How to securely store TLS / SSL key files in Git for Puppet?

How would you securely store the TLS / SSL keys for your HTTP server in source control so that Puppet can use them? What tools and methods do you use to encrypt / decrypt these files? In particular, which tools simplify automation as much as possible?

+7
git puppet
3 answers

Not speaking from personal experience, but, as I understand it, common practice is to:

  • store data such as keys and passwords in Hiera, and
  • protect them with eyaml, using the hiera-eyaml backend.

It supports editing the decrypted values in the editor of your choice, provided you have access to the private key.

The Puppet master also needs access to the key so that it can pass the sensitive information on to the agents.

As far as security goes, this does not save you from losing all your secrets if the master machine is completely compromised (but really, if that happens to you, you should consider all your machines and their data compromised as well).

+4
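As an added example of the hiera-eyaml approach described above (this is not code from the answer or from the hiera-eyaml project), here is a Puppet profile class that deploys a TLS key pair whose private key is kept encrypted in Hiera. It assumes a Hiera 5 `hiera.yaml` with an `eyaml_lookup_key` layer (reproduced in the comment), a Puppet release in which `eyaml_lookup_key` returns decrypted values wrapped in `Sensitive`, and hypothetical key names (`profile::web::tls_key`, `profile::web::tls_cert`), paths and hostname; the ciphertext shown is a placeholder, not real output.

```puppet
# Added example: deploy a TLS key pair whose private key is stored encrypted in
# Hiera with hiera-eyaml. Key names, paths and hostname are hypothetical.
#
# Assumed hiera.yaml (Hiera 5) entry; the PKCS7 key pair lives only on the master:
#
#   hierarchy:
#     - name: "Encrypted secrets"
#       lookup_key: eyaml_lookup_key
#       paths: ["nodes/%{trusted.certname}.eyaml", "common.eyaml"]
#       options:
#         pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
#         pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
#
# Assumed data/common.eyaml (placeholder ciphertext standing in for the output of
# `eyaml encrypt`; only the private key is encrypted, the certificate is public):
#
#   profile::web::tls_cert: |
#     -----BEGIN CERTIFICATE-----
#     ...
#     -----END CERTIFICATE-----
#   profile::web::tls_key: ENC[PKCS7,...placeholder...]
class profile::web::tls (
  String $hostname = 'www.example.com',
  String $cert_dir = '/etc/ssl/certs',
  String $key_dir  = '/etc/ssl/private',
) {
  # Assumption: eyaml_lookup_key hands decrypted values back wrapped in Sensitive.
  # Asking for Sensitive[String] therefore also fails the compile if someone ever
  # commits the key as plain text in an unencrypted Hiera layer.
  $tls_key  = lookup('profile::web::tls_key', Sensitive[String])
  $tls_cert = lookup('profile::web::tls_cert', String)

  file { "${key_dir}/${hostname}.key":
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => $tls_key,
    show_diff => false,   # never print the key in --noop diffs or reports
  }

  file { "${cert_dir}/${hostname}.crt":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $tls_cert,
  }
}
```

The only thing that reaches Git is the `ENC[PKCS7,...]` blob; the PKCS7 private key that decrypts it stays on the master, which is exactly the trust boundary the answer describes: anyone who fully compromises the master also holds every secret in the repository.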

You can store your certificates in any SCM, including Git, without any problems. Storing a private key in an SCM is not good practice; you will need to find a way to restrict access to only those who need access to the private keys (and this should be a small number of people). You have two main options:

  • store the private keys securely; or,
  • regenerate key pairs on each client.

This is not considered best practice, but you can store the private keys encrypted in a PKCS #12 archive (protected by a strong password known only to those who need access to the private keys) before placing them in a repository such as an SCM, a filesystem, etc. When a new service is created, the final step in the build process is for the system administrator to manually decrypt the keystore.

It is best to regenerate keys for new service instances, but this requires sending a CSR for the new service to your CA after the build is complete.

Both scenarios require manual work to complete the installation process. In an attempt to automate this, some people hard-code the PKCS #12 password in a setup script; this is not considered best practice.

Here is a Puppet module that can help with this process:

https://github.com/puppetlabs/puppetlabs-java_ks

+2
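As an added example of the second option above, regenerating the key pair on each client (this is not code from the answer or from the java_ks module), here is a Puppet class that generates the private key on the node itself and leaves only a CSR behind for the CA to sign. It assumes `openssl` 1.1.1 or later on the agent (for `-addext`), the `networking.fqdn` fact, and hypothetical directory paths; signing the CSR and installing the certificate is the manual step the answer mentions.

```puppet
# Added example: create the private key on the node and emit a CSR. The key never
# exists in Git, in Hiera or on the Puppet master. Paths are hypothetical.
class profile::web::csr (
  String $hostname = $facts['networking']['fqdn'],
  String $key_dir  = '/etc/ssl/private',
  String $csr_dir  = '/etc/ssl/csr',
) {
  $key = "${key_dir}/${hostname}.key"
  $csr = "${csr_dir}/${hostname}.csr"

  file { $csr_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # umask 077 makes the key file 0600 from the moment it is created. `creates`
  # keeps the exec idempotent and guarantees Puppet never overwrites (and so
  # never silently rotates) a key that is already in use.
  exec { "generate private key for ${hostname}":
    command => "/bin/sh -c 'umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ${key}'",
    creates => $key,
    path    => ['/usr/bin', '/bin'],
  }

  # The CSR contains only public data and is safe to collect and hand to the CA.
  # Assumption: openssl >= 1.1.1 for -addext.
  exec { "generate CSR for ${hostname}":
    command => "openssl req -new -key ${key} -subj '/CN=${hostname}' -addext 'subjectAltName=DNS:${hostname}' -out ${csr}",
    creates => $csr,
    path    => ['/usr/bin', '/bin'],
    require => [Exec["generate private key for ${hostname}"], File[$csr_dir]],
  }

  # Signing ${csr} and installing the resulting certificate is left to the CA
  # workflow; Puppet only ensures the key and CSR exist with the right permissions.
}
```

This keeps the repository free of private material entirely: what you commit is the manifest, not the key, and the CA step is the only part that still needs a human (or an out-of-band automation such as an ACME client) to complete.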

Private keys are not suitable for automatic distribution: they must be strongly encrypted to be distributed safely, which requires manual intervention to decrypt them, and that negates the automation.

Also, they should not be stored in the repository, because it may be more accessible than you think. If you are not careful, your private keys may end up on GitHub. It probably happens more often than you think.

0
