
I'm storing some sensitive data using eyaml. I have the encryption part working and integrated into my Hiera setup but I'm not sure how to unencrypt from within a puppet file.

When I run the following code in puppet:

$message = hiera('test_bitbucket_repo','unknown')
notify {"Message is $message":}

I get back ENC[PKCS7,...encrypted data...], where encrypted data is a random jumble.

I've set my keys in my hiera.yaml file:

:backends:
  - eyaml
  - yaml
:hierarchy:
  - "nodes/%{::trusted.certname}"
  - common
  - keys

:yaml:
  :datadir: '/etc/puppetlabs/code/hieradata'
:eyaml:
  :datadir: '/etc/puppetlabs/code/hieradata'
  # uncomment below, if you want to use yaml extension for eyaml
  :extension: 'yaml'
  :pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
  :pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem
Philip Kirkbride
  • This suggests the `yaml` backend is returning the result, and `eyaml` isn't functioning. Reverting to the default `.eyaml` extension may confirm. Try installing hiera-eyaml in the Puppet agent environment (e.g. `/opt/puppetlabs/puppet/bin/gem install hiera-eyaml`) and add `puppet lookup --explain test_bitbucket_repo` output to your question. – Dominic Cleal May 03 '17 at 14:13
  • @DominicCleal ah, thanks. All makes sense now; I had named the file with the .yaml extension instead of .eyaml. I will delete the question a bit later. – Philip Kirkbride May 03 '17 at 14:21
  • Well, it should still work with a `.yaml` extension as the order of the backends is to prefer eyaml. I think renaming the file (and removing `:extension`) would probably make the `hiera()` lookup return the default if the eyaml backend's not functional, rather than returning the encrypted value via the yaml backend. (In short, there may still be an issue.) – Dominic Cleal May 03 '17 at 14:23
  • @DominicCleal when I use eyaml extension I get the unknown value – Philip Kirkbride May 03 '17 at 14:39
  • Yes, that's what I'd expect. Use the explain command and perhaps debug logs on the Puppet Server to try and find why the eyaml backend isn't functioning. – Dominic Cleal May 03 '17 at 14:41

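The failure mode discussed above is worth catching automatically: when the eyaml backend is not loaded, the plain yaml backend happily serves the `ENC[PKCS7,...]` ciphertext as a string, and a catalog can end up shipping the blob (or the lookup default) instead of the secret. The following Ruby script is an added example, not code from the question or from hiera-eyaml. It parses a Hiera 3 style hiera.yaml with symbol keys like the one in the question, flags the configuration traps mentioned in the comments (yaml listed ahead of eyaml; both backends sharing the `yaml` extension; missing key paths), checks the private key's file permissions, and scans a lookup result for values that are still ciphertext. The hiera.yaml text and the lookup result are constructed samples; the "first listed backend wins" rule and the `ENC[PKCS7,...]` marker format come from the question and comments, and GPG-encrypted values are not handled.

```ruby
require 'yaml'

# Marker hiera-eyaml leaves in data files for PKCS7 ciphertext (format taken from the question).
# Base64 may be wrapped over several lines in block style, hence the whitespace in the class.
ENC_PATTERN = /\AENC\[PKCS7,[A-Za-z0-9+\/=\s]+\]\z/

# Constructed copy of the hiera.yaml from the question, used as sample input.
SAMPLE_HIERA_YAML = <<~YAML
  :backends:
    - eyaml
    - yaml
  :hierarchy:
    - "nodes/%{::trusted.certname}"
    - common
    - keys
  :yaml:
    :datadir: '/etc/puppetlabs/code/hieradata'
  :eyaml:
    :datadir: '/etc/puppetlabs/code/hieradata'
    :extension: 'yaml'
    :pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
    :pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/keys/public_key.pkcs7.pem
YAML

# Walk a lookup result (string, array or hash) and return the paths of every
# value that is still an ENC[PKCS7,...] blob, i.e. was never decrypted.
def undecrypted_values(value, path = 'value')
  case value
  when Hash   then value.flat_map { |k, v| undecrypted_values(v, "#{path}.#{k}") }
  when Array  then value.each_with_index.flat_map { |v, i| undecrypted_values(v, "#{path}[#{i}]") }
  when String then value.match?(ENC_PATTERN) ? [path] : []
  else []
  end
end

# Return a list of human-readable problems found in a Hiera 3 hiera.yaml.
# Symbol keys (:backends, :eyaml, ...) are how Hiera 3 configs are written, so
# Symbol must be an explicitly permitted class for safe_load.
def hiera_config_problems(hiera_yaml_text)
  cfg = YAML.safe_load(hiera_yaml_text, permitted_classes: [Symbol])
  backends = Array(cfg[:backends])
  eyaml = cfg[:eyaml] || {}
  problems = []

  problems << 'eyaml backend is not enabled in :backends' unless backends.include?('eyaml')

  # Hiera asks backends in the listed order; if yaml comes first it answers with the ciphertext.
  if backends.include?('eyaml') && backends.include?('yaml') &&
     backends.index('eyaml') > backends.index('yaml')
    problems << 'yaml backend is listed before eyaml, so plain yaml wins and returns ciphertext'
  end

  # Same extension for both backends: if eyaml fails to load (gem missing on the server),
  # the yaml backend silently serves ENC[...] strings instead of the lookup failing.
  if eyaml[:extension].to_s == 'yaml' && backends.include?('yaml')
    problems << "eyaml :extension is 'yaml': the yaml backend can serve the same files and leak ENC[...] values"
  end

  %i[pkcs7_private_key pkcs7_public_key].each do |key|
    problems << "#{key} is not set under :eyaml" unless eyaml[key]
  end
  problems
end

# The private key is what decrypts every secret in hieradata; it should exist and
# be readable by the Puppet Server user only (no group/other bits).
def key_file_problems(path)
  return ["private key missing: #{path}"] unless File.file?(path)
  mode = File.stat(path).mode & 0o777
  return [] if (mode & 0o077).zero?
  [format('private key %s is mode %04o; group/other access should be removed', path, mode)]
end

if $PROGRAM_NAME == __FILE__
  puts 'hiera.yaml problems:'
  hiera_config_problems(SAMPLE_HIERA_YAML).each { |p| puts "  - #{p}" }

  # Constructed lookup result: what the question's hiera() call returned.
  result = { 'test_bitbucket_repo' => 'ENC[PKCS7,Y29uc3RydWN0ZWQ=]', 'plain_key' => 'hello' }
  puts "undecrypted values: #{undecrypted_values(result).inspect}"

  key_file_problems('/etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem').each { |p| puts p }
end
```

Running the script on the question's configuration reports only the shared-extension warning, which matches the diagnosis in the comments: the backend order was fine, but with `:extension: 'yaml'` nothing stopped the yaml backend from answering once eyaml failed to load. `undecrypted_values` is the check to run on any lookup that feeds a template or file resource, since a catalog that contains the literal `ENC[PKCS7,` marker is a misconfiguration every time.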