The Puppet Infrastructure team supports encryption of hiera yaml data via the hiera-eyaml ruby gem. If you want encryption of hiera yaml data, email the Puppet Infrastructure team its-puppet-infra@iowa.uiowa.edu and we will privately exchange keys. 

Recommendations: 

• Use the Sensitive () data type to redact sensitive data from logs and reports
• Use 'show_diff => false' in the file resources that contain sensitive data
• Use the node_encrypt module to encrypt secrets and only decrypt them on the node itself 

We currently do not support any other encryption schemes for Puppet Enterprise.

Note about encryption: Files may be encrypted in the Git repository but that does not protect them from leaking through PuppetDB, reports in the PE console or in server logs.