voxpupuli / hiera-eyaml-gpg Goto Github PK

View Code? Open in Web Editor NEW

49.0 49.0 36.0 119 KB

GPG encryption backend for the hiera-eyaml module

License: MIT License

Ruby 99.18% Shell 0.82%

hacktoberfest

hiera-eyaml-gpg's Introduction

hiera-eyaml-gpg

GPG encryption backend for the hiera-eyaml module.

Motivation

The default PKCS#7 encryption scheme used by hiera-eyaml is perfect if only simple encryption and decryption is needed.

However, if you are in a sizable team it helps to encrypt and decrypt data with multiple keys. This means that each team member can hold their own private key and so can the puppetmaster. Equally, each puppet master can have their own key if desired and when you need to rotate keys for either users or puppet masters, re-encrypting your files and changing the key everywhere does not need to be done in lockstep.

Requirements

You'll need a working GPG setup with your own keypair and a public keyring containing any other keys that you want to work. GnuPG must be at least v2.

To get started, install the hiera-eyaml-gpg gem.

$ gem install hiera-eyaml-gpg

You will also need to install either the gpgme (recommended) or ruby_gpg gem:

$ gem install gpgme

$ gem install ruby_gpg -v ">=0.3.1"

Note: you will need to use ruby_gpg with the Puppet server as it uses JRuby which cannot make use of native extensions such as gpgme.

If you haven't already installed it, this requires and will install the hiera-eyaml gem, which you should probably acquaint yourself with at https://github.com/voxpupuli/hiera-eyaml.

Note that in order to install the gpgme gem you'll need to have the ruby development package installed for your distribution.

For use on puppetserver

As root

/opt/puppetlabs/puppet/bin/gem install hiera-eyaml-gpg ruby_gpg
/opt/puppetlabs/server/bin/puppetserver gem install hiera-eyaml-gpg ruby_gpg

Puppet versions

This project supports Puppet 5.5.8 and later.

How to use

Encrypting and editing encrypted data

Once installed you can create encrypted hiera-eyaml blocks that are encrypted using GPG.

$ eyaml encrypt -n gpg -s "A secret string to encrypt" --gpg-recipients [email protected],[email protected]

If you do not have a web of trust (i.e. you normally use --always-trust for gpg signing) then you'll need to use the --gpg-always-trust option on the command line.

It gets pretty dull to keep on remembering which recipients you should use, so you can put them in a file and specify that instead.

$ eyaml encrypt -n gpg -s "A secret string to encrypt" --gpg-recipients-file hiera-eyaml-gpg.recipients

In fact, when editing a file on disk and neither of the --gpg-recipient options are provided it will automatically look for a hiera-eyaml-gpg.recipients file in the same directory as the file being edited (or any parent in the tree). The first file discovered will be used allowing different parts of a hiera tree to have different recipients if so desired.

Use eyaml --help for more details or look at the hiera-eyaml docs.

Configuring hiera

This assumes you have a working hiera and hiera-eyaml. Please note that the private GPG key must not have a passphrase.

Each level of the hierarchy must specify the gpg_gnupghome option with the path to the keyring as well as specifying lookup_key with the value eyaml_lookup_key. The following example shows a simple hierarchy.

---
version: 5
defaults:
hierarchy:
  - name: "Per-node data (yaml version)"
    lookup_key: eyaml_lookup_key
    options:
      gpg_gnupghome: /opt/puppetlabs/server/data/puppetserver/.gnupg
    path: "nodes/%{::trusted.certname}.yaml"
  - name: "Role data"
    lookup_key: eyaml_lookup_key
    options:
      gpg_gnupghome: /opt/puppetlabs/server/data/puppetserver/.gnupg
    paths:
      - "role/%{facts.role}.yaml"
  - name: "Per platform data"
    lookup_key: eyaml_lookup_key
    options:
      gpg_gnupghome: /opt/puppetlabs/server/data/puppetserver/.gnupg
    paths:
      - "kernel/%{::kernel}.yaml"
      - "osfamily/%{::osfamily}.yaml"
      - "osfamily/%{::osfamily}-%{::operatingsystemmajrelease}.yaml"
  - name: "Default"
    lookup_key: eyaml_lookup_key
    options:
      gpg_gnupghome: /opt/puppetlabs/server/data/puppetserver/.gnupg
    paths:
      - "common.yaml"

For command line uses such as puppet lookup where the gpg_gnupghome setting in the hiera.yaml configuration does not match a directory the user has access to, you can override the gpg_gnupghome setting by setting the path in the environment variable HIERA_EYAML_GPG_GNUPGHOME and, if set, that will be used instead of gpg_gnupghome.

$ HIERA_EYAML_GPG_GNUPGHOME=~/.gnupg puppet lookup my_key

Authors

Thanks to Simon Hildrew for the inital code. Other contributors can be seen at https://github.com/voxpupuli/hiera-eyaml-gpg/graphs/contributors

hiera-eyaml-gpg's People

Contributors

Stargazers

Watchers

hiera-eyaml-gpg's Issues

Encryption should fail if don't have hiera-gpg key on my keyring

Hi guys,
I was enable to encrypt a value using eyaml and not having all the key on my keyring. Basically I have a mismatch between the keys on my keyring and the keys declare on --gpg-recipients-file.
I think this should fail and give a meaningful error message, explaining how to fix it.

Regards and thanks

Great Soft!!

unknown argument '--gpg-recipients'

I'm trying to get set up with hiera-eyaml-gpg, but the gem doesn't appear to be registering with hiera-eyaml. In particular, I'm getting the following error:

$ eyaml -n gpg -s 'admin' --gpg-recipients "[email protected]"
Error: unknown argument '--gpg-recipients'.
Try --help for help.

I've double checked that hiera-eyaml-gpg is installed, since the error would seem to indicate that it isn't present:

$ gem list --local

*** LOCAL GEMS ***

gpgme (2.0.2)
hiera-eyaml (1.3.4)
hiera-eyaml-gpg (0.1)
highline (1.6.20)
json (1.5.5)
trollop (2.0)

Any ideas what may be going on, or how I could get hiera-eyaml-gpg to register with hiera-eyaml?

Use gpg-agent when using the edit option

Is there a way which the plugin can utilize the gpg-agent so we don't have to input the key password for each value which we are trying to edit?

I may have an eyaml file with 4-6 encrypted values and it can get pretty painful to type in my password 6 times.

I would be happy to help code this up if I can get some direction on how I should do this (I'm relatively new to the details of GPG).

Output eyaml filepath and key when decryption fails

In a similar way to #35, I'm using more than one gpg key (dev and production environments have their own puppet servers). If decryption fails (because I've perhaps forgotten to provide an override value in say ./hiera/environment/prod.yaml), it'd be really helpful if the plugin output a bit more than failed with: gpg: decryption failed: No secret key. Would hiera-eyaml-gpg be able to output the file and line number of the yaml file being read at the time?

Perhaps this isn't possible, but anything to help speeding up tracking down where I've messed up would be great!
Thanks.

wrong version in version.rb

version.rb still says 0.5, it should be updated to 0.6 or maybe 0.7?

Also use default gpg recipients file with `eyaml encrypt`

When editing a file using eyaml edit it automatically searches for hiera-eyaml-gpg.recipients if not specified otherwise. But when using eyaml encrypt, a recipients file must always be provided explicitely. Please also let the eyaml encrypt command lookup the default recipients file in the current working directory (and maybe also in its parents).

default recipient file not looked for in cwd hierarchy

The strategy for finding hiera-eyaml-gpg.recipients assumes the workflow that file-to-be-encrypted is going to be in the same file hierarchy as the recipients file. def self.find_recipients under lib/hiera/backend/eyaml/encryptors/gpg.rb

Another workflow is to share the default recipients file in the same hierarchy as the hiera files themselves with the file to be encrypted outside the hierarchy. Unlike the defaults file and the rest of the encrypted files under the hierarchy, the file-to-be-encrypted is not safe to be stored as-is. It is advantageous to store it elsewhere, to avoid any accidental check-ins.

In the case that we fail find the recipients file under the hierarchy of the file-to-be-encrypted, it would be great to search under the cwd hierarchy as well.

Compatibility with hiera-eyaml 2.0+

root@puppet:~# gem install hiera-eyaml-gpg
Building native extensions. This could take a while...
Fetching: hiera-eyaml-gpg-0.4.gem (100%)
Successfully installed gpgme-2.0.8
Successfully installed hiera-eyaml-gpg-0.4
2 gems installed
Installing ri documentation for gpgme-2.0.8...
Installing ri documentation for hiera-eyaml-gpg-0.4...
Installing RDoc documentation for gpgme-2.0.8...
Installing RDoc documentation for hiera-eyaml-gpg-0.4...

root@puppet:~# eyaml version
[hiera-eyaml-core] hiera-eyaml (core): 2.0.6
[hiera-eyaml-core] hiera-eyaml-gpg (gem): unknown (is plugin compatible with eyaml 2.0+ ?)

The plugin seems to work properly though.

Editing encrypted credentials fails on GPG v1

I couldn't see this documented anywhere so I wanted to raise it here.

Editing encrypted credentials appears to fail on GPG version 1.x when working with a large number of credentials (119 in our case), including some PEM certificates.

For example:

» gpg
zsh: command not found: gpg
» brew install gpg
[...snip...]
» gpg --version
gpg (GnuPG) 1.4.19
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
» bundle exec eyaml edit -n gpg --gpg-recipients-file gpg_recipients/preview_hiera_gpg.rcp hieradata/preview_credentials.yaml
[gpg] !!! Warning: General exception decrypting GPG file
[hiera-eyaml-core] !!! Bad file descriptor
[hiera-eyaml-core] ["/Users/matt/bundles/ruby/1.9.1/gems/gpgme-2.0.7/lib/gpgme/ctx.rb:391:in `decrypt'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-gpg-0.4/lib/hiera/backend/eyaml/encryptors/gpg.rb:149:in `decrypt'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:15:in `encrypted_value'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:80:in `create_enc_token'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:100:in `create_token'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:71:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/parser/parser.rb:36:in `parse'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/subcommands/edit.rb:36:in `execute'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/CLI.rb:45:in `execute'", "/Users/matt/bundles/ruby/1.9.1/gems/hiera-eyaml-2.0.3/bin/eyaml:13:in `<top (required)>'", "/Users/matt/bundles/ruby/1.9.1/bin/eyaml:23:in `load'", "/Users/matt/bundles/ruby/1.9.1/bin/eyaml:23:in `<main>'"]

GPG version 2.x works:

» brew remove gpg
» brew install gpg2
» gpg2 --version
gpg (GnuPG) 2.0.29
libgcrypt 1.6.4
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

GPGTools also works fine from me (brew cask install gpgtools):

» gpg --version
gpg (GnuPG/MacGPG2) 2.0.28
libgcrypt 1.6.3
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I haven't gotten to the bottom of why - I presume it's something to do with the way the gpgme library invokes the gpg binary over and over for each string to be encrypted.

Checking that we trust recipients breaks GPG's web of trust model

The code at https://github.com/sihil/hiera-eyaml-gpg/blob/master/lib/hiera/backend/eyaml/encryptors/gpg.rb#L129-L138 checks whether the recipients that we are encrypting to are listed as having full validity within the web of trust.

This breaks the concept of the web of trust, since it conflates whether a recipient is who they say they are, and whether you trust a key to sign other keys.

I understand that this was done in order to check that an attacker had not added their own key to the list of recipients, and this is a valid attack to be concerned about, but the trust model is the wrong tool to solve that problem.

The issue that this gives for us is:

We distribute passwordless keys to various public servers, for different stages.
We are happy to encrypt to those keys, if somebody can possess that key they can decrypt the relevant parts of the context. That's a risk model that we already take with puppetmaster's anyway.
However we are not happy to trust those keys to perform encryption or signing. If somebody can possess one of those keys and sign their own key with it, we don't want to trust the new key. If somebody uses one of those keys to write a new encrypted blob to out git repository we don't want to trust that block
We only trust the human managed keys where we have confidence that the person will follow reasonable measures before signing another persons key
Even worse, we have a developer passwordless key that we publish as part of our public repo.
This key is used in vagrant builds to apply known compromised credentials (such as user DB, password: password) to developer machines. We know that key is publicly accessible, and we deliberate set the trust as NEVER for our GPG implementation, so we know that the key cannot ever be trusted to sign or encrypt anything.

Currently, the implementation we have here requires all of the team to trust that compromised key, or to set the always trust option, defeating the point of us setting up a web of trust.

I believe the correct solution here is probably:

Remove the check for whether the recipients are trusted.
To combat the original attack, the recipients list should be signed, and the tool should attempt to verify the signature before using it. The file should only verify the signature if the signing key is trusted, so it proves that a human you trust has modified the recipients list and correctly signed it. Manual recipient lists should work as before.
You probably need a parameter to skip verifying the signature, to allow for upgrades and for users who choose not to use the recipient list signing function (always-trust maybe)
the decrypt function should probably check that the encrypted contents are signed by someone on the web of trust. I believe this is the default in GPGME (sign and encrypt, decrypt and verify). The passwordless keys on the puppetmaster should trust either each member of staff, or a master key that trusts each member of staff (giving a proper web of trust). Only files encrypted by a trusted key should be accepted.

new release for GPG error output fix

Hello,

Can we get a new release that's got commit 2681e99 in it please? I keep getting weird GPG error messages in my password files :-)

-Luke

not usable for encryption on windows due gpgme problem

the dependency gpgme is not usable/installable on windows and ruby_gpg can't be used for encryption.

are there alternative ruby libs out there or would it be an option to do a cli call of gpg.exe?

gpg invocation discards stderr and leaves tempfiles behind

The following change 2681e99#diff-8f7a8cbc7701c45f0dbf2ab3b622433dd6cb94672da8eb7c6ea0f1bcf7b1ad5e causes problems with debuging gpg issues, since stderr is discarded, also, it leaves tmpfiles behind, since unlink is not called

Error: can't convert nil into String

While hiera-eyaml works fine, I get the following error when I switch to hiera-eyaml-gpg (both on server and agent):

Error from DataBinding 'hiera' while looking up 'hiera_test::secret': can't convert nil into String on node the_agent.example.com

Here's a sample class that should demonstrate the problem:

class hiera_test ($secret = undef) {
        file { 'D:/hiera_test':
                ensure => present,
                content => "${secret}",
        }
}

Hiera setup is as follows:


---
:backends:
  - eyaml
  - yaml
:eyaml:
  :datadir: '/etc/puppet/hiera'
  :extension: 'yaml'
  :gpg_gnupghome: '/etc/puppet/keys'
  :gpg_always_trust: true
  :pkcs7_private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :pkcs7_public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
:yaml:
  :datadir: '/etc/puppet/hiera'
:hierarchy:
  - "node/%{::fqdn}"
  - "virtual/%{::virtual}"
  - "osfamily/%{::osfamily}"
  - common

I've also tried to put the GPG keys into ~puppet/.gnupg, but that doesn't help, /etc/puppet/keys directory looks as follows:

# ll -a keys
total 28
dr-x------ 2 puppet puppet 4096 Jan 29 14:59 ./
drwxr-xr-x 7 root   root   4096 Jan 29 15:57 ../
-r-------- 1 puppet puppet 1679 Jan 29 14:59 private_key.pkcs7.pem
-r-------- 1 puppet puppet 1050 Jan 29 14:59 public_key.pkcs7.pem
-r-------- 1 puppet puppet 1690 Jan 29 13:27 pubring.gpg
-r-------- 1 puppet puppet 1777 Jan 29 13:27 secring.gpg
-r-------- 1 puppet puppet 1280 Jan 29 13:27 trustdb.gpg

I can edit the yaml files just fine, using

eyaml edit -n gpg --gpg-always-trust --gpg-recipients the_server.example.com /etc/puppet/hiera/common.yaml

and /etc/puppet/hiera/common.yaml looks like this:


---
hiera_test::secret: DEC::GPG[The secret text]!

which is correctly encrypted after saving.

Puppet server is 3.4.2 on RHEL 5.10. Agents are 3.4.2 on Windows Server 2008 R2 and RHEL 5.x.

Other versions:
Hiera: 1.3.1
hiera-eyaml: 2.0.0
hiera-eyaml-gpg: 0.4

eyaml edit: undefined method `plain_text' on save

I have a file foo.eyaml, that, unencrypted, looks like so:

---
postgresql::dbs:
  dbx:
    user: u1
    password: DEC(1)::GPG[Defect9advert-great]!

now I'd like to duplicate this, and have something like:

---
postgresql::dbs:
  dbx:
    user: u1
    password: DEC(1)::GPG[Defect9advert-great]!
  dby:
    user: u2
    password: DEC(2)::GPG[madrid_riot-Knot]!

when saving & closing the editor, I'm getting the following error:

[hiera-eyaml-core] !!! undefined method `plain_text' for #<Hiera::Backend::Eyaml::Parser::NonMatchToken:0x007f630b9c2938>
[hiera-eyaml-core] ["/home/igalic/.gem/ruby/2.1.2/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/subcommands/edit.rb:69:in `block in execute'", "/home/igalic/.gem/ruby/2.1.2/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/subcommands/edit.rb:66:in `map'", "/home/igalic/.gem/ruby/2.1.2/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/subcommands/edit.rb:66:in `execute'", "/home/igalic/.gem/ruby/2.1.2/gems/hiera-eyaml-2.0.3/lib/hiera/backend/eyaml/CLI.rb:45:in `execute'", "/home/igalic/.gem/ruby/2.1.2/gems/hiera-eyaml-2.0.3/bin/eyaml:13:in `<top (required)>'", "/home/igalic/.gem/ruby/2.1.2/bin/eyaml:23:in `load'", "/home/igalic/.gem/ruby/2.1.2/bin/eyaml:23:in `<main>'"]

Using gpg 2.1 and long gpghome paths fails without meaningful error

Gpg 2.1 has problems if you run your gpg-agent from a directory that is more than 108 characters long: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847206

(we had this situation on some machines because our puppet rspec tests use a custom gpg home for testing)

Hiera-eyaml fails in this scenario with an error similar to:
Error from DataBinding 'hiera' while looking up 'foo::bar': Decryption failed on node baz.local

It's reasonable to fail in this scenario, but it'd be much nicer if there were some way to expose the underlying gpg errors, which are rather more meaningful.

Track existing recipients

Edit mode for GPG should track existing recipients and re-encrypt to the same set of keys.

This can't be done for two reasons.

We don't track individual blocks uniquely
and
It isn't possible to get the recipient list out of GPGME as recipients is not implemented in the DecryptResult object.

If these two are fixed then we can make this work.

Does not work with Puppet 5.5.3

Given CentOS 7.5.1804 and Puppet 5.5.3 from the Puppetlabs Yum repo and hiera-eyaml-gpg 0.6 and ruby_gpg 0.3.2, both installed by the /opt/puppetlabs/server/bin/puppetserver gem install command.
When I try to apply my manifests with puppet agent -t
I get Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.RaiseException: (LoadError) no such file to load -- hiera/backend/eyaml/encryptors/gpg
I expected that the GPG backend would have decrypted and applied my test manifest.

undefined method `value' for nil:NilClass

I'm getting this error when I try to decrypt data either via hiera command line tool or via eyaml command line tool. Thus far I don't seem to get errors when puppetserver decrypts the data. The system is RedHat 6.

Full --trace output of eyaml decrypt:

# eyaml decrypt -n gpg --gpg-gnupghome=/etc/puppet/secure/keys/gpg --file=/etc/puppet/hiera/production/hieradata/fqdn/FQDN-OMIT.yaml  --gpg-recipients=puppet@DOMAIN --trace
[hiera-eyaml-core] Dump of eyaml tool options dict:
[hiera-eyaml-core] --------------------------------
[hiera-eyaml-core]           (Symbol) eyaml              =         (NilClass)                   
[hiera-eyaml-core]           (Symbol) file               =           (String) /etc/puppet/hiera/production/hieradata/fqdn/FQDN-OMIT.yaml
[hiera-eyaml-core]           (Symbol) gpg_gnupghome_given =        (TrueClass) true              
[hiera-eyaml-core]           (Symbol) pkcs7_subject      =           (String) /                 
[hiera-eyaml-core]           (Symbol) encrypt_method     =           (String) gpg               
[hiera-eyaml-core]           (Symbol) stdin              =       (FalseClass) false             
[hiera-eyaml-core]           (Symbol) trace_given        =        (TrueClass) true              
[hiera-eyaml-core]           (Symbol) source             =           (Symbol) file              
[hiera-eyaml-core]           (Symbol) pkcs7_private_key  =           (String) ./keys/private_key.pkcs7.pem
[hiera-eyaml-core]           (Symbol) quiet              =       (FalseClass) false             
[hiera-eyaml-core]           (Symbol) version            =       (FalseClass) false             
[hiera-eyaml-core]           (Symbol) input_data         =           (String) ---
                   classes:
                     - role::foreman::web
                   foreman::configure_epel_repo: false
                   foreman::configure_scl_repo: false
                   foreman::db_database: 'foreman'
                   foreman::db_manage: true
                   foreman::db_password: >
                       ENC[GPG,hQEMA.....]
                   foreman::db_type: 'mysql'
                   foreman::db_username: 'foreman'
                   foreman::foreman_url: "https://%{hiera('profile_foreman_host')}"
                   foreman::locations_enabled: false
                   foreman::oauth_active: false
                   foreman::oauth_map_users: false
                   foreman::organizations_enabled: false
                   foreman::puppetrun: true
                   foreman::repo: "%{hiera('foreman_repo')}"
                   #foreman::server_ssl_crl: ""
                   foreman::ssl: true
                   foreman::unattended: true
                   foreman::plugin::puppetdb::address: "https://%{hiera('puppetdb_host')}:8081/v2/commands"
                   foreman::plugin::puppetdb::dashboard_address: "http://%{hiera('puppetdb_host')}:8080/dashboard"
[hiera-eyaml-core]           (Symbol) executor           =            (Class) Hiera::Backend::Eyaml::Subcommands::Decrypt
[hiera-eyaml-core]           (Symbol) pkcs7_public_key   =           (String) ./keys/public_key.pkcs7.pem
[hiera-eyaml-core]           (Symbol) gpg_recipients_file =         (NilClass)                   
[hiera-eyaml-core]           (Symbol) file_given         =        (TrueClass) true              
[hiera-eyaml-core]           (Symbol) gpg_always_trust   =       (FalseClass) false             
[hiera-eyaml-core]           (Symbol) help               =       (FalseClass) false             
[hiera-eyaml-core]           (Symbol) encrypt_method_given =        (TrueClass) true              
[hiera-eyaml-core]           (Symbol) verbose            =       (FalseClass) false             
[hiera-eyaml-core]           (Symbol) gpg_gnupghome      =           (String) /etc/puppet/secure/keys/gpg
[hiera-eyaml-core]           (Symbol) gpg_recipients_given =        (TrueClass) true              
[hiera-eyaml-core]           (Symbol) string             =         (NilClass)                   
[hiera-eyaml-core]           (Symbol) trace              =        (TrueClass) true              
[hiera-eyaml-core]           (Symbol) gpg_recipients     =           (String) puppet@DOMAIN    
[hiera-eyaml-core] --------------------------------
[gpg] GNUPGHOME is /etc/puppet/secure/keys/gpg
[hiera-eyaml-core] undefined method `value' for nil:NilClass
[hiera-eyaml-core] /usr/lib/ruby/gems/1.8/gems/ruby_gpg-0.3.2/lib/ruby_gpg.rb:63:in `run_command'
                   /usr/lib/ruby/1.8/open3.rb:86:in `popen3'
                   /usr/lib/ruby/gems/1.8/gems/ruby_gpg-0.3.2/lib/ruby_gpg.rb:59:in `run_command'
                   /usr/lib/ruby/gems/1.8/gems/ruby_gpg-0.3.2/lib/ruby_gpg.rb:52:in `decrypt_string'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:167:in `decrypt'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:15:in `encrypted_value'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:80:in `create_enc_token'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:110:in `create_token'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:71:in `parse_scanner'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:36:in `parse'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/decrypt.rb:58:in `execute'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                   /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/bin/eyaml:21
                   /usr/bin/eyaml:19:in `load'
                   /usr/bin/eyaml:19

Hiera trace:

# hiera --config /etc/puppet/hiera.yaml foreman::db_password ::fqdn=FQDN-OMIT ::environment=production
/usr/lib/ruby/gems/1.8/gems/ruby_gpg-0.3.2/lib/ruby_gpg.rb:63:in `run_command': undefined method `value' for nil:NilClass (NoMethodError)
    from /usr/lib/ruby/1.8/open3.rb:86:in `popen3'
    from /usr/lib/ruby/gems/1.8/gems/ruby_gpg-0.3.2/lib/ruby_gpg.rb:59:in `run_command'
    from /usr/lib/ruby/gems/1.8/gems/ruby_gpg-0.3.2/lib/ruby_gpg.rb:52:in `decrypt_string'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:167:in `decrypt'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:15:in `encrypted_value'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:80:in `create_enc_token'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:100:in `create_token'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:90:in `create_token'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:71:in `parse_scanner'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:36:in `parse'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml_backend.rb:83:in `decrypt'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml_backend.rb:131:in `parse_string'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml_backend.rb:101:in `parse_answer'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml_backend.rb:53:in `lookup'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:76:in `datasources'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:74:in `map'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:74:in `datasources'
    from /usr/lib/ruby/gems/1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml_backend.rb:29:in `lookup'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:206:in `lookup'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:203:in `each'
    from /usr/lib/ruby/site_ruby/1.8/hiera/backend.rb:203:in `lookup'
    from /usr/lib/ruby/site_ruby/1.8/hiera.rb:60:in `lookup'
    from /usr/bin/hiera:225

decrypt should fail if no keys found

The decrypt function should throw an exception if it is unable to decrypt an encrypted value, eg. if no usable keys are found.

Currently, it prints a warning which is returned as the value of the encrypted parameter.

0.7.0 Release Summary

This is the first release of hiera-eyaml-gpg since the project was migrated to Vox Pupuli. We're pleased to announce that this project should now work with Puppet 6 (jruby 9k puppetserver). Special thanks to seanmil for his work on this.

From this point onwards, all releases made to rubygems will have corresponding tags in the github project and a changelog will be maintained with GitHub Changelog Generator. The project will use semantic versioning.

Hiera variable doesn't properly expand on the node

Hi,

for some reason I'm not being able to understand what is missing on my setup for a variable to properly expand on the node when puppet agent runs.

Right now the variable is being looked up correctly but expands encrypted, an example:

'dbpassword' => '',
'dbpassword' => 'ENC[GPG,encrypted-password]

The variable is picked up on the relevant manifest this way: (we're running Puppet 2.7.X so still no automatic external lookup for us)

on myclass/manifests/init.pp:

$db_password = hiera(myclass::password)

Using the eyaml command line works just fine and edit, encrypt, decrypt commands do work as expected.

Please let me know if you need more debugging or it's just me missing something on the setup, thanks!

Hiera not failing on gpg key failure

I had this issue today, where I had accidentally fudged the permissions on the gnupg directory, and it wasn't readable by Puppet.

I started seeing this in the puppet master log (which was fine):

puppet-master[18583]: hiera(): [eyaml_gpg]:  No usable keys found in /var/lib/puppet/ssl/.gnupg. Check :gpgpghome value in hiera.yaml is correct

The issue is that the puppet agents used this error message as the value being returned:

notice: /Stage[main]/module/File[/tmp/file]/content: 
--- /tmp/file       2013-11-25 15:15:41.388632878 +0000
+++ /tmp/puppet-file20131126-4011-2f52vx-0  2013-11-26 00:54:47.512075470 +0000
@@ -1,2 +1,2 @@
 ADMIN_USER='username'
-ADMIN_PASS='password'
+ADMIN_PASS='hiera(): [eyaml_gpg]:  No usable keys found in /var/lib/puppet/ssl/.gnupg. Check :gpgpghome value in hiera.yaml is correct'

Do you think this the fault of hiera-eyaml-gpg or hiera-eyaml?

readme isn't right

hi there, i think the readme isn't correct.

eyaml encrypt -n gpg -s "A secret string to encrypt" --gpg-recipients [email protected]

this is what works for me.

Thanks

eyaml incorrectly errors when it cannot decrypt a key

I am using your software in an environment where multiple people are creating encrypted entries and I am not meant to be able to read their encrypted entries. I would expect that any entries that can be decrypted would be and the rest would just show up encrypted, as they are.

What actually happens is that an error is thrown.

[gpg] Fatal: Failed to decrypt ciphertext (check settings and that you are a recipient)
[hiera-eyaml-core] Decryption failed

$ gem list | grep eyaml
hiera-eyaml (2.1.0)
hiera-eyaml-gpg (0.6)

Here's a trace

[hiera-eyaml-core] /Users/gh/.rvm/gems/ruby-2.1.8/gems/gpgme-2.0.12/lib/gpgme/ctx.rb:428:in `decrypt'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:183:in `decrypt'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:15:in `encrypted_value'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:80:in `create_enc_token'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:100:in `create_token'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:71:in `parse_scanner'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:36:in `parse'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/edit.rb:74:in `execute'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/bin/eyaml:21:in `<top (required)>'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/eyaml:23:in `load'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/eyaml:23:in `<main>'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/ruby_executable_hooks:15:in `eval'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/ruby_executable_hooks:15:in `<main>'

I think this correlates to https://github.com/sihil/hiera-eyaml-gpg/blob/master/lib/hiera/backend/eyaml/encryptors/gpg.rb#L184 though I'm unsure as to how to fix this.

Cannot edit files if you don't have a private key

I'm not sure if this is classified as a bug or a missing feature, or if I'm just "doing it wrong", but ....

I am trying to have a setup where our team will all have access to the public keys, but not necessarily all people will have access to the private keys (for security reasons). And I want people who do not have a private key to still be able to "edit" eyaml files. Essentially, they should be able to add new encrypted values or alter existing ones, but not view existing ones. I know this is possible from a pure GPG point of view, but maybe eyaml doesn't support it? (I mean the base eyaml package, not eyaml-gpg)

Is this possible currently? Is it on the roadmap? (If not I can work around, but it's inconvenient) Thanks in advance

blank lines in a recipients file results in the first key in the being used to encrypt the secrets

If a blank line is in the recipients file the call to the underlying gpgme (https://github.com/ueno/ruby-gpgme/blob/535673d188da06c6cdbd80a69cc67e09387ef2ae/lib/gpgme/ctx.rb#L305) which uses a pattern patch results in the first key in the users key chain being used as a key for encryption.

I know we can check that there are no blank lines in our recipients files but for those not aware of this there should be some protection.

change :gnupghome to :gpg_gnupghome to be consistent with hiera.yaml variable?

Hi,

Can we change the code so it is a little more consistent? I was confused by the error messages in the code.

Pull request to follow:

           self.options = {
-            :gnupghome => { :desc => "Location of your GNUPGHOME directory",
-                            :type => :string,
-                            :default => "#{ENV[["HOME", "HOMEPATH"].detect { |h| ENV[h] != nil }]}/.gnupg" },
+            :gpg_gnupghome => { :desc => "Location of your GNUPGHOME directory",
+                                :type => :string,
+                                :default => "#{ENV[["HOME", "HOMEPATH"].detect { |h| ENV[h] != nil }]}/.gnupg" },

missing git tags

Could we please have git tags for the already released versions?

Support for puppetserver (jruby)

currently hiera-eyaml-gpg fails to install with puppetserver, probably because the gpgme extension is not available/compatible with JRuby.

Any plans on adding support?

Regards

Output is Garbled if contention occurs on GPG random_seed.

I've discovered today that if contention occurs on the GPG random seed, the output from the puppet provider will get garbled as it will also contain a warning from GPG.

This is because the default behaviour for Puppet::Util::Execution.execute is to failonfail and combine both stdout and stderr together to form the output.

This results in much hilarity when during high load you end up with this in the server logs.

2019-08-19T11:54:54.272Z WARN [qtp723543146-384002] [c.p.p.ShellUtils] Executed an external process which logged to STDERR: waiting for lock on /opt/puppetlabs/server/data/puppetserver/gnupg/random_seed'... waiting for lock on /opt/puppetlabs/server/data/puppetserver/gnupg/random_seed'...

Unfortunately its not only printed on the server, but the "waiting for lock warning" is also then added to the output and added to things like config files, which don't take to kindly to newlines :)

I've a patch for this, I'll tag it momentarily.

Support selecting key if more than one secret key exists

I have two GPG secret keys in my keyring.

I think the wrong one is listed first, so any 'encrypt' operations result in this:

/home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/ctx.rb:432:in `encrypt': General error (GPGME::Error::General)
    from /home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/crypto.rb:99:in `encrypt'
    from /home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/ctx.rb:67:in `new'
    from /home/andy/.gem/ruby/1.8/gems/gpgme-2.0.2/lib/gpgme/crypto.rb:90:in `encrypt'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-gpg-0.2/lib/hiera/backend/eyaml/encryptors/gpg.rb:123:in `encrypt'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-1.3.4/lib/hiera/backend/eyaml/actions/encrypt_action.rb:38:in `execute'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-1.3.4/lib/hiera/backend/eyaml/CLI.rb:101:in `execute'
    from /home/andy/.gem/ruby/1.8/gems/hiera-eyaml-1.3.4/bin/eyaml:13
    from /home/andy/.gem/ruby/1.8/bin/eyaml:19:in `load'
    from /home/andy/.gem/ruby/1.8/bin/eyaml:19

I'm running Ruby 1.8 (for Puppet 2.7.x compatibility) on Arch Linux, with the following gems installed:

gpgme (2.0.2)
hiera (1.1.1)
hiera-eyaml (1.3.4)
hiera-eyaml-gpg (0.2)

Cannot decrypt !

Apparently a known issue opened on hiera-yaml:
voxpupuli/hiera-eyaml#206

hiera5 support

Hi gang,

I am trying to get this to work with hiera5.
From what I can tell this isn't even working at all.

Can someone confirm whether this works with hiera5?

Cannot use backend