The Puppet Infrastructure team supports encryption of Hiera YAML data via the hiera-eyaml Ruby gem. If you want to encrypt Hiera YAML data, email the Puppet Infrastructure team at its-puppet-infra@iowa.uiowa.edu and we will privately exchange keys.

Recommendations: 

  • Use the Sensitive data type to redact sensitive data from logs and reports
  • Use 'show_diff => false' in the file resources that contain sensitive data
  • Use the node_encrypt module to encrypt secrets and only decrypt them on the node itself 

We currently do not support any other encryption schemes for Puppet Enterprise.

Note about encryption: Files may be encrypted in the Git repository but that does not protect them from leaking through PuppetDB, reports in the PE console or in server logs. 
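
The following manifest is an added example, not code from the Puppet Infrastructure team. It applies the first two recommendations to a secret stored with hiera-eyaml, so the value stays redacted in logs and reports after the server decrypts it. The class name profile::myapp, its db_password parameter and the file path are hypothetical.

```puppet
# Added example: profile::myapp, $db_password and /etc/myapp/db.conf are
# hypothetical names chosen for illustration.
#
# Matching Hiera data (the value is a placeholder for an eyaml-encrypted
# string). convert_to makes the lookup hand the class a Sensitive value:
#
#   lookup_options:
#     profile::myapp::db_password:
#       convert_to: 'Sensitive'
#   profile::myapp::db_password: ENC[PKCS7,<ciphertext placeholder>]

class profile::myapp (
  # Typing the parameter as Sensitive rejects a plain String, so the
  # secret cannot be passed in unwrapped by mistake.
  Sensitive[String[1]] $db_password,
) {
  # Interpolating a Sensitive value directly produces a redaction marker,
  # not the secret. Unwrap it only inside the expression that builds the
  # file body, then wrap the result again.
  $db_conf = Sensitive("db_password=${db_password.unwrap}\n")

  file { '/etc/myapp/db.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => $db_conf,  # Sensitive content is redacted in change events
    show_diff => false,     # never write a content diff to logs or reports
  }
}
```

The third recommendation, node_encrypt, is not shown here. It addresses the remaining exposure, because the compiled catalog still carries the decrypted value to the agent.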

Article number: 5616