The Puppet Infrastructure team supports encryption of Hiera YAML data via the hiera-eyaml Ruby gem. If you want to encrypt Hiera YAML data, email the Puppet Infrastructure team at its-puppet-infra@iowa.uiowa.edu and we will privately exchange keys.
Recommendations:
- Use the Sensitive() data type to redact sensitive data from logs and reports
- Use 'show_diff => false' in the file resources that contain sensitive data
- Use the node_encrypt module to encrypt secrets and only decrypt them on the node itself
We currently do not support any other encryption schemes for Puppet Enterprise.
Note about encryption: Files may be encrypted in the Git repository, but that does not protect them from leaking through PuppetDB, reports in the PE console, or server logs.
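
The three recommendations combined in one manifest, as an added example that is not the Puppet Infrastructure team's own code. The class name, Hiera keys and file paths are hypothetical, and the last resource assumes the binford2k/node_encrypt module (its node_encrypt::secret function) on Puppet 6 or later.

```puppet
# Added example: class name, Hiera keys and paths are hypothetical.
class profile::app_secrets {

  # hiera-eyaml decrypts the ENC[PKCS7,...] value on the server at lookup time.
  # Wrapping the result in Sensitive() keeps the plaintext out of agent logs
  # and reports.
  $db_password = Sensitive(lookup('profile::app_secrets::db_password', String))

  # Recommendations 1 and 2: Sensitive content plus show_diff => false, so a
  # change to this file never prints old or new contents in a report.
  file { '/etc/app/db.conf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    # Unwrap only inside a string that is immediately re-wrapped.
    content   => Sensitive("password=${$db_password.unwrap}\n"),
  }

  # Recommendation 3: with Sensitive alone, the value is still present in the
  # compiled catalog sent to the node. node_encrypt::secret encrypts it to the
  # node's certificate on the server and decrypts it on the agent at apply
  # time, so the catalog carries only ciphertext.
  $api_token = lookup('profile::app_secrets::api_token', String)

  file { '/etc/app/api_token':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    content   => node_encrypt::secret($api_token),
  }
}
```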