document new location of public key

admin-guide/puppet/hiera.md

@@ -53,7 +53,7 @@ ntp_client::servers:
   - pstime2.psi.ch
   - pstime3.psi.ch
 
-secret_key: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAY/9V1S0VAMrRX1B4V06AgsbHPHdONFCQ4RiWfTrhV02rL5gSL4LAdqOuvGPY8YZZv8Mp06/FARlvP1aOfEx7avqSBy11IoUGkeajKZFzJV3OJsfhso4wroQ4JmfBaVKICnQZwCdpke+PHPRkwTgHcjmY2FeBnhvOlrGiQMQU3JzCjLePOa7UvlIIin3xOU/TdetzhfvoNGRhsz7+XRPD+mTT8efJ+OslJmqU7hEqMbs9CmhPJWqsjsQUp8jsM10Dk2Rv4v+zYeJd1ZLRGK3Z56G4NrlLyYua+/yyPbUP4+1bEuisDg9bfQHp3R491/kN0W558oQ+85rsRVXCp1Hb6TBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBB2x9awGQnxAJsxIHA9OiM2gCBFvgxIR4SJZPrrQ/UlhKU39yYSkEmuKE/ou+yeIe5AMA==]
+secret_key: ENC[PKCS7,MIIBiQYJKoZIhvcNA...AMA==]
 ```
 
 The encrypted values can be decrypted transparently from Hiera (on a host having the proper hiera key):
@@ -66,41 +66,19 @@ You can edit secure data inside any yaml file with the command `/opt/puppetlabs/
 
 
 ### Encrypt Data
-To encrypting data you have to use following public key:
-```
------BEGIN CERTIFICATE-----
-MIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAAMCAXDTE2MTAyNDE0NTY1
-N1oYDzIwNjYxMDEyMTQ1NjU3WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA2eykSgS7VJEXrWYkQMV48ZkUVcHMbCEo2gZXD4vIJsOdJu77F7tA53Ay
-NxdKnJTftsj+R7yFP9Z2XllA9Our0Ypphj40rNstRg5O4IoSkAqitJchlfGL9jZ3
-CB4dJqFitzOkxxCWZjQpjBd3dMJc6U3us6IDWohCjYqyjMZIVwU5EflzJKV4haEy
-Y9qHkVt938RM9UohEvia5/1lZxuZQmDpYqCw9gmBK/dVKZ7abZGkujTKAg5cjD/X
-vuexLMCGrjnPdrsblwBh+yfu6cEo9nfvfj6EA0FxPHIvQ3fv1yJZ+90OA9eUJnqQ
-ED66OGPATAJIqhWlgb8a760xPQFQQQIDAQABo1wwWjAPBgNVHRMBAf8EBTADAQH/
-MB0GA1UdDgQWBBSF05r9TYDiAmkdguCVcDzmYR8Q6TAoBgNVHSMEITAfgBSF05r9
-TYDiAmkdguCVcDzmYR8Q6aEEpAIwAIIBATANBgkqhkiG9w0BAQUFAAOCAQEAWAER
-CTGsOFUkCfvqke75PmIkxKBp/2eJbavWzPkbA/mwAGS4lQc5oyS8FMkUFxATo1k/
-WIb2B3WJIMHfCzMNxTlQLjJiSyvWAlEBHDW4H2XekzKSbj96l+/nirmOq3QkEKTK
-omexF5zYSPkBVA/S2m2wae3g2kubH1p42+REKQUvt1+xaecHBYD6eXzBWChnMMnq
-FbXoayTibn0p9Roo8HClGGJpjPZUTMf+VGUqKWPfvaKl48Y0yrc/4BzZT6Sbzeou
-ZSiHwa62rTV7ia7m2SILZU5b65JUVkFH/2r6qkxCr0Ep+oaxSNXtAXLCbnXmdOeK
-B40J8ePbbmmGE24+zQ==
------END CERTIFICATE-----
-```
+To encrypting data you have to use the public key from your Hiera (`data-*`) git repository named `eyaml_public_key.pem`
 
-On the puppet server this key can be found at `/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem`.
+For the lower layers (global, server or data) it is on the Puppet server at [`/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem`](https://git.psi.ch/linux-infra/bootstrap/-/blob/prod/instcode/puppet/puppet_server/files/crypto/public_key.pkcs7.pem).
 
 Beside this key you also need to have `hiera-eyaml` tool installed on your system.
 
-Assuming the public key is saved in a file (e.g. ``~/eyaml_key.pub``), that the file path has been put into the environment varialbe ``EYAML_PUB_KEY``, then a string can be encripted with::
-
 ```bash
-eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -s secret_string
+eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -s secret_string
 ```
 
 While a complete file can be encrypted with:
 ```bash
-eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -f secret_file
+eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -f secret_file
 ```
 
 #### Example
@@ -108,7 +86,7 @@ eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -f secret_file
 To encrypting password for a system you can go about like this:
 
 ```bash
-# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY --stdin
+# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem --stdin
 Password: 
 Verifying - Password: 
 string: ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx]
@@ -124,11 +102,7 @@ block: >
 #
 ```
 
-Alternatively if you already have docker installed you can use our container to encrypt a string 
 
-```bash
-# docker run -it container.psi.ch/docker/containers/eyaml-docker eyaml encrypt --pkcs7-public-key=/cert.pub -s {DataStringToEncrypt}
-```
 
 and place either the string or the block at the required place in your Hiera YAML.