
My journey to securing sensitive data in Puppet code - rbanffy
https://puppet.com/blog/my-journey-securing-sensitive-data-puppet-code
======
mosselman
I always find deploying secure information the most frustrating thing to learn
about provisioning tools. I am not a sysadmin, but a developer, so I just want
to deploy my projects. The thing is that I know too much about provisioning to
just throw money at Heroku (for example) even though Heroku is a great product
and I'd highly recommend it for serious projects, just not for semi-serious
projects that don't make you money.

The problem with secrets and security in general for tools like Kubernetes,
docker-swarm, etc, etc is that 99% of articles and tutorials don't talk about
those aspects, at least not in a production-ready sense. Most tutorials you
can find talk about everything from a getting-to-know-xyz sense, not this-is-
how-you-deploy-for-real-with-xyz.

I have been using Dokku for a few years without really having to dive into the
details. The only problem of course is that it is single node and not for
clusters.

~~~
LandR
>Most tutorials you can find talk about everything from a getting-to-know-xyz
sense, not this-is-how-you-deploy-for-real-with-xyz.

This is 99% of development / technical blogs / tutorials on the internet. Most
are completely useless if you actually want information you can use in
production systems.

The problem is the standard of developer today is so low, most don't even know
you can't just copy and paste from Joe Bloggs' blog post and voilà, you have
production code...

------
xenophonf
At some point we'll probably transition to a proper secret vaulting solution,
but for now I'm taking advantage of SaltStack's GPG renderer to embed GnuPG-
encrypted values into our (Git-versioned) configuration data:

https://docs.saltstack.com/en/latest/ref/renderers/all/salt.renderers.gpg.html

However, I often struggle to correctly format the YAML dictionaries in which
I've embedded GPG-encrypted data. It is so tedious---especially when changing
an encrypted value---to have to encrypt the secret, paste it into the Pillar
SLS file, and carefully re-indent each line. It's especially tedious using
Emacs, as a bug in yaml-mode treats the leading "---" in the GPG message
start/end markers as signaling the start of a new YAML document, preventing me
from highlighting the entire file and running indent-region.

Fortunately, there's an easier way thanks to the Jinja renderer's import_text
function. First, save the secret in a file with a name that ends in ".gpg", as
Emacs' EasyPG Assistant (EPA) will transparently decrypt such a file on read
and re-encrypt it on write. Second, use import_text to load the ".gpg" file
into a variable. Third, reference this variable in the appropriate Pillar key
like any other Jinja variable, filtering it through yaml_encode. Your Pillar
SLS files go from looking like this:

    #!jinja|yaml|gpg

    a-secret: |
      -----BEGIN PGP MESSAGE-----
      Version: GnuPG v1

      Base-64-encoded message text...
      -----END PGP MESSAGE-----

To looking like this, with the added bonus that changing secrets becomes much
easier:

    #!jinja|yaml|gpg

    {% import_text "a-secret.gpg" as a_secret %}

    a-secret: {{ a_secret|yaml_encode }}

Make sure to add the armor option to "~/.gnupg/gpg.conf", otherwise
import_text will throw UnicodeDecodeError exceptions.
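The three steps above, and the armor caveat, as an added worked example in Python (my code, not part of the post and not Salt's own source). It assumes that a JSON string literal is an acceptable stand-in for Salt's `yaml_encode` filter (a JSON string is a valid YAML double-quoted scalar), and it uses a constructed, non-functional armored message in place of a real `a-secret.gpg`. The `is_ascii_armored` check is the one you would run before rendering to avoid the `UnicodeDecodeError` the post warns about when GnuPG writes binary rather than armored output.

```python
import json

# Constructed sample standing in for the contents of "a-secret.gpg".
# This is NOT real ciphertext; the base64 body is a placeholder.
SAMPLE_ARMORED = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: GnuPG v1\n"
    "\n"
    "hQEMA0xEJsTvPcPuAQf9PlaceholderBase64TextForIllustrationOnly\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)

ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def is_ascii_armored(raw: bytes) -> bool:
    """Return True if the bytes look like an ASCII-armored PGP message.

    A binary (non-armored) OpenPGP file is generally not valid UTF-8, which
    is why import_text raises UnicodeDecodeError on it. Checking up front
    gives a clear failure before the render step runs.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return text.lstrip().startswith(ARMOR_HEADER)


def yaml_double_quoted(value: str) -> str:
    """Encode a string as a single-line YAML double-quoted scalar.

    Stand-in for Salt's yaml_encode filter (assumption, not Salt's code):
    a JSON string literal is also a valid YAML double-quoted scalar, so
    json.dumps yields one line with newlines escaped as \\n.
    """
    return json.dumps(value)


def render_pillar(key: str, armored_text: str) -> str:
    """Build the Pillar SLS text the Jinja template in the post produces."""
    return "#!jinja|yaml|gpg\n\n{}: {}\n".format(key, yaml_double_quoted(armored_text))


def naive_block_scalar(key: str, armored_text: str, indent: int = 2) -> str:
    """The hand-pasted form: a literal block scalar where every line must be
    re-indented by hand, which is the chore the import_text approach removes."""
    body = "\n".join(
        (" " * indent + line) if line else "" for line in armored_text.splitlines()
    )
    return "#!jinja|yaml|gpg\n\n{}: |\n{}\n".format(key, body)


def value_from_rendered(rendered: str, key: str) -> str:
    """Read the scalar back from the single-line form to show the round trip
    is lossless (the encoded value parses as a JSON string, as it would as a
    YAML double-quoted scalar)."""
    prefix = key + ": "
    for line in rendered.splitlines():
        if line.startswith(prefix):
            return json.loads(line[len(prefix):])
    raise KeyError(key)


if __name__ == "__main__":
    raw = SAMPLE_ARMORED.encode("utf-8")
    if not is_ascii_armored(raw):
        raise SystemExit("a-secret.gpg is not ASCII-armored; add 'armor' to gpg.conf")
    print(naive_block_scalar("a-secret", SAMPLE_ARMORED))
    print(render_pillar("a-secret", SAMPLE_ARMORED))
```

Running it prints the hand-indented block-scalar form first and the single-line encoded form second; the second is what the `{{ a_secret|yaml_encode }}` template produces, and `value_from_rendered` confirms the decrypted text comes back byte-for-byte, including the blank line after the armor headers that a hand re-indent can easily lose.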

------
tapoxi
For my k8s secrets I've been using sops:
[https://github.com/mozilla/sops](https://github.com/mozilla/sops)

It supports GCP/AWS KMS, so as long as my GCP user account can read the
keychain, I can decrypt the secret. Very simple and does the job.

------
nineteen999
ansible-vault is great for this. Obviously it doesn't help puppet users.

The one thing I like about it is that it's bundled with ansible, so you don't
have to rely on version-control specific tools (eg. git-crypt) or third-party
tools (Hashicorp Vault).

Yes, I appreciate Vault has many more features, but if you just need to encrypt
a handful of secrets and you're already using ansible it's a no-brainer.

------
pcr0
I've had good experiences with committing <some-plaintext-config-file> with
git-crypt.

