Make the following settings in hiera.yaml to enable the hiera-eyaml backend, and provide access to the keys and data files:
- Set the lookup_key property to the value eyaml_lookup_key in order to use the new eyaml backend
- Add the locations of the encryption keys to the options hash
- Change all the file paths to use the .eyaml file extension rather than .yaml:
---
version: 5
hierarchy:
  - name: "Encrypted and regular data"
    lookup_key: eyaml_lookup_key
    paths:
      - "nodes/%{trusted.certname}.eyaml"
      - "%{facts.application}.eyaml"
      - "%{server_facts.environment}.eyaml"
      - "%{facts.datacenter}.eyaml"
      - "common.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
defaults:
  datadir: data
With this configuration, you can store both encrypted and plaintext keys and values in your eyaml data files.
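Because encrypted and plaintext values can sit side by side in the same .eyaml file, it is easy to commit a secret that was never encrypted. The following lint check is an added example, not code from the original text or from the hiera-eyaml project: it flags sensitive-looking keys whose values are not wrapped in ENC[PKCS7,...]. The function names, the key-name pattern, and the sample data (including the placeholder ciphertext) are assumptions made for illustration.

```ruby
require 'yaml'

# Value shape hiera-eyaml uses for PKCS7-encrypted data; folded blocks may contain whitespace.
ENC_PKCS7 = /\AENC\[PKCS7,[A-Za-z0-9+\/=\s]+\]\s*\z/
# Assumption: key names that suggest a secret. Tune this for your own data.
SENSITIVE_KEY = /passw(or)?d|secret|token|private_key|api_key/i

# Walk parsed Hiera data and return the dotted paths of scalar values that
# live under a sensitive-looking key but are stored in plaintext.
def plaintext_secrets(node, path = [], sensitive = false)
  case node
  when Hash
    node.flat_map do |k, v|
      plaintext_secrets(v, path + [k.to_s], sensitive || k.to_s.match?(SENSITIVE_KEY))
    end
  when Array
    node.each_with_index.flat_map do |v, i|
      plaintext_secrets(v, path + [i.to_s], sensitive)
    end
  when String, Numeric
    sensitive && !node.to_s.match?(ENC_PKCS7) ? [path.join('.')] : []
  else
    []
  end
end

# Lint the text of one .eyaml data file (hypothetical helper).
def lint_eyaml(text)
  plaintext_secrets(YAML.safe_load(text) || {})
end

# Constructed sample data file; the ciphertext is a placeholder, not real eyaml output.
SAMPLE = <<~YAML
  ---
  ntp::servers:
    - 0.pool.example.test
  profile::db::password: ENC[PKCS7,UExBQ0VIT0xERVI=]
  profile::db::replica_password: hunter2
  profile::api:
    token: >
      ENC[PKCS7,UExBQ0VIT0xERVJQ
      TEFDRUhPTERFUg==]
    fallback_tokens:
      - plaintext-token
YAML

if __FILE__ == $PROGRAM_NAME
  lint_eyaml(SAMPLE).each { |p| warn "plaintext value under sensitive key: #{p}" }
end
```

A check like this fits in a pre-commit hook or CI job over the datadir, so unencrypted secrets are caught before they reach the repository.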