I commonly use hiera-eyaml-gpg inside Hiera in Puppet and came across a quite interesting problem.

ASSUMPTIONS

Let's assume we have everything ready to do the encryption of secrets in YAML:

  • hiera-eyaml-gpg installed
  • either gpgme or ruby_gpg gems installed
  • ruby-dev package installed
  • gpg agent working and handling the local keyring

So let's assume we have all of the above and we want to edit some YAML with encrypted variables. EYAML keeps all allowed keys in hiera-eyaml-gpg.recipients, and keys that are missing from our local keyring can be searched for and imported from any remote keyserver:

gpg --keyserver pgp.mit.edu --search-keys <ID|email>

THE PROBLEM

While adding new encrypted variables and trying to save the file, I started to get this error on write:

...
[hiera-eyaml-core] Unusable public key

I tried to debug with both verbose logging and strace but wasn't able to figure it out.
While checking the GPG setup around the agent and config, I noticed an old revoked key in my local keyring:

pub   rsa2048/E3545A56 2016-03-14 [SC] [revoked: 2016-03-17]
uid         [ revoked] Bartlomiej Jakubowski (natur) <bart@jakubowski.in>

SOLUTION

Now it's kind of obvious (the revoked key sitting in the keyring was the "unusable public key" eyaml complained about), but when looking into this I had no idea it could be a problem. I'll call it a good lesson for the future :)
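As an added example (not from the original post), here is a POSIX shell check that cross-references hiera-eyaml-gpg.recipients with the local keyring and reports any recipient whose key is missing, revoked or expired, so the problem surfaces before eyaml fails with "Unusable public key". It assumes one recipient per line (e-mail or key id, optional 0x prefix) with '#' comment lines, and parses `gpg --with-colons --list-keys` output read from a file, so the check itself runs without a keyring.

```shell
#!/bin/sh
# Added example: report recipients in hiera-eyaml-gpg.recipients whose key in
# the local keyring is missing, revoked or expired (the state behind eyaml's
# "Unusable public key"). Assumes one recipient per line (email or key id,
# optional 0x prefix) and '#' comment lines.

# Turn `gpg --with-colons --list-keys` output (stdin) into
# "VALIDITY<TAB>KEYID<TAB>UID" lines, so every uid carries its key's validity.
parse_keylist() {
  awk -F: '
    $1 == "pub" { validity = $2; keyid = $5 }
    $1 == "uid" { printf "%s\t%s\t%s\n", validity, keyid, $10 }'
}

# check_recipients RECIPIENTS_FILE KEYLIST_FILE
# Prints "<recipient>: ok|missing|revoked|expired|disabled" per recipient and
# returns 1 if any recipient is unusable, 0 when all are fine.
check_recipients() {
  recipients=$1 keylist=$2 rc=0
  parsed=$(parse_keylist < "$keylist")
  while IFS= read -r r || [ -n "$r" ]; do
    case $r in ''|'#'*) continue ;; esac
    # Match by e-mail inside <...>, by the whole uid, or by (short/long) key id.
    status=$(printf '%s\n' "$parsed" | awk -v r="${r#0x}" '
      BEGIN { FS = "\t" }
      index($3, "<" r ">") || $3 == r || index(toupper($2), toupper(r)) {
        print $1; found = 1; exit }
      END { if (!found) print "missing" }')
    case $status in
      r) status=revoked; rc=1 ;;    # gpg validity 'r': key revoked
      e) status=expired; rc=1 ;;    # 'e': key expired
      i|d) status=disabled; rc=1 ;; # 'i'/'d': invalid or disabled
      missing) rc=1 ;;
      *) status=ok ;;
    esac
    printf '%s: %s\n' "$r" "$status"
  done < "$recipients"
  return "$rc"
}

# Stand-alone usage against the real keyring (needs gpg on PATH):
#   sh check_recipients.sh hiera-eyaml-gpg.recipients
if [ $# -eq 1 ]; then
  keys=$(mktemp)
  gpg --with-colons --list-keys > "$keys"
  check_recipients "$1" "$keys"; rc=$?
  rm -f "$keys"
  exit "$rc"
fi
```

A non-zero exit makes it easy to run as a pre-commit or CI step alongside the recipients file.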


  • hiera-eyaml - backend for Hiera that provides per-value asymmetric encryption of sensitive data
  • hiera-eyaml-gpg - GPG encryption backend for the hiera-eyaml module