Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)

Posted on 10-May-2015


James Shubin, Red Hat

Transcript of Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (Intermediate)

1 JAMES SHUBIN

Securely managing secrets with FreeIPA and Puppet

James Shubin, @purpleidea
Config Mgmt. Architect
Systems Engineering Group, Red Hat

Puppet Camp, Boston 2014

2

Who am I?

● Puppet Hacker

● Config Mgmt. Architect @ Red Hat

● Technical Blogger: The Technical Blog of James, https://ttboj.wordpress.com/

● Physiologist (Cardiology Specialization)

● All around hoopy frood...

3

the status quo of secret management in puppet is pretty poor...

4

Example 1

    class { '::foo':
      password => 'super-secret-thing',
      bad_idea => true,
    }

5

6

Example 2

    class { '::foo':
      hashed   => '$1$mF86/UHC$WvcIcX2t6crBz2onW...',
      bad_idea => true,
    }

7

8

Example 3

    # secret.yaml
    ---
    foo::params::password: 'ohai'
    foo::params::bad_idea: true

9

10

there are some solutions which are better than others, but they are still not perfect...

11

hiera-gpg

● Cute, but private key management can be a problem...

● Probably a good idea for existing infrastructures, where you have one repo that is widely shared...

● Other issues: http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/

● Code: https://github.com/crayfishx/hiera-gpg

12

hiera-eyaml

● Better than hiera-gpg!

● Still has a private key management problem...

● Comes with nice secret editing tools...

● We still have to trust puppet more than necessary...

● Code: https://github.com/TomPoulton/hiera-eyaml

13

blackbox

● Same problems as all the other asymmetric solutions

● Nice documentation!

● Honest and upfront about the risks...

● Comes with 20% more Limoncelli :)

● Code: https://github.com/StackExchange/blackbox

14

do I love any of these solutions?

15

NOPE


My solution...

17

Local secret generation

● Good DevOps hackers use/know/love GPG (PGP)

● Tell puppet about your public key

● Locally generate and encrypt secrets with public key

● Optionally mail it out to your admin email address

● Use FreeIPA to build out your security infrastructure
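The "tell puppet about your public key, then generate and encrypt locally" steps above, written as a Puppet manifest. This is an added example, not code from puppet-ipa or from the talk; the class name, parameter names and paths are assumptions, the public key and key id are assumed to arrive from Hiera, and gpg is assumed to be installed on the managed host.

```puppet
# Added example (not puppet-ipa code): generate a secret on the host and keep
# only a copy encrypted to the admin's GPG public key. Puppet never sees the
# private key, and the plaintext is never written to the catalog or to Hiera.
class secret_demo (
  String $admin_pubkey,                        # ASCII-armoured public key (assumed from Hiera)
  String $admin_keyid,                         # fingerprint/key id of that key (assumed from Hiera)
  String $secret_dir = '/var/lib/secret_demo', # hypothetical path
) {
  $gnupghome = "${secret_dir}/gnupg"

  file { [$secret_dir, $gnupghome]:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # The public key is the only thing puppet needs to know about the admin.
  file { "${secret_dir}/admin.asc":
    ensure  => file,
    mode    => '0600',
    content => $admin_pubkey,
    require => File[$secret_dir],
  }

  # Import into a dedicated keyring; re-runs are skipped once the key is present.
  exec { 'import-admin-pubkey':
    command => "gpg --batch --homedir ${gnupghome} --import ${secret_dir}/admin.asc",
    path    => ['/usr/bin', '/bin'],
    unless  => "gpg --batch --homedir ${gnupghome} --list-keys ${admin_keyid}",
    require => File["${secret_dir}/admin.asc", $gnupghome],
  }

  # Generate 32 random bytes and pipe them straight into gpg, so the plaintext
  # never touches disk; 'creates' makes this a one-time action per host. A real
  # deployment would also feed the same plaintext to the service installer in
  # this pipeline; that step is left out here. The admin retrieves secret.asc
  # (or has it mailed) and decrypts it with their private key.
  exec { 'generate-encrypted-secret':
    command => "sh -c 'umask 077; head -c 32 /dev/urandom | base64 -w0 | gpg --batch --homedir ${gnupghome} --trust-model always --armor --encrypt --recipient ${admin_keyid} --output ${secret_dir}/secret.asc'",
    path    => ['/usr/bin', '/bin'],
    creates => "${secret_dir}/secret.asc",
    require => Exec['import-admin-pubkey'],
  }
}
```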


live demo...

19

Red Hat funds good hackers so that we can...

● Work on open source / free software things...

● Speak at events like this...

● Hack on good products and solutions...

● For access to products, solutions, and support, visit:

https://redhat.com/

20

Learn more

● The Technical Blog of James: https://ttboj.wordpress.com/

● Puppet-IPA: https://github.com/purpleidea/puppet-ipa

● Technical article about this technique: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/

● Contact me if you have any other questions: purpleidea @ { irc, twitter, redhat.com }

Q & A?

Thank you & Happy Hacking!