In some Puppet workflows, EYAML GPG encryption is used to encrypt and decrypt secrets in YAML files (Hiera data). There were two solutions to manage it:

  • hiera-gpg (already deprecated)
  • hiera-eyaml - a backend for Hiera that provides per-value asymmetric encryption of sensitive data

Using hiera-eyaml day to day, I wanted to gather some common issues (and their solutions) that you can run into with this tool.

I assume your setup is already in place and all requirements are met:

  1. configuration is stored in a version control system
  2. sensitive data is stored and transmitted securely
  3. only the Puppet master is able to decrypt data
  4. anybody is able to encrypt data

Adding a new collaborator to the flow forces you to recrypt everything.

Problem 1

Trying to recrypt a secret YAML file:

─╼ eyaml recrypt -n gpg hieradata/secrets.yaml 
[hiera-eyaml-core] Encryption is only supported when using the 'gpgme' gem
...

The solution is quite simple: the only thing to do is to add the gpgme gem rather than using ruby_gpg.

Problem 2

─╼ eyaml recrypt -n gpg hieradata/secrets.yaml
[hiera-eyaml-core] Key 02EF052A (test@example.com) not trusted (if key trust is established by another means then specify always-trust)

The solution is also quite straightforward: either sign the key, or, if you don't want to do that, just add --gpg-always-trust to your command.

─╼ eyaml recrypt -n gpg --gpg-always-trust hieradata/secrets.yaml
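Before running eyaml recrypt -n gpg, a check like the one below (an added example, not code from the original post or from hiera-eyaml) tells you which recipient keys would trip the "not trusted" error from Problem 2, so you can sign the key (gpg --lsign-key) instead of reaching for --gpg-always-trust, which skips the trust check for every recipient. It assumes the keyring is inspected through gpg --with-colons --list-keys; the listing embedded in the script is constructed.

```shell
#!/usr/bin/env bash
# Added example: classify recipient keys by GPG validity before recrypting.
# Assumption: input is the colon-format output of `gpg --with-colons --list-keys`;
# on a `pub` record field 2 is the validity letter and field 5 the long key id.

# Print the validity letter of the key whose id (short or long) is $1.
# Reads the colon listing on stdin; prints nothing if the key is absent.
key_validity() {
  local keyid="$1"
  awk -F: -v id="$keyid" '
    $1 == "pub" && substr($5, length($5) - length(id) + 1) == id { print $2; exit }
  '
}

# Map a validity letter to the action an operator should take.
trust_action() {
  case "$1" in
    u|f|m) echo "trusted" ;;   # ultimate, full or marginal validity
    q|-)   echo "sign-key" ;;  # undefined/unknown: sign it (gpg --lsign-key <id>)
    n|e|r) echo "unusable" ;;  # never-trust, expired or revoked
    "")    echo "missing" ;;   # not in the keyring at all
    *)     echo "unknown" ;;
  esac
}

# Report every recipient; return 0 only when all of them are trusted.
check_recipients() {
  local listing="$1"; shift
  local rc=0 v a
  for k in "$@"; do
    v=$(printf '%s\n' "$listing" | key_validity "$k")
    a=$(trust_action "$v")
    printf '%s %s\n' "$k" "$a"
    [ "$a" = trusted ] || rc=1
  done
  return $rc
}

# Constructed sample listing: one trusted key and one untrusted key
# (02EF052A is the short id from the error message in Problem 2).
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAABBBBBBBB:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000001::Puppet Master <puppet@example.com>::::::::::0:
pub:-:4096:1:1111111102EF052A:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::0000000000000000000000000000000000000002::Test User <test@example.com>::::::::::0:'

if check_recipients "$SAMPLE_LISTING" AAAAAAAABBBBBBBB 02EF052A; then
  echo "all recipients trusted: eyaml recrypt -n gpg hieradata/secrets.yaml"
else
  echo "establish trust first (gpg --lsign-key <id>), or pass --gpg-always-trust deliberately"
fi
```

Against a real keyring, feed it `gpg --with-colons --list-keys` output and the key ids you encrypt for.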

I will add more when I find something worth mentioning!