These days, it’s generally accepted that we should all be using code repositories to store and manage our code, but there have been several cases recently where passwords or other sensitive data have been exposed either due to security issues with the repository hosting, repositories being accidentally switched from private to public or even showing pieces of codes in presentations.

If you’re using Puppet or other orchestration tools to manage server and application deployment, then hopefully you’re using some kind of repository to maintain your configuration (and if not, why not?) but this means there’s the risk of exposing passwords to people who shouldn’t see them. So how can we protect this sensitive information?

There are a couple of solutions available – for example, you can use GPG to encrypt the entire yaml files used to hold the hiera data. Alternatively, I’d suggest you look at using eyaml and especially hiera-eyaml, a solution created by Tom Poulton.

With hiera-eyaml installed, instead of a yaml file that might look like

you’d see something like:

In the second case, the value has been encrypted using eyaml before pasting it into the yaml file. When puppet runs, it will be decrypted and the appropriate value passed to the puppet module.

Installing and configuring Eyaml

The simplest way to install eyaml is to run the command sudo gem install hiera-eyaml . This uses the Ruby package manager which should have been installed by default as a dependency for the Puppet server. I use Centos and currently that will install the binaries to /usr/local/bin.

With eyaml installed, we should now generate a set of keys to use for encrypting/decrypting data. This is done with the command sudo eyaml createkeys  – the output from the command will identify where the keys have been installed. We should ensure that the files generated have appropriate permissions – this generally means that they are owned (or at least readable) by the puppet user.

Finally, we should configure eyaml so that it is aware of the location of the generated keys. eyaml has a global configuration file at /etc/eyaml/config.yaml and an example file is shown below:

Of course, the file locations shown should be replaced with the values generated in the eyaml createkeys  command.

Configuring Puppet to use Eyaml


With eyaml installed and configured, we need to tell Puppet how to use the new utility. The configuration file used to control how Puppet uses hiera data is typically found at  /etc/puppet/hiera.yaml . This should be configured to something similar to :


The lines in red show the eyaml specific configuration.

Generating encrypted values for hiera.


To encrypt a value to place in the hiera files, use the command eyaml encrypt s 'some value' . This will generate two versions of the encrypted string, one which can be placed on a single line and one to be placed as a text block: