In some Puppet workflows, EYAML GPG encryption is used to encrypt/decrypt secrets in YAML files (Hiera data). There were two solutions to manage it:
- hiera-gpg (already deprecated)
- hiera-eyaml - backend for Hiera that provides per-value asymmetric encryption of sensitive data
Using hiera-eyaml day to day, I wanted to gather some common issues and solutions you can run into with this tool.
I assume your setup is already in place and all requirements are met:
- configuration should be stored in a version control system
- sensitive data is stored and transmitted securely
- only the Puppet master is able to decrypt data
- anybody should be able to encrypt data
Adding a new collaborator to the flow will force you to recrypt everything.
Problem 1
Trying to recrypt a secret YAML file:
─╼ eyaml recrypt -n gpg hieradata/secrets.yaml
[hiera-eyaml-core] Encryption is only supported when using the 'gpgme' gem
...
The solution is quite simple: the only thing to do is to add the gpgme gem rather than use ruby_gpg.
Problem 2
─╼ eyaml recrypt -n gpg hieradata/secrets.yaml
[hiera-eyaml-core] Key 02EF052A (test@example.com) not trusted (if key trust is established by another means then specify always-trust)
The solution is also quite straightforward: either sign the key or, if you don't want to do that, just add --gpg-always-trust to your command.
─╼ eyaml recrypt -n gpg --gpg-always-trust hieradata/secrets.yaml
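The --gpg-always-trust flag tells GnuPG to skip its trust check entirely, so the key-signing route is the one to prefer once the recipient's fingerprint has been confirmed out of band. The script below is an added example, not part of the original post: it reads the fingerprint from `gpg --with-colons --fingerprint` output, refuses to proceed unless it matches the expected value, and only then locally signs the key with `--quick-lsign-key` (GnuPG 2.1 or later) so that a plain `eyaml recrypt` works without the flag. The key ID and address come from the error message above; the expected fingerprint is a constructed placeholder that you replace with the real one.

```shell
#!/bin/sh
# Added example (not from the original post): trust an eyaml recipient key by
# verifying its fingerprint before locally signing it, instead of passing
# --gpg-always-trust. Assumes gpg (2.1+) is installed and the key is already
# imported; the expected fingerprint is a placeholder you obtain from the owner.

# Print the primary-key fingerprint found in a `gpg --with-colons` listing.
# $1 = the colon-separated listing as text (field 10 of the first "fpr" record).
fpr_from_listing() {
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 when the listing's fingerprint equals the expected one.
# Spaces and letter case are ignored so a fingerprint copied from an email or
# a key server page compares cleanly.
fpr_matches() {
  listing="$1"; expected="$2"
  got=$(fpr_from_listing "$listing" | tr -d ' ' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$expected" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Verify the key in the local keyring, then add a local (non-exportable)
# signature so GnuPG treats it as trusted for this machine only.
# $1 = key ID as shown by eyaml, $2 = fingerprint confirmed out of band.
trust_recipient_key() {
  keyid="$1"; expected_fpr="$2"
  listing=$(gpg --batch --with-colons --fingerprint "$keyid") || return 1
  if fpr_matches "$listing" "$expected_fpr"; then
    # --quick-lsign-key takes the full fingerprint, which we have just verified.
    fpr=$(fpr_from_listing "$listing")
    gpg --batch --quick-lsign-key "$fpr"
  else
    echo "fingerprint mismatch for $keyid; refusing to sign" >&2
    return 1
  fi
}

# Usage (kept commented so the file can be sourced without side effects):
#   trust_recipient_key 02EF052A '<FINGERPRINT FROM KEY OWNER>' \
#     && eyaml recrypt -n gpg hieradata/secrets.yaml
```

After the local signature is in place, the recrypt command from Problem 2 runs without --gpg-always-trust, and a key that was swapped in the keyring would fail the fingerprint comparison instead of being silently accepted.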
I will add more when I find something worth mentioning!