
Last pushed: 2 years ago

Raziel is a Hiera backend that allows you to encrypt certain Hiera
keys, so passwords can be stored securely (e.g. on GitHub).

Raziel works with Puppet 2.7 and Puppet 3.x. Latest tested version is Puppet 3.2.1.


We want to treat infrastructure as code. So code is version controlled
(we use git). But what about passwords/credentials?

Puppet uses a project called "hiera" to read settings from a
configuration db. The configuration db is different per environment
and values come from a .yaml file.

Now one has to protect the .yaml file as it contains production
passwords. What to do? Raziel is the answer! It will encrypt the stuff.

What is Raziel?

Talk at Berlin DevOps Q1/2013

Raziel comes with two parts

  1. A frontend for you to handle all the encryption.
  2. A hiera backend, that will decrypt the values transparently.

Current state

Raziel has been used in production since December 2013. It's been used on 5
Puppetmasters and ~70 servers.

Raziel currently just works, but it could need some love. It started
as proof-of-concept and you still see this in parts of the code...


It's recommended to run Raziel with Ruby 1.9. It SHOULD run with 1.8
and is UNTESTED with 2.0.


Basic Ruby Version Manager (RVM) setup

  • it needs Ruby 1.9 (due to the yaml engine changes in Ruby 1.8 -> 1.9)
    • install RVM: curl -L | bash -s stable --ruby
    • add to your .bashrc, delete .bash_profile
    • make the system Ruby the default (otherwise you may get errors with Vagrant, etc.): rvm reset
  • Raziel was NOT tested with Ruby 2.0 - happy to see your feedback and pull requests

  • brew install gpgme

  • GEMs to install
    • gpgme
    • cucumber
    • aruba
    • ptools
    • highline
    • cd <raziel.git> && gem install <GEM>
  • make sure Ruby 1.9.3 is the active version


Build the package via dpkg-buildpackage

How to run?

See all available commands:
cd <raziel.git>

How to simply edit a file:
./bin/raziel edit <your_file>

Run the tests

  • on Mac: cucumber -p mac
  • anywhere else just cucumber

Tech doc

Used file extensions

  • .yaml.enc -> YAML files with encrypted keys: ENC(...)
  • .yaml.plain -> YAML files with plain keys: PLAIN(...)
  • .yaml.key -> settings used for encryption/decryption
    • password: used for symmetric encryption
    • recipients: used to encrypt the file itself
  • .yaml.key.asc -> encrypted settings

How does it look?

Inside the .yaml files protect your sensitive information by putting
PLAIN( ... ) around it. Everything within the parentheses will be
encrypted and the result will be stored as ENC( .... ).
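
The file extensions and the PLAIN( ... ) / ENC( ... ) markers described above lend themselves to a simple commit guard. The following is an added example, not part of Raziel: it assumes that only .yaml.enc and .yaml.key.asc files are meant to be committed, and the names check_file, check_files and SAMPLE are hypothetical.

```ruby
# Added example, not Raziel's code. Assumption: only *.yaml.enc and
# *.yaml.key.asc are meant to reach the repository.
Finding = Struct.new(:path, :line, :reason)

# Check one file (path plus its text) against the extension rules above.
def check_file(path, content)
  case path
  when /\.yaml\.plain\z/
    [Finding.new(path, nil, "plain variant: values are not encrypted")]
  when /\.yaml\.key\z/ # .yaml.key.asc does not match, \z anchors at ".key"
    [Finding.new(path, nil, "key settings hold the symmetric password in clear")]
  when /\.yaml\.enc\z/
    content.each_line.with_index(1)
           .reject { |text, _| text.lstrip.start_with?("#") } # skip YAML comments
           .select { |text, _| text.include?("PLAIN(") }
           .map { |_, n| Finding.new(path, n, "PLAIN( ... ) value was never encrypted") }
  else
    []
  end
end

# files: Hash of path => file content
def check_files(files)
  files.flat_map { |path, content| check_file(path, content) }
end

# Constructed sample input (no real secrets, the ENC payload is made up).
SAMPLE = {
  "prod/db.yaml.enc" => "db_user: app\n" \
                        "db_pass: ENC(constructed-ciphertext)\n" \
                        "api_key: PLAIN(constructed-value)\n",
  "prod/db.yaml.key" => "password: constructed-example\n",
  "prod/db.yaml.key.asc" => "-----BEGIN PGP MESSAGE-----\n",
  "prod/db.yaml.plain" => "db_pass: PLAIN(constructed-value)\n"
}

if __FILE__ == $PROGRAM_NAME
  check_files(SAMPLE).each do |f|
    puts [f.path, f.line, f.reason].compact.join(": ")
  end
end
```

In a pre-commit hook, the hash would be built from the files listed by git diff --cached --name-only, and a non-empty result would abort the commit.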

Alternative solutions


Raziel could be re-written to work as an additional layer on top of
other backends. So other backends (like Mongo) could be used.

Using raziel inside a Docker container

Use Example

docker run -t -i -v "$HOME/.gnupg:/root/.gnupg/" -v "$HOME/my-credentials/:/root/credentials/" onibox/raziel view /root/credentials/foo.yaml.enc

To ease the use you can put the following lines into your bash .profile:

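# resolve the file's directory to an absolute path, which docker -v expects for a host directory
function raziel { local dir; dir="$(cd "$(dirname "$2")" && pwd)" || return 1; docker run -t -i -v "$HOME/.gnupg:/root/.gnupg/" -v "$dir:/root/cred/" onibox/raziel "$1" "/root/cred/$(basename "$2")"; }
export -f raziel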

Then you can run commands like

raziel view ./my-credentials/foo.yaml.enc