The Puppet Infrastructure team supports encryption of hiera yaml data via the hiera-eyaml ruby gem. If you want encryption of hiera yaml data, email the Puppet Infrastructure team email@example.com and we will privately exchange keys.
- Use the Sensitive () data type to redact sensitive data from logs and reports
- Use 'show_diff => false' in the file resources that contain sensitive data
- Use the node_encrypt module to encrypt secrets and only decrypt them on the node itself
We currently do not support any other encryption schemes for Puppet Enterprise.
Note about encryption: Files may be encrypted in the Git repository but that does not protect them from leaking through PuppetDB, reports in the PE console or in server logs.