Using hiera-eyaml in Visual Studio Code

I’ve been working with Hiera’s awesome eyaml backend to encrypt secrets, certificates, and keys within Puppet. This provides the advantage of masking sensitive strings within a control repository. In my scenario, I am using GitHub to host Puppet’s control repository. hiera-eyaml provides a way to prevent the exposure of passwords and private keys in plaintext within both the remote repository and when the repository is cloned to a local filesystem.

I’m also an avid user of Visual Studio Code. If you haven’t checked it out, I highly recommend it. One of the many benefits of this editor is the ability to apply extensions. As it turns out, there’s an extension available in the Marketplace for hiera-eyaml that allows for encryption and decryption of data directly within the editor.


Before you install hiera-eyaml, make sure you have the following:

  • Visual Studio Code (preferably the latest version)
  • Ruby with eyaml
  • The PKCS7 public key, for encrypting data
  • The PKCS7 private key, for decrypting data

The easiest way to get everything you need is to install a local copy of the Puppet agent. In this example, I’m using Windows 10 x64 with the Puppet Agent version 5.5.16. The Puppet agent places a local ruby environment complete with the eyaml binaries in C:\Program Files\Puppet Labs\Puppet\sys\ruby\bin.


Begin by noting where the private and public key are stored. In this example, I’m storing the keys in C:\Users\jimmy\.puppetlabs\keys.

Install the hiera-eyaml extension from the Visual Studio Code Marketplace.

Lastly, the Visual Studio Code settings will need to be changed based on your environment. Open the settings.json by navigating to File, Preferences, Settings. Find the hiera-eyaml extension and then click Edit in settings.json.

Update the settings.json to include the necessary extension settings for hiera-eyaml. According to the documentation, there are five settings that can be applied:

  • eyamlPath: Path to the eyaml command line utility.
  • publicKeyPath: Path to the public key to use for encryption and decryption.
  • privateKeyPath: Path to private key to use for decryption.
  • outputFormat: Formatting to use for encrypted value (String or Block).
  • outputBlockSize: Specifies the length of each line when using Block output format.

In this example, I’ve applied three of the settings.

"hiera-eyaml": {
  "eyamlPath": "C:\\Program^ Files\\Puppet^ Labs\\Puppet\\sys\\ruby\\bin\\eyaml.bat",
  "publicKeyPath": "C:\\Users\\jimmy\\.puppetlabs\\keys\\public_key.pkcs7.pem",
  "privateKeyPath": "C:\\Users\\jimmy\\.puppetlabs\\keys\\private_key.pkcs7.pem"

Save the settings.json and you should be ready to encrypt and decrypt data. Test encryption by right-clicking a string and selecting Encrypt selection with eyaml. Test decryption by right-clicking the same string and selecting Decrypt selection with eyaml.


I troubleshot this extension by looking the the Output console. The most common issues are incorrectly specified paths in the settings.json.


Jimmy McNatt
Jimmy McNatt
Articles: 38