I commonly use hiera-eyaml-gpg as a Hiera backend in Puppet and came across quite an interesting problem.
ASSUMPTIONS
Let's assume we have everything ready to encrypt secrets in YAML:
- hiera-eyaml-gpg installed
- either the gpgme or the ruby_gpg gem installed
- the ruby-dev package installed
- gpg-agent working and handling the local keyring
So, assuming we have all of the above, we want to edit some YAML with encrypted variables. EYAML keeps all allowed recipient keys in hiera-eyaml-gpg.recipients, and keys that are missing from our local keyring can be searched for and imported from any remote keyserver:
gpg --keyserver pgp.mit.edu --search-keys <ID|email>
THE PROBLEM
While adding new encrypted variables and trying to save the file, I started getting this error on write:
...
[hiera-eyaml-core] Unusable public key
I tried to debug with both verbose logging and strace but wasn't able to figure it out.
While checking the GPG setup around the agent and config, I noticed an old revoked key in my local keyring:
pub rsa2048/E3545A56 2016-03-14 [SC] [revoked: 2016-03-17]
uid [ revoked] Bartlomiej Jakubowski (natur) <bart@jakubowski.in>
SOLUTION
Now it's kind of obvious, but while looking into this I had no idea a revoked key in the keyring could be the problem. I'll call it a good lesson for the future :)
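A check I would add after running into this (an added example, not code from the original post or from the hiera-eyaml-gpg project): parse the output of gpg --list-keys --with-colons and flag every entry in hiera-eyaml-gpg.recipients whose key is revoked, expired or missing from the local keyring, before eyaml fails with "Unusable public key". It assumes the recipients file lists one key ID or e-mail address per line (with # comment lines), and it runs here over a constructed keyring listing and recipients list; the key IDs, hashes and addresses in it are made up.

```shell
#!/bin/sh
# Added example: audit hiera-eyaml-gpg.recipients against the local GPG keyring.
# Not code from the original post or from the hiera-eyaml-gpg project.
# Assumption: the recipients file lists one key ID or e-mail address per line,
# with '#' comment lines allowed.

# Constructed sample of `gpg --list-keys --with-colons` output (fake key IDs and
# hashes). Field 1 is the record type, field 2 the validity (r = revoked,
# e = expired, u/f = usable trust), field 5 the long key ID, field 10 the user ID.
SAMPLE_KEYRING='pub:r:2048:1:00000000E3545A56:1457913600:::-:::scESC::::::23::0:
uid:r::::1457913600::0000000000000000000000000000000000000000::Constructed Revoked Key <revoked@example.invalid>::::::::::0:
pub:u:4096:1:00000000ABCDEF01:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Constructed Valid Key <valid@example.invalid>::::::::::0:
pub:e:2048:1:00000000DEADBEEF:1400000000:1431536000::-:::scESC::::::23::0:
uid:e::::1400000000::0000000000000000000000000000000000000000::Constructed Expired Key <expired@example.invalid>::::::::::0:'

# Constructed recipients list in the assumed hiera-eyaml-gpg.recipients format.
SAMPLE_RECIPIENTS='# constructed ops team list
E3545A56
valid@example.invalid
DEADBEEF
nobody@example.invalid'

# Map a --with-colons validity code to a human-readable status.
validity_name() {
    case $1 in
        r) echo REVOKED ;;
        e) echo EXPIRED ;;
        u|f|m) echo OK ;;
        *) echo "UNKNOWN_TRUST($1)" ;;   # gpg may still refuse unless the trust model allows it
    esac
}

# key_status <recipient> <keyring_text>: prints REVOKED, EXPIRED, OK,
# UNKNOWN_TRUST(x) or MISSING. A recipient matches a key if it is a
# case-insensitive suffix of the primary key's long key ID, or appears as
# <e-mail> in one of that key's uid records.
key_status() {
    rec=$1
    rec_uc=$(printf '%s' "$rec" | tr 'a-z' 'A-Z')
    result=MISSING
    cur_validity=""
    while IFS=: read -r type validity f3 f4 keyid f6 f7 f8 f9 uid rest; do
        case $type in
            pub)
                cur_validity=$validity
                case $keyid in
                    *"$rec_uc") [ "$result" = MISSING ] && result=$(validity_name "$validity") ;;
                esac
                ;;
            uid)
                case $uid in
                    *"<$rec>"*) [ "$result" = MISSING ] && result=$(validity_name "$cur_validity") ;;
                esac
                ;;
        esac
    done <<EOF
$2
EOF
    printf '%s\n' "$result"
}

# audit_recipients <recipients_text> <keyring_text>: prints "<recipient> <status>"
# per entry and returns 1 if any recipient is not OK, which is the condition
# that makes eyaml fail with "Unusable public key".
audit_recipients() {
    bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        status=$(key_status "$line" "$2")
        printf '%s %s\n' "$line" "$status"
        [ "$status" = OK ] || bad=1
    done <<EOF
$1
EOF
    return $bad
}

# Stand-alone run over the constructed data. Against a real setup, feed live data instead:
#   audit_recipients "$(cat hiera-eyaml-gpg.recipients)" "$(gpg --list-keys --with-colons)"
if audit_recipients "$SAMPLE_RECIPIENTS" "$SAMPLE_KEYRING"; then
    echo "all recipients are usable"
else
    echo "some recipients are revoked, expired or missing; eyaml encryption would fail" >&2
fi
```

Running it before editing an eyaml file turns the opaque "Unusable public key" into a line such as "E3545A56 REVOKED", and the non-zero exit status makes it easy to wire into a pre-commit hook or CI job that guards the recipients file. Only pub and uid records are inspected, so a recipient given as a subkey ID would be reported as MISSING.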
Useful links
- hiera-eyaml - backend for Hiera that provides per-value asymmetric encryption of sensitive data
- hiera-eyaml-gpg - GPG encryption backend for the hiera-eyaml module