Encrypt Your sensitive data with Puppet Enterprise


For every Puppet Enterprise customer it is a security requirement not to include sensitive data in Puppet manifest files or in the Hiera YAML files that hold the parameters for your Puppet classes. This matters even more if you manage your Puppet code and YAML files with a version control system (e.g. git, svn) and deploy them with Puppet Enterprise Code Manager. Nobody who merely has read access to your Puppet code, your YAML files or your Puppet Enterprise console should be able to read sensitive information such as passwords or SSH keys in clear text.

A good start is the eyaml Hiera extension https://github.com/TomPoulton/hiera-eyaml, which provides per-value encryption of sensitive data in the YAML files used by Puppet. You can install and configure it in your Puppet Enterprise environment with the approved Puppet module https://forge.puppetlabs.com/hunner/hiera. A complete description of how to install and use eyaml with Hiera via this module is available here: https://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml.

But one security requirement is still not covered. If you use eyaml with Hiera, the Puppet master decrypts the parameter and puts it into the Puppet catalog in plain text. So in the reports sent back from the Puppet agent to the master after a run, you will see the sensitive information in plain text. If something changes, for example inside a file, the change shows up as a diff in the report. Sure, you can suppress diff reporting by setting show_diff => false on the sensitive resource, but you must not forget to specify it, otherwise the diff ends up in your reports.

Thankfully there is now a module that encrypts the sensitive data for each node specifically, using the node's own certificate. This means not only that you have no plain-text secrets, but also that each node can decrypt only its own secrets. The module is available on our Puppet Labs Forge: https://forge.puppetlabs.com/binford2k/node_encrypt. In combination with eyaml this is the perfect solution to encrypt the sensitive data both in your YAML files and in your Puppet catalog.

Let me describe the benefit of this solution with a simple example.

I created a module (encrypt) that creates four different files:

  1. A file whose content parameter comes from Hiera as a plain-text value, written with the default Puppet file resource (/tmp/plain_with_file).
  2. A file whose content parameter comes from eyaml Hiera as an encrypted value, written with the default Puppet file resource (/tmp/eyaml_with_file).
  3. A file whose content parameter comes from Hiera as a plain-text value, written with the node_encrypt::file defined resource (/tmp/plain_with_nodeencrypt_file).
  4. A file whose content parameter comes from eyaml Hiera as an encrypted value, written with the node_encrypt::file defined resource (/tmp/eyaml_with_nodeencrypt_file).

The init.pp manifest file of the encrypt module looks like this:

# Example class: the same secret is written to four files, each delivered
# through a different combination of Hiera/eyaml lookup and file resource.
class encrypt (
  $content_plain_with_file             = 'input with plain text from hiera',
  $content_eyaml_with_file             = 'encrypted input from eyaml hiera',
  $content_plain_with_nodeencrypt_file = 'input with plain text from hiera',
  $content_eyaml_with_nodeencrypt_file = 'encrypted input from eyaml hiera',
) {
  # 1. plain-text Hiera value, default file resource
  file { '/tmp/plain_with_file':
    owner   => 'root',
    group   => 'root',
    content => $content_plain_with_file,
  }
  # 2. eyaml-encrypted Hiera value, default file resource
  file { '/tmp/eyaml_with_file':
    owner   => 'root',
    group   => 'root',
    content => $content_eyaml_with_file,
  }
  # 3. plain-text Hiera value, node_encrypt::file (content encrypted in the catalog)
  node_encrypt::file { '/tmp/plain_with_nodeencrypt_file':
    owner   => 'root',
    group   => 'root',
    content => $content_plain_with_nodeencrypt_file,
  }
  # 4. eyaml-encrypted Hiera value, node_encrypt::file (encrypted in YAML and catalog)
  node_encrypt::file { '/tmp/eyaml_with_nodeencrypt_file':
    owner   => 'root',
    group   => 'root',
    content => $content_eyaml_with_nodeencrypt_file,
  }
}

I installed and configured eyaml with the hunner-hiera module from the Puppet Labs Forge (https://forge.puppetlabs.com/hunner/hiera), setting its eyaml_extension parameter to yaml so that eyaml works with .yaml files. I then used the eyaml command to encrypt the example string "super secret content".

In the YAML file for my test node I specified the parameters content_plain_with_file, content_plain_with_nodeencrypt_file, content_eyaml_with_file and content_eyaml_with_nodeencrypt_file for my module encrypt:

encrypt::content_plain_with_file: "super secret content"
encrypt::content_plain_with_nodeencrypt_file: "super secret content"
encrypt::content_eyaml_with_file: >
    ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAnHc7R14Su04BHXB82L07sX5PhLBh2YnSXVYU
    5bdeszNK0hcOv840uc9iwF1IlLUIp9X9dm8RvBUeui21//TVpR+rutWNQ6KD
    3R31r7n4c9hC+z78MAAq7ZMWE68YYDnc9DgvWfN41rS46wh7iULMcHM+HUce
    0lM+Z/nPbiSEHcTCpklKllfT5/QzOFqNTi8n9F1aweJHdQUByVwDWQIPp0uU
    pioxVVtQITH03Z2AlEmAI2ytt69Mg/ndF4viOWQkNSoDwKdQcn+hyYv9Y7sY
    uStqSH8EtspbGbd+wEYwKLXWyx7f4Ai75u50ofgMATyr3pR+tyCSGEDHKDng
    YyDRZzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD1ZdEUboxcNJyPNp3G
    X85cgCB8UPP7kX2eBUrLRtarf20wXqPyxzEYKEtLE4oBtrxVGg==]
encrypt::content_eyaml_with_nodeencrypt_file: >
    ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAnHc7R14Su04BHXB82L07sX5PhLBh2YnSXVYU
    5bdeszNK0hcOv840uc9iwF1IlLUIp9X9dm8RvBUeui21//TVpR+rutWNQ6KD
    3R31r7n4c9hC+z78MAAq7ZMWE68YYDnc9DgvWfN41rS46wh7iULMcHM+HUce
    0lM+Z/nPbiSEHcTCpklKllfT5/QzOFqNTi8n9F1aweJHdQUByVwDWQIPp0uU
    pioxVVtQITH03Z2AlEmAI2ytt69Mg/ndF4viOWQkNSoDwKdQcn+hyYv9Y7sY
    uStqSH8EtspbGbd+wEYwKLXWyx7f4Ai75u50ofgMATyr3pR+tyCSGEDHKDng
    YyDRZzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD1ZdEUboxcNJyPNp3G
    X85cgCB8UPP7kX2eBUrLRtarf20wXqPyxzEYKEtLE4oBtrxVGg==]
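The YAML file above is where a plain-text secret most easily slips through: one forgotten eyaml step and the value sits in version control in the clear. The following checker is an added example written for this post; it is not code from the original article nor from the hiera-eyaml or node_encrypt projects. It scans a flat Hiera file of the layout shown above (one-line values and folded `>` scalars), treats any key whose name suggests a secret as sensitive (the list of name fragments is an assumption for the example), and reports every such key whose value is not a well-formed ENC[PKCS7,...] blob. The sample file and its base64 blob are constructed, not real eyaml output.

```python
"""Added example (not part of the original post, hiera-eyaml or node_encrypt):
scan a flat hiera YAML file for sensitive parameters that are still stored
in plain text instead of as eyaml ENC[PKCS7,...] values.

Only the layout used in the post is understood: ``key: value`` lines and
``key: >`` followed by indented continuation lines.  This is deliberately
not a general YAML parser.  The sample file at the bottom is constructed."""
import base64
import binascii
import re

# Key name fragments whose values must be encrypted.  This list is an
# assumption for the example; adjust it to the parameter names used locally.
SENSITIVE_KEY_RE = re.compile(r"(content|password|passwd|secret|token|_key)", re.I)

# One top-level ``key: value`` line; the key itself may contain '::'.
LINE_RE = re.compile(r"^(?P<key>\S+):\s*(?P<val>.*)$")

# An eyaml value: ENC[PKCS7,<base64>].  YAML folding joins the wrapped
# base64 lines with spaces, so whitespace inside the blob is tolerated here.
ENC_RE = re.compile(r"^ENC\[PKCS7,(?P<blob>[^\]]+)\]$")


def parse_flat_hiera(text):
    """Return {key: value} for a flat hiera file (see module docstring)."""
    data = {}
    folded_key, folded = None, []
    for raw in text.splitlines():
        if folded_key is not None and raw[:1].isspace() and raw.strip():
            folded.append(raw.strip())        # continuation of a '>' scalar
            continue
        if folded_key is not None:            # folded scalar has ended
            data[folded_key] = " ".join(folded)
            folded_key, folded = None, []
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, val = m.group("key"), m.group("val").strip()
        if val == ">":
            folded_key = key                  # value follows on the next lines
        else:
            data[key] = val.strip("'\"")
    if folded_key is not None:
        data[folded_key] = " ".join(folded)
    return data


def classify_value(value):
    """Return 'encrypted', 'malformed' or 'plaintext' for one hiera value."""
    m = ENC_RE.match(value.strip())
    if not m:
        return "plaintext"
    blob = re.sub(r"\s+", "", m.group("blob"))
    try:
        base64.b64decode(blob, validate=True)  # syntactic check only
    except (binascii.Error, ValueError):
        return "malformed"
    return "encrypted"


def find_plaintext_secrets(text):
    """Return a sorted list of (key, status) for every sensitive key whose
    value is not a well-formed ENC[PKCS7,...] blob.  Empty list = pass."""
    findings = []
    for key, value in parse_flat_hiera(text).items():
        if not SENSITIVE_KEY_RE.search(key):
            continue
        status = classify_value(value)
        if status != "encrypted":
            findings.append((key, status))
    return sorted(findings)


# Constructed sample mirroring the post's file; the blob is a placeholder
# base64 string, not real PKCS7 output.
_FAKE_BLOB = base64.b64encode(b"constructed-ciphertext-placeholder" * 3).decode()
SAMPLE_HIERA = f"""\
encrypt::content_plain_with_file: "super secret content"
encrypt::content_plain_with_nodeencrypt_file: "super secret content"
encrypt::content_eyaml_with_file: >
    ENC[PKCS7,{_FAKE_BLOB[:40]}
    {_FAKE_BLOB[40:]}]
encrypt::content_eyaml_with_nodeencrypt_file: >
    ENC[PKCS7,{_FAKE_BLOB}]
encrypt::content_broken: >
    ENC[PKCS7,not*valid*base64]
encrypt::ntp_server: ntp.example.com
"""

if __name__ == "__main__":
    for key, status in find_plaintext_secrets(SAMPLE_HIERA):
        print(f"{status:10s} {key}")
```

Run against the constructed sample it flags the two plain-text keys and the broken blob, and passes the two eyaml values and the non-sensitive ntp_server key. A check like this belongs in a pre-commit hook or the CI job that feeds Code Manager, so the master never receives a YAML file with a clear-text secret in the first place.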

I used the Puppet Enterprise Node Classifier to classify my test node with the encrypt class, by creating a new Encrypt group that is classified with the class encrypt. To trigger a configuration drift for the four files of the class encrypt, I first set the content of all four files to a placeholder ('To override'), so that the diff shows up in the agent output and in the reports of the agent run. I logged in to the test client (centos6a) and triggered a Puppet agent run (puppet agent -t) to check the output for each file change during the run:

[Screenshot: agent run output for the encrypt files]

After the run I also checked the report for this node in the Puppet Enterprise Console. Here is the output for the files /tmp/eyaml_with_file and /tmp/plain_with_file in that report:

[Screenshot: PE report, file resources]

And here is the output in the same report for the files /tmp/eyaml_with_nodeencrypt_file and /tmp/plain_with_nodeencrypt_file:

[Screenshot: PE report, node_encrypt::file resources]

I also checked the log section of the report for additional messages:

[Screenshot: PE report log]

As you can see, the output of the file resource is always in plain text, even if you use eyaml to encrypt the class parameter. The node_encrypt::file defined resource, on the other hand, always reports <<encrypted>>, and you cannot see the sensitive content of the files in the Puppet Enterprise Console report. So the combination of eyaml Hiera and the node_encrypt::file resource is the perfect solution to fulfil your security requirements.

The content of all four files on the node is the plain text 'super secret content'. If you want the content of the file itself to be encrypted as well (for example because the service or command that uses the file supports encrypted passwords), you can use eyaml to encrypt your already encrypted data and use the node_encrypt::file resource to protect it inside the catalog too. Then you are doubly encrypted and highly secure.

Please note that this was only an example of using the file resource with the new node_encrypt module. It can also be used with exec commands and via the node_encrypt() function in your Puppet code.

Thanks a lot to Ben Ford, Tom Poulton and Hunter Haugen, and everyone I forgot, for providing all the components that make this perfect solution possible.
