Forge Home


Simple encryption/decryption of secret data for Puppet


10,197 latest version

4.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.2.0 (latest)
  • 0.1.1
  • 0.1.0
released Aug 7th 2014

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'devopsy-puppet_decrypt', '0.2.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add devopsy-puppet_decrypt
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install devopsy-puppet_decrypt --version 0.2.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Tags: security


devopsy/puppet_decrypt — version 0.2.0 Aug 7th 2014

Table of Contents generated with DocToc

Build Status Dependency Status Code Climate


Notice: The default secret key location is now /etc/puppet-decrypt/encryptor_secret_key

Puppet Decrypt is a gem that gives puppet the ability to encrypt and decrypt strings. This is useful for making sure secret data - like database passwords - remains secret. It uses a model similar to jasypt Encrypting Application Configuration Files or Maven Password Encryption. It is a simple alternative to the Secret variables in Puppet with Hiera and GPG approach.

Comparison with Hiera-GPG


  • Store encrypted secret variables and related non-secret variables in the same file.
  • Version control friendly - you can easily see when a variable was added, changed, or removed even if you don't know the exact value.
  • Works with any data source. Combine it with Hiera, extlookup, external node classifiers, exported resources, or any other source of data.
  • Simple administration - no keyring management.


  • Uses a shared secret instead of asymetric keypairs. This means that the "master password" is shared by all admins. It is also shared by all machines that need to decrypt the same value (usually machines in the same environment).
  • Less integrated with Hiera. You need to wrap calls as decrypt(hiera('my_db_password')).

The shared secret "master password" may seem more difficult to grant and revoke access than the asymetric keypair approach used by hiera-gpg. However both systems are protecting shared secret data! So if you want to fully revoke someone's access you need to change or revoke their decryption key (which is easier with hiera-gpg) AND to change any secrets that key protected (e.g.: your production database passwords).


Via Gem

It should be possible to install via a Gem in Puppet 3+. However, this method is easier, but does seem to have some quirks. If you have any issues, try installing as a module instead.

Add this line to your application's Gemfile:

gem 'puppet-decrypt'

And then execute:

$ bundle

Or install it yourself as:

$ gem install puppet-decrypt

Installing as a Module

If installing as a module, you'll need to deal with the Gem prerequisites manually.

$ gem install encryptor

Puppet Decrypt can be installed with the puppet module subcommand, which is included in Puppet 2.7.14 and later.

$ sudo puppet module install devopsy-puppet_decrypt

The command will tell you where it is installing the module; take note:

$ sudo puppet module install devopsy/puppet_decrypt
warning: iconv couldn't be loaded, which is required for UTF-8/UTF-16 conversions
Preparing to install into /etc/puppet/modules ...
Downloading from ...
Installing -- do not interrupt ...
└── devopsy-puppet_decrypt (v0.1.0)

After installing it, you must add the lib directory of the module to your $RUBYLIB. Add the following to your .profile file (replacing /etc/puppet/modules with the directory from the install command, if necessary), then run source ~/.profile to re-load it in the current shell:

export RUBYLIB=/etc/puppet/modules/puppet_decrypt/lib:$RUBYLIB

You can verify that it is installed and usable by running:

# puppet help crypt


Basic Usage

Put the secret key in /etc/puppet-decrypt/encryptor_secret_key on machines where puppet needs to decrypt the value. Make sure the file's read permissions are restricted!

Use the puppet face to encrypt a value

$ puppet crypt encrypt my_secret_value

Or to decrypt a value

$ puppet crypt decrypt ENC[ANN3I3AWxXWmr5QAW3qgxw==]

Put that value into hiera, extlookup, or any other data source you want. Hiera example:

database_password: ENC[ANN3I3AWxXWmr5QAW3qgxw==]

In your puppet code, load the value normally and then pass it to decrypt.


Or encrypt a secret passing it to encrypt, if you need to save the secret to external storage, for example.

$encrypted_secret_to_save = encrypt($data)

Overriding the secret key

Puppet Decrypt now supports using more than just the default secret key location. You can easily use multiple secret keys for the same project.

For the Puppet face, you just use the --secretkey option to pass an alternate secret key location.

$ echo 'example' > alt_key.txt
$ puppet crypt encrypt abc123 --secretkey alt_key
$ puppet crypt decrypt ENC[c4S4hMCDv1b7FkZgOBRTOA==] --secretkey alt_key

There are two ways to use the alternate keys from the function. You can pass it it as part of the string in this format:

database_password: ENC:alt_key[c4S4hMCDv1b7FkZgOBRTOA==]

If you do that, instead of using the default secret key, it will look for alt_key in the same directory. So instead of /etc/puppet-decrypt/encryptor_secret_key it will use /etc/puppet-decrypt/alt_key.

Alternately, you can pass a hash to the function, containing a value and a secret key, like this:

  value: 'ENC[G6MjBDDFcapYLaKBFJvPSg==]'
  secretkey: '/any/path/you/another/key'

This has the advantage of letting you place keys in alternate directories, not just /etc/puppet-decrypt.

If you use this alongside hiera, you can just switch the lookup from hiera to hiera-hash:


See features/hiera.feature for complete examples.


  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request