voxpupuli / hiera-eyaml

A backend for Hiera that provides per-value asymmetric encryption of sensitive data
MIT License

Optionally caching decrypted values... #239

Open diranged opened 7 years ago

diranged commented 7 years ago

We're happily using Hiera-Eyaml and https://github.com/adenot/hiera-eyaml-kms to decrypt blobs on the fly on our puppet servers.. so thanks! The issue we're starting to run into though is that as we add more secrets, decryption takes longer and longer. We have 500-600 hosts at any given time, and we regularly spin up 50-100 hosts in short spans. As we add more and more secrets to our codebase, we are seeing compilation times start to hit 55-60s.

While there are arguments around security here.. I think it would be useful for the Hiera-Eyaml backend to optionally cache (in memory) the secrets it has decrypted. For people where in-memory attacks on the secrets aren't a big issue, this should significantly reduce the amount of CPU and time wasted in repeatedly decrypting the same things over and over.

Thoughts?

(In thinking about the implementation, I am wondering whether it would be simpler to do this in the underlying decryption/encryption backend.)
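An in-memory cache of the kind proposed above, as an added example and not code from hiera-eyaml or the linked KMS plugin: decrypted values are keyed by a digest of their ciphertext, expire after a TTL and are bounded in number, so repeated lookups of the same blob cost one backend call while plaintext does not linger indefinitely. The `CachingDecryptor` class, the `ttl`/`max_entries`/`clock` options and `FAKE_BACKEND` are assumptions made for the example.

```ruby
require 'digest'

# Hypothetical caching wrapper around a decryption backend (added example).
# The cache key is a SHA-256 of the ciphertext, so the ciphertext itself is
# never kept; entries expire after `ttl` seconds and the cache holds at most
# `max_entries` plaintexts, evicting the least recently used one first.
class CachingDecryptor
  attr_reader :backend_calls

  def initialize(backend, ttl: 300, max_entries: 1000,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @backend = backend          # callable: ciphertext -> plaintext (e.g. a KMS call)
    @ttl = ttl
    @max_entries = max_entries
    @clock = clock              # injectable for testing expiry
    @cache = {}                 # digest => [plaintext, expires_at], insertion-ordered
    @lock = Mutex.new           # compiling several catalogs concurrently shares this cache
    @backend_calls = 0          # how often the real backend was actually invoked
  end

  def decrypt(ciphertext)
    key = Digest::SHA256.hexdigest(ciphertext)
    @lock.synchronize do
      now = @clock.call
      plaintext, expires_at = @cache[key]
      if plaintext && expires_at > now
        @cache.delete(key)      # re-insert so it becomes most recently used
        @cache[key] = [plaintext, expires_at]
        return plaintext
      end
      plaintext = @backend.call(ciphertext)
      @backend_calls += 1
      @cache.delete(key)
      @cache[key] = [plaintext, now + @ttl]
      evict(now)
      plaintext
    end
  end

  def size
    @lock.synchronize { @cache.size }
  end

  private

  # Drop expired entries, then the oldest ones until the size bound holds.
  def evict(now)
    @cache.delete_if { |_, (_, expires_at)| expires_at <= now }
    @cache.shift while @cache.size > @max_entries
  end
end

# Constructed stand-in for a real backend: strips the ENC[...] wrapper and reverses the body.
FAKE_BACKEND = ->(blob) { blob.sub(/\AENC\[/, '').sub(/\]\z/, '').reverse }
```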

rnelson0 commented 7 years ago

@diranged do the changes in #239 address your request? Please feel free to test it and let us know how it improves your performance.