The Puppet Infrastructure team supports encryption of hiera yaml data via the hiera-eyaml ruby gem. If you want encryption of hiera yaml data, email the Puppet Infrastructure team and we will privately exchange keys. 


  • Use the Sensitive () data type to redact sensitive data from logs and reports
  • Use 'show_diff => false' in the file resources that contain sensitive data
  • Use the node_encrypt module to encrypt secrets and only decrypt them on the node itself 

We currently do not support any other encryption schemes for Puppet Enterprise.

Note about encryption: Files may be encrypted in the Git repository but that does not protect them from leaking through PuppetDB, reports in the PE console or in server logs. 

Article number: 
Last updated: 
September 22, 2022