFm8kdZviX3
    UziYfTD8OElCLlZBAV4J4V9kRzR+ldVwYeRkzGylA3YbuRkZB58pG+E/fIOs
    fBAEKZpBG0piTCOYChCMXi1YNmiYd/krcXvXJ0SVhXEr4figbyKeBvBSYd0s
    9uroZOpogAzNw3gKV3Z0oXZ9Rjmf0aVNYB7bh2s6xJFZrofO64F3qipuo9FG
    LnxKvzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDYte7iyh5jzCP2UvVb
    LHtlgCCJvp24Qbe0VS8VSBmOyFy9brBB0bm/CuKzVirow1nrsQ==]
Here, the value has been encrypted with eyaml before being pasted into the YAML file. When Puppet runs, the hiera-eyaml backend decrypts it with the private key and passes the plaintext value to the Puppet module, so only the encrypted form ever lands in the repository.
Installing and configuring Eyaml
The simplest way to install eyaml is to run sudo gem install hiera-eyaml. I use CentOS, and currently that installs the binaries to /usr/local/bin.
With eyaml installed, we can generate a key pair to use for encrypting and decrypting data with the command sudo eyaml createkeys; the output from the command will identify where the keys are stored. We should ensure that the generated files have appropriate permissions: this generally means that they are owned (or at least readable) by the puppet user, and that the private key is not readable by anyone else.
Finally, we should configure eyaml so that it knows the location of the generated keys. eyaml has a global configuration file at /etc/eyaml/config.yaml; an example is shown below:
---
pkcs7_private_key: '/etc/puppet/secure/keys/private_key.pkcs7.pem'
pkcs7_public_key: '/etc/puppet/secure/keys/public_key.pkcs7.pem'
Of course, you need to ensure the paths match those reported by the eyaml createkeys command.
Configuring Puppet to use Eyaml
With eyaml installed and configured, we need to tell Puppet how to use the new utility. The configuration file that controls how Puppet uses hiera data is typically found at /etc/puppet/hiera.yaml. This file should be similar to:
---
:backends:
  - eyaml
  - yaml
:hierarchy:
  - defaults
  - "%{::clientcert}"
  - "%{::environment}"
  - global

:yaml:
  :datadir: /var/lib/hiera

:eyaml:
  :datadir: /var/lib/hiera
  :extension: 'yaml'
  :pkcs7_private_key: '/etc/puppet/eyaml-keys/private.pkcs7.pem'
  :pkcs7_public_key: '/etc/puppet/eyaml-keys/public.pkcs7.pem'
The eyaml entry in :backends and the :eyaml section are the eyaml-specific configuration. As with config.yaml, the key paths here must point at the keys generated by eyaml createkeys.
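The two steps above (key files with sane ownership and permissions, and both configuration files pointing at the same keys) are easy to get wrong when the paths are typed by hand. The following is an added example, not part of hiera-eyaml or of the original post: a small Ruby audit that reads /etc/eyaml/config.yaml and hiera.yaml, reports any key path that differs between them or does not exist, flags a private key readable by group or other, and flags key files not owned by the expected (puppet) user. The demo layout it builds in a temporary directory, with placeholder key files rather than real keys, is constructed for the example.

```ruby
require 'yaml'
require 'etc'
require 'fileutils'
require 'tmpdir'

# Added example (not hiera-eyaml's own code): cross-checks the two config files
# described in the post and the key files they reference.

def key_paths_from_eyaml_config(path)
  cfg = YAML.safe_load(File.read(path)) || {}
  { private: cfg['pkcs7_private_key'], public: cfg['pkcs7_public_key'] }
end

def key_paths_from_hiera_config(path)
  # hiera.yaml uses Ruby symbol keys (:eyaml:), so Symbol must be permitted.
  cfg = YAML.safe_load(File.read(path), permitted_classes: [Symbol]) || {}
  eyaml = cfg[:eyaml] || {}
  { private: eyaml[:pkcs7_private_key], public: eyaml[:pkcs7_public_key] }
end

# Returns a list of findings (empty when the file looks right).
def check_key_file(path, kind, expected_owner)
  return ["#{kind} key #{path} does not exist"] unless File.file?(path)
  st = File.stat(path)
  owner = begin
    Etc.getpwuid(st.uid).name
  rescue ArgumentError
    st.uid.to_s # uid with no passwd entry
  end
  findings = []
  findings << "#{kind} key #{path} is owned by #{owner}, expected #{expected_owner}" if owner != expected_owner
  mode = st.mode & 0o777
  if kind == :private && (mode & 0o077) != 0
    findings << format('private key %s has mode %04o; group and other must have no access', path, mode)
  end
  findings
end

def audit_eyaml_keys(eyaml_config:, hiera_config:, owner:)
  from_eyaml = key_paths_from_eyaml_config(eyaml_config)
  from_hiera = key_paths_from_hiera_config(hiera_config)
  findings = []
  %i[private public].each do |kind|
    if from_eyaml[kind] != from_hiera[kind]
      findings << "#{kind} key path differs: #{eyaml_config} has #{from_eyaml[kind].inspect}, " \
                  "#{hiera_config} has #{from_hiera[kind].inspect}"
    end
    findings.concat(check_key_file(from_eyaml[kind], kind, owner)) if from_eyaml[kind]
  end
  findings
end

def write_eyaml_config(path, priv, pub)
  File.write(path, YAML.dump('pkcs7_private_key' => priv, 'pkcs7_public_key' => pub))
end

def write_hiera_config(path, priv, pub)
  # Same layout as the post's hiera.yaml, with symbol keys.
  File.write(path, YAML.dump(
    backends: %w[eyaml yaml],
    hierarchy: ['defaults', '%{::clientcert}', '%{::environment}', 'global'],
    yaml: { datadir: '/var/lib/hiera' },
    eyaml: { datadir: '/var/lib/hiera', extension: 'yaml',
             pkcs7_private_key: priv, pkcs7_public_key: pub }
  ))
end

# Constructed layout mirroring the post: placeholder key files (not real keys),
# private key mode 0600, public key 0644, and both config files pointing at them.
def build_demo_layout(dir)
  keys = File.join(dir, 'keys')
  FileUtils.mkdir_p(keys)
  priv = File.join(keys, 'private_key.pkcs7.pem')
  pub  = File.join(keys, 'public_key.pkcs7.pem')
  File.write(priv, "PLACEHOLDER PRIVATE KEY\n")
  File.write(pub,  "PLACEHOLDER PUBLIC KEY\n")
  File.chmod(0o600, priv)
  File.chmod(0o644, pub)
  eyaml_config = File.join(dir, 'config.yaml')
  hiera_config = File.join(dir, 'hiera.yaml')
  write_eyaml_config(eyaml_config, priv, pub)
  write_hiera_config(hiera_config, priv, pub)
  { private: priv, public: pub, eyaml_config: eyaml_config, hiera_config: hiera_config }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    layout = build_demo_layout(dir)
    me = Etc.getpwuid(Process.uid).name
    args = { eyaml_config: layout[:eyaml_config], hiera_config: layout[:hiera_config], owner: me }
    puts "clean layout: #{audit_eyaml_keys(**args).inspect}"
    File.chmod(0o644, layout[:private]) # simulate a private key left world-readable
    puts audit_eyaml_keys(**args)
  end
end
```

On a real master you would call audit_eyaml_keys with eyaml_config: '/etc/eyaml/config.yaml', hiera_config: '/etc/puppet/hiera.yaml' and owner: 'puppet'; an empty result means the two files agree and the private key is locked down.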
Generating encrypted values for hiera.
To encrypt a value to place in the hiera files, use the command eyaml encrypt -s 'some value'. This will generate two versions of the encrypted string, one to use as a single line and one to be placed as a text block:
# eyaml encrypt -s 'some value'
[hiera-eyaml-core] Loaded config from /etc/eyaml/config.yaml
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEABXKTpSM38fm1aNlww6cfQ5VlBvMQWBLt0nNO/qoscrpMZ/z6EfPhaH2zOsZiCXNGsg8LFqJVYjfBVhy5Z/jE6q79dU9s4Z84YZioQZkqH4s4TFYLSDuN79HY8bV0cuv7eeajkE66GDzOzyugyCHYhX14WriksCHzf3mCU/cs4c4tqJErddGL7dnRHtz5Air+Fpxb9VubFsZ+ghdcynTA4AygYNP2xJvGsU1qr7s8cDwPeLykjZcbOdhASkbVuwsIuFmHKLok+mdm5yIAj66JTG3ilTY5LA3v4TR1HSA92bqii5TOFNC9d74sBCCryJaseeG6kZBwXQtrDrxpwnwyazA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCaaWOzZRGf/CD8WieF/wxogBA2fVtepXxuRigGxu3BYHEe]

OR

block: >
    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEABXKTpSM38fm1aNlww6cfQ5VlBvMQWBLt0nNO
    /qoscrpMZ/z6EfPhaH2zOsZiCXNGsg8LFqJVYjfBVhy5Z/jE6q79dU9s4Z84
    YZioQZkqH4s4TFYLSDuN79HY8bV0cuv7eeajkE66GDzOzyugyCHYhX14Wrik
    sCHzf3mCU/cs4c4tqJErddGL7dnRHtz5Air+Fpxb9VubFsZ+ghdcynTA4Ayg
    YNP2xJvGsU1qr7s8cDwPeLykjZcbOdhASkbVuwsIuFmHKLok+mdm5yIAj66J
    TG3ilTY5LA3v4TR1HSA92bqii5TOFNC9d74sBCCryJaseeG6kZBwXQtrDrxp
    wnwyazA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCaaWOzZRGf/CD8WieF
    /wxogBA2fVtepXxuRigGxu3BYHEe]
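To show what the ENC[PKCS7,...] value described earlier actually contains, and why the single-line and block forms above are interchangeable, here is an added Ruby example. It is not the hiera-eyaml gem's code and not part of the original post; it reproduces the scheme with Ruby's OpenSSL bindings under these assumptions: the recipient is an RSA key pair with a self-signed certificate (what createkeys produces), the payload is PKCS#7 enveloped data in DER form, base64-encoded, and the block form wraps the base64 at 60 columns with a 4-space indent as in the output above. The function names, the CN and the AES-256-CBC choice are mine.

```ruby
require 'openssl'

# Added illustration of the PKCS#7 step behind ENC[PKCS7,...]; not the gem's code.
ENC_VALUE = /\AENC\[PKCS7,([A-Za-z0-9+\/=\s]+)\]\z/

# Equivalent of `eyaml createkeys`: a private key plus a self-signed cert that
# carries the public key (the cert is what PKCS#7 addresses as the recipient).
def generate_keypair(bits = 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=eyaml-example') # assumed name
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 10 * 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Equivalent of `eyaml encrypt -s`: only the public cert is needed, so anyone
# holding the public key can add secrets to the data files without being able
# to read the existing ones.
def encrypt_value(plaintext, cert)
  cipher = OpenSSL::Cipher.new('aes-256-cbc') # fresh random session key per value
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{[p7.to_der].pack('m0')}]"
end

# What the backend does at Puppet run time with the private key; accepts both
# the single-line form and the whitespace-broken block form.
def decrypt_value(enc, key, cert)
  m = ENC_VALUE.match(enc) or raise ArgumentError, 'not an ENC[PKCS7,...] value'
  der = m[1].gsub(/\s+/, '').unpack1('m')
  OpenSSL::PKCS7.new(der).decrypt(key, cert)
end

# The `block:` form: base64 split into 60-column lines, continuation lines
# indented so the whole thing nests under a `key: >` folded scalar.
def block_form(enc, indent = 4)
  m = ENC_VALUE.match(enc) or raise ArgumentError, 'not an ENC[PKCS7,...] value'
  "ENC[PKCS7,#{m[1].scan(/.{1,60}/).join("\n" + ' ' * indent)}]"
end

if __FILE__ == $PROGRAM_NAME
  key, cert = generate_keypair
  enc = encrypt_value('please hack me', cert) # the post's sample root_pw
  puts "string: #{enc}"
  puts "block: >\n    #{block_form(enc)}"
  puts "decrypted: #{decrypt_value(block_form(enc), key, cert)}"
end
```

Two properties worth noticing when you run it: encrypting the same value twice gives different ciphertext (a new session key each time, so identical passwords in different files are not linkable by eye), and the block form decrypts to the same plaintext as the single-line form because whitespace is stripped before the base64 is decoded, which is what lets the `>` folded scalar in the data file work.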