The document discusses securely managing secrets with FreeIPA and Puppet. It describes existing solutions like hiera-gpg and hiera-eyaml as not being perfect due to private key management problems and having to trust Puppet too much. The proposed solution generates secrets locally using GPG encryption with a public key and stores them in FreeIPA for access management. The presentation concludes with information on learning more about this technique.
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)
1. Securely managing secrets with FreeIPA and Puppet
James Shubin, @purpleidea
Config Mgmt. Architect
Systems Engineering Group, Red Hat
Puppet Camp, Boston 2014
1 JAMES SHUBIN
2. Who am I?
● Puppet Hacker
● Config Mgmt. Architect @ Red Hat
● Technical Blogger: The Technical Blog of James
https://ttboj.wordpress.com/
● Physiologist (Cardiology Specialization)
● All around hoopy frood...
3. the status-quo of secret management in puppet is pretty poor...
4. Example 1
class { '::foo':
password => 'super-secret-thing',
bad_idea => true,
}
10. there are some solutions which are better than others, but they are still not perfect...
11. hiera-gpg
● Cute, but private key management can be a problem...
● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...
● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/
● Code: https://github.com/crayfishx/hiera-gpg
12. hiera-eyaml
● Better than hiera-gpg!
● Still has a private key management problem...
● Comes with nice secret editing tools...
● We still have to trust puppet more than necessary...
● Code: https://github.com/TomPoulton/hiera-eyaml
13. blackbox
● Same problems as all the other asymmetric solutions
● Nice documentation!
● Honest and upfront about the risks...
● Comes with 20% more Limoncelli :)
● Code: https://github.com/StackExchange/blackbox
14. do I love any of these solutions?
17. Local secret generation
● Good DevOps hackers use/know/love GPG (PGP)
● Tell puppet about your public key
● Locally generate and encrypt secrets with public key
● Optionally mail it out to your admin email address
● Use FreeIPA to build out your security infrastructure
19. Red Hat funds good hackers so that we can...
● Work on open source / free software things...
● Speak at events like this...
● Hack on good products and solutions...
● For access to products, solutions, and support, visit: https://redhat.com/
20. Learn more
● The Technical Blog of James:
https://ttboj.wordpress.com/
● Puppet-IPA:
https://github.com/purpleidea/puppet-ipa
● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
● Contact me if you have any other questions:
purpleidea @ { irc, twitter, redhat.com }