diff --git a/admin-guide/puppet/hiera.md b/admin-guide/puppet/hiera.md index d27df42c..9bed08e6 100644 --- a/admin-guide/puppet/hiera.md +++ b/admin-guide/puppet/hiera.md @@ -53,7 +53,7 @@ ntp_client::servers: - pstime2.psi.ch - pstime3.psi.ch -secret_key: ENC[PKCS7,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] +secret_key: ENC[PKCS7,MIIBiQYJKoZIhvcNA...AMA==] ``` The encrypted values can be decrypted transparently from Hiera (on a host having the proper hiera key): 
@@ -66,41 +66,19 @@ You can edit secure data inside any yaml file with the command `/opt/puppetlabs/ ### Encrypt Data -To encrypting data you have to use following public key: -``` ------BEGIN CERTIFICATE----- -MIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAAMCAXDTE2MTAyNDE0NTY1 -N1oYDzIwNjYxMDEyMTQ1NjU3WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA2eykSgS7VJEXrWYkQMV48ZkUVcHMbCEo2gZXD4vIJsOdJu77F7tA53Ay -NxdKnJTftsj+R7yFP9Z2XllA9Our0Ypphj40rNstRg5O4IoSkAqitJchlfGL9jZ3 -CB4dJqFitzOkxxCWZjQpjBd3dMJc6U3us6IDWohCjYqyjMZIVwU5EflzJKV4haEy -Y9qHkVt938RM9UohEvia5/1lZxuZQmDpYqCw9gmBK/dVKZ7abZGkujTKAg5cjD/X -vuexLMCGrjnPdrsblwBh+yfu6cEo9nfvfj6EA0FxPHIvQ3fv1yJZ+90OA9eUJnqQ -ED66OGPATAJIqhWlgb8a760xPQFQQQIDAQABo1wwWjAPBgNVHRMBAf8EBTADAQH/ -MB0GA1UdDgQWBBSF05r9TYDiAmkdguCVcDzmYR8Q6TAoBgNVHSMEITAfgBSF05r9 -TYDiAmkdguCVcDzmYR8Q6aEEpAIwAIIBATANBgkqhkiG9w0BAQUFAAOCAQEAWAER -CTGsOFUkCfvqke75PmIkxKBp/2eJbavWzPkbA/mwAGS4lQc5oyS8FMkUFxATo1k/ -WIb2B3WJIMHfCzMNxTlQLjJiSyvWAlEBHDW4H2XekzKSbj96l+/nirmOq3QkEKTK -omexF5zYSPkBVA/S2m2wae3g2kubH1p42+REKQUvt1+xaecHBYD6eXzBWChnMMnq -FbXoayTibn0p9Roo8HClGGJpjPZUTMf+VGUqKWPfvaKl48Y0yrc/4BzZT6Sbzeou -ZSiHwa62rTV7ia7m2SILZU5b65JUVkFH/2r6qkxCr0Ep+oaxSNXtAXLCbnXmdOeK -B40J8ePbbmmGE24+zQ== ------END CERTIFICATE----- -``` +To encrypting data you have to use the public key from your Hiera (`data-*`) git repository named `eyaml_public_key.pem` -On the puppet server this key can be found at `/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem`. +For the lower layers (global, server or data) it is on the Puppet server at [`/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem`](https://git.psi.ch/linux-infra/bootstrap/-/blob/prod/instcode/puppet/puppet_server/files/crypto/public_key.pkcs7.pem). Beside this key you also need to have `hiera-eyaml` tool installed on your system. -Assuming the public key is saved in a file (e.g. 
``~/eyaml_key.pub``), that the file path has been put into the environment varialbe ``EYAML_PUB_KEY``, then a string can be encripted with:: - ```bash -eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -s secret_string +eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -s secret_string ``` While a complete file can be encrypted with: ```bash -eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -f secret_file +eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -f secret_file ``` #### Example @@ -108,7 +86,7 @@ eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY -f secret_file To encrypting password for a system you can go about like this: ```bash -# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=$EYAML_PUB_KEY --stdin +# openssl passwd -6 | eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem --stdin Password: Verifying - Password: string: ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx] @@ -124,11 +102,7 @@ block: > # ``` -Alternatively if you already have docker installed you can use our container to encrypt a string -```bash -# docker run -it container.psi.ch/docker/containers/eyaml-docker eyaml encrypt --pkcs7-public-key=/cert.pub -s {DataStringToEncrypt} -``` and place either the string or the block at the required place in your Hiera YAML.
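Review bot: the new sample in the `secret_key:` line of the first hunk (`ENC[PKCS7,MIIBiQYJKoZIhvcNA...AMA==]`) uses a different placeholder shape from the later example on the same page (`ENC[PKCS7,MIIBxxxxxxxx...xxxxxxxx]`); use one obviously synthetic form in both places so a reader does not take the first for a real, copy-pasteable value.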
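Review bot: in the `### Encrypt Data` hunk the rewritten instructions no longer say where `eyaml_public_key.pem` has to be relative to the shell: the removed sentence ("Assuming the public key is saved in a file ... `EYAML_PUB_KEY`") was what tied the `--pkcs7-public-key=` argument to an actual path, and the new `eyaml encrypt --pkcs7-public-key=eyaml_public_key.pem -s secret_string` only works from the top of the `data-*` checkout; state that, or keep the variable. The same hunk introduces two different public keys (the repo `eyaml_public_key.pem` and the server's `/etc/puppetlabs/keys/eyaml/public_key.pkcs7.pem` for the global/server/data layers) without saying that they are not interchangeable: a value encrypted with one key cannot be decrypted in the layers that hold the other private key, and `eyaml encrypt` cannot detect the mix-up, so add a sentence telling the reader to pick the key of the layer the value goes into. The link text shows the server path but the URL points at the copy in the bootstrap repository (`instcode/puppet/puppet_server/files/crypto/public_key.pkcs7.pem`); say so, or link the words "bootstrap repository", so nobody expects that URL to resolve on the server. Minor wording: "To encrypting data you have to use" should be "To encrypt data, use", "Beside this key" should be "Besides this key", and the sentence ending in `eyaml_public_key.pem` is missing its full stop.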
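Review bot: in the `#### Example` hunk the unchanged context line "To encrypting password for a system you can go about like this:" carries the same grammar slip as the section above; since the example is being touched anyway, change it to "To encrypt a password for a system, proceed like this:". A short remark that the `Password:` and `Verifying - Password:` lines in the shown output are the prompts of `openssl passwd -6` (eyaml reads the hash from the pipe via `--stdin`) would also help readers who see the prompts before the `string:` line.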
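Review bot: in the last hunk, once the docker paragraph is gone the line "and place either the string or the block at the required place in your Hiera YAML." directly follows the closing fence of the block example and starts with a lowercase "and", so it reads as a dangling fragment; reword it as a full sentence, e.g. "Then place either the string or the block at the required place in your Hiera YAML." Dropping the container command itself is consistent with the rest of the change, since it relied on a fixed `/cert.pub` baked into the image rather than the key from the `data-*` repository.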