Decrypted Indentation wrong #219

Open
c33s opened this issue Jan 23, 2017 · 11 comments

@c33s
Member

c33s commented Jan 23, 2017

maybe related to:

info:

  • eyaml version: [hiera-eyaml-core] hiera-eyaml (core): 2.1.0
  • running (encrypting) on windows in bash
  • deploying to a vagrant centos/debian box with puppet provisioner
  • yaml info (taken from https://en.wikipedia.org/wiki/YAML)
    • | -> keeps newline
    • > -> folds newline

dummy hiera keys:


node.yaml

  dummy:
   private: |
      ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
      Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
      P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
      1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
      JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
      2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
      QEPM5xLW0unCsQ==
      ---- END SSH2 ENCRYPTED PRIVATE KEY ----

correctly leads to broken id_rsa:

---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123" P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS 1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj 2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr QEPM5xLW0unCsQ== ---- END SSH2 ENCRYPTED PRIVATE KEY ----

switching to the | makes the id_rsa file valid:

---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
QEPM5xLW0unCsQ==
---- END SSH2 ENCRYPTED PRIVATE KEY ----

so this issue is not about yaml used wrong.

adding DEC::PKCS7[****]! around the key

accounts::key_sets:
  dummy:
   private: |
      DEC::PKCS7[---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
      Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
      P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
      1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
      JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
      2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
      QEPM5xLW0unCsQ==
      ---- END SSH2 ENCRYPTED PRIVATE KEY ----]!

and encrypting it while using | leads to:

accounts::key_sets:
  dummy:
   private: |
      ENC[PKCS7,...]

getting decrypted on the node to a broken rsa_id:

---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
      Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
      P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
      1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
      JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
      2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
      QEPM5xLW0unCsQ==
      ---- END SSH2 ENCRYPTED PRIVATE KEY ----

changing the yaml line break operator to > leads to the following encrypted file:

accounts::key_sets:
  dummy:
   private: >
      ENC[PKCS7,MIIDXQYJKoZIhvcNAQcDoIIDTjCCA0oCAQAxggEhMIIBHQIBADAFMAACAQEw
      DQYJKoZIhvcNAQEBBQAEggEAs4XRII639JgvZ+O7QJvxgheoDHDvdpFnB2JH
      NNUuk4BxWkd+GQiNfit+VIem+47GO/YKffs5+moU4jLLaqod2WWMZDpD7Rsw
      whF5F2NXG3KeFuOEusaz/IxX9blGqn37aE9C7VWQIZANnJjHaCORN1BgERub
      O5CMSjpC7aE+1OIKF3aV0VsAruc5R9RGZA46H2WodscwIvq9K1hpylZbJX34
      zKbYDIIBOlmguU87uWZndXaINN4IXFne9poM6njHHfSJ/oUpc4mYHhhK3rYJ
      D56NzoplhLYxwIU8AKHitWx82ez6w5OL1mR5C9Q+4Mmv0zopI5d4/DuMfUwC
      U7XdGDCCAh4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJ1xJ1+hHM/qzWNB
      Xs8NkdOAggHwZoLwPjYhhlULJAUl9mZd3c1Dt5zVuLjFt/nD0Krkx/pwcLO4
      S4WEetx1PVUnB6Nwh273l4Cuz+bJblgBLrHVvJUwjyeZuUHgLIvZu9VVPx/S
      YNyvDXgZeeGR+EVbeyH7MH/0pVMSx3dxNU7EAp3MCfZ2lV+uRBcTBCvqO9uz
      PK1HjJRFVLhEqjRajiiEpSOiYoLl/T5cPInyYqAalSsNGzi4a3LyPugZUaD5
      kLWytBk+4Tf64Ayy7oQOOML16TtKgA7cQ7Dj26RM8HGwZZ/KX40RIM4JjK13
      ru+W82u1B1D+KjNoTUOHIRpm2UhQVoBngpFn4iiwm/hu4teK7zEUMg4edQ4k
      9os+WkmlefVYv+6n6/0CpQBMF1RNNMm58Wp3aHB4Iv4HzXrkAsxrtysMEk06
      M60BsHRlVDcbgpG64WVziiOdzNB7r8h1iISsFtqRGxBw/E+4g8qV0v2LWs2n
      4touC7MaGbiUQrGMJBq3nHE5iof8o6iZM1atFVcRTk6lhexo9+qo3JD/hJvf
      eNYZ4JYHlsxHnrAG2Tritqn/9+Edefnjccln5DySyU5uynwiDW2wOOV9651V
      jilmuiy6sTm3WYRIK/KEViBzVIhErSXI18U+REwXS0ZlJHXVIs1ZyWF7ixp1
      rCABfKCb3+87/A==]

which also gets decrypted on the client as:

---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
      Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
      P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
      1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
      JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
      2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
      QEPM5xLW0unCsQ==
      ---- END SSH2 ENCRYPTED PRIVATE KEY ----
@c33s
Member Author

c33s commented Apr 28, 2017

any info on this? are there others having the same problem? debug hints? this issue really breaks hiera-eyaml.

@rnelson0
Sponsor Member

rnelson0 commented May 3, 2017

@c33s I believe that the ENC[] is capturing both the newlines and the spaces. Can you try embedding newline characters in a single line, like this?

accounts::key_sets:
  dummy:
   private: ENC[PKCS7,MIIDXQYJKoZIhvcNAQcDoIIDTjCCA0oCAQAxggEhMIIBHQIBADAFMAACAQEw\nDQYJKoZIhvcNAQEBBQAEggEAs4XRII639JgvZ+O7QJvxgheoDHDvdpFnB2JH\nNNUuk4BxWkd+GQiNfit+VIem+47GO/YKffs5+moU4jLLaqod2WWMZDpD7Rsw\nwhF5F2NXG3KeFuOEusaz/IxX9blGqn37aE9C7VWQIZANnJjHaCORN1BgERub\nO5CMSjpC7aE+1OIKF3aV0VsAruc5R9RGZA46H2WodscwIvq9K1hpylZbJX34\nzKbYDIIBOlmguU87uWZndXaINN4IXFne9poM6njHHfSJ/oUpc4mYHhhK3rYJ\nD56NzoplhLYxwIU8AKHitWx82ez6w5OL1mR5C9Q+4Mmv0zopI5d4/DuMfUwC\nU7XdGDCCAh4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJ1xJ1+hHM/qzWNB\nXs8NkdOAggHwZoLwPjYhhlULJAUl9mZd3c1Dt5zVuLjFt/nD0Krkx/pwcLO4\nS4WEetx1PVUnB6Nwh273l4Cuz+bJblgBLrHVvJUwjyeZuUHgLIvZu9VVPx/S\nYNyvDXgZeeGR+EVbeyH7MH/0pVMSx3dxNU7EAp3MCfZ2lV+uRBcTBCvqO9uz\nPK1HjJRFVLhEqjRajiiEpSOiYoLl/T5cPInyYqAalSsNGzi4a3LyPugZUaD5\nkLWytBk+4Tf64Ayy7oQOOML16TtKgA7cQ7Dj26RM8HGwZZ/KX40RIM4JjK13\nru+W82u1B1D+KjNoTUOHIRpm2UhQVoBngpFn4iiwm/hu4teK7zEUMg4edQ4k\n9os+WkmlefVYv+6n6/0CpQBMF1RNNMm58Wp3aHB4Iv4HzXrkAsxrtysMEk06\nM60BsHRlVDcbgpG64WVziiOdzNB7r8h1iISsFtqRGxBw/E+4g8qV0v2LWs2n\n4touC7MaGbiUQrGMJBq3nHE5iof8o6iZM1atFVcRTk6lhexo9+qo3JD/hJvf\neNYZ4JYHlsxHnrAG2Tritqn/9+Edefnjccln5DySyU5uynwiDW2wOOV9651V\njilmuiy6sTm3WYRIK/KEViBzVIhErSXI18U+REwXS0ZlJHXVIs1ZyWF7ixp1\nrCABfKCb3+87/A==]

I don't think the alternative, chopping out the indents, will work because it may affect the YAML parsing, but you can try that, too.

@derkgort

derkgort commented Mar 3, 2018

@c33s I've been struggling with this too.
My solution for now is this:

regsubst(lookup("one::two", String), '\s\s+', "\n", 'G')

Not pretty..
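
Added example, not part of the thread and not hiera-eyaml's own code: a Ruby model of the behaviour reported in this issue, with a repair that strips only the captured indentation, next to a Ruby equivalent of the `regsubst` workaround above. The text-level capture of `DEC::PKCS7[...]!` is an assumption that matches the reported output, Base64 stands in for PKCS7, and all sample data is constructed.

```ruby
# Constructed sample; the key body is a short placeholder, not real key material.
require 'yaml'

EDIT_VIEW = <<~'EYAML'
  accounts::key_sets:
    dummy:
      private: |
        DEC::PKCS7[---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
        Comment: "constructed  sample"
        QUJDREVGRw==
        ---- END SSH2 ENCRYPTED PRIVATE KEY ----]!
EYAML

# Assumption: the encrypt step treats the file as text and takes everything
# between DEC::PKCS7[ and ]! verbatim. Base64 (pack 'm0') stands in for PKCS7.
def encrypt_file(text)
  text.gsub(/DEC::PKCS7\[(.*?)\]!/m) { "ENC[PKCS7,#{[$1].pack('m0')}]" }
end

# What the node sees: YAML strips the block indentation of the ENC[...] token,
# but the indentation sealed inside the ciphertext comes back on decryption.
def decrypt_value(encrypted_yaml)
  value = YAML.safe_load(encrypted_yaml)['accounts::key_sets']['dummy']['private']
  value.gsub(/ENC\[PKCS7,(.*?)\]/) { $1.unpack1('m0') }
end

# Repair: remove only the indentation shared by the continuation lines.
def strip_captured_indent(value)
  first, *rest = value.lines
  widths = rest.reject { |l| l.strip.empty? }.map { |l| l[/\A[ \t]*/].size }
  indent = widths.min || 0
  first.to_s + rest.map { |l| l.strip.empty? ? l : l[indent..-1] }.join
end

# Ruby equivalent of the thread's regsubst(..., '\s\s+', "\n", 'G') workaround.
def thread_workaround(value)
  value.gsub(/\s\s+/, "\n")
end

DECRYPTED = decrypt_value(encrypt_file(EDIT_VIEW))
```

The two repairs agree only when the secret contains no run of two or more whitespace characters: the sample's double space inside the comment survives `strip_captured_indent` but becomes a line break under `thread_workaround`.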

@cyberious

Not sure if relevant but we use hiera-eyaml-gpg and do this all day long and we never have the | before the value, we take it in place using DEC::GPG[.....]! right inline and bam works just fine, are you adding the pipe as a pretty print option?

@rledousa

+1 breaks storing SSL keys and certs. Using derkgort's workaround

@c33s
Member Author

c33s commented Jan 20, 2019

@derkgort thank you. your "not pretty" workaround works nicely.

@rnelson0 how should this work? adding newlines to an already encrypted string sounds not really helpful. or did you mean to add it to DEC[xxxxxxxx]!? even if this would work, it is really not a solution. generating a key and then having to convert it to a single line with self-added newlines is more than cumbersome. automate on one hand and adding manual steps on the other hand :)

hoped that the migration to voxpupuli would lead to a fix for this. if i would be a ruby coder, i would fix it myself but sadly i am not.

@kBite
Contributor

kBite commented Sep 10, 2020

As a workaround directly in Hiera I came up with the following solution. Notice the whitespaces after opening [. The line must be indented 6 whitespaces. eyaml always prepends 2 whitespaces. I don't know why, I haven't looked into the code, but works for me.

eyaml edit ssh_key.eyaml

---
accounts::key_sets:
  dummy:
    private: >
    DEC::PKCS7[    ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
    Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
    P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
    1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
    JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
    2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
    QEPM5xLW0unCsQ==
    ---- END SSH2 ENCRYPTED PRIVATE KEY ----]!

... which results in encrypted ...

---
accounts::key_sets:
  dummy:
    private: >
    ENC[PKCS7,MIIDTQYJKoZIhvcNAQcDoIIDPjCCAzoCAQAxggEhMIIBHQIBADAFMAACAQEw
    DQYJKoZIhvcNAQEBBQAEggEAXH7xB1xuzoMAqA/3jSXO0ZUR6+UCb3DsTTj3
    Lsrcx5oQBnJ/ml7GfBCPxBKfArZunLcnxmSk4hECKXdfgKsVjAa++JQWvtEm
    HUNTFqvwd76Ku+nMfI9c8g+X+l6obLjzWfJdg3t6Ja7CJKl8UNFtSmbfYKVi
    nZ0xBubgdY4plLAFcZyD5/A/lNFqwb051TRLbZOIRRfLUlRL7RNkKRC59Aog
    S5aJXjmqx6vRzFifNK0JFZvYHGD75TiHJ5LFjg4rjgFd43AnK8iNo773ZWP2
    48Gly5Zx7qVQDCDDi1YBgNFb0NIBQw+kWy7HcPH2REvPnXu/HV2FWvDP3Ond
    yr2EbTCCAg4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEH+CjZJ1gKfaQIrr
    N5zef7OAggHgBmRVsfaoiNEOzhmHZ5SxxZztmpBNtLv7mteaSqSL5o0TtKQh
    SDgxBhaQmlL51+JM1Jsnvqm57ikZhj7Vtek/vr5DhYhWs0AxttH5rNaw0zKU
    4bMppVu+SNKCtT+2Qw31x/S7gF7yVl+mwmXhq3qAj9ExWRX3d/8/zTuC61Io
    f+7O6YUOucZ/m/YPrQnC5v7bDSKlIf1aFaKqukjM3QO8FZlAOHGPvRuWV2Om
    QIgxQE6F8r+bTkW3KiVIx5FEIthRZ90VS3tz/2wjj77svddBhlid9ov/0ard
    GGVNGsl1BFpLqxC0mpZXz237cL/aM58naqmX52J6YmC0xQM3DNmahWlYx1HV
    J/Ogk12pOYPLJB/09OuoHPzKC4WfpB9B7wAC6pghRkO/84cOw6rgSdbzze5W
    WMPvo181Y74BSBKhJDdO3lWYmEcDyx4TEsMUlpxd9PBDcOHqf9qHviXrwGzO
    oSm2bUV0Fum5ueU+D2vu3mO0yIQ6fwyvDZLBRjfJV7K/PyDz81feWT6+g38t
    AC27c0h8wk9b7HYfqG28nZE7F13qrhwCKnOaYLglsmbszNpRrBhfo1IHF6oM
    YZRZrnrGQg5qQcxMsLq37RAfRgkY0rRLs78EEAhkf4NDxw0A/ovt]

EDIT: you have to re-add two whitespaces in the encrypted file to make it valid YAML again

accounts::key_sets:
  dummy:
    private: >
      ENC[PKCS7,MIIDTQYJKoZIhvcNAQcDoIIDPjCCAzoCAQAxggEhMIIBHQIBADAFMAACAQEw
      DQYJKoZIhvcNAQEBBQAEggEAXH7xB1xuzoMAqA/3jSXO0ZUR6+UCb3DsTTj3
      Lsrcx5oQBnJ/ml7GfBCPxBKfArZunLcnxmSk4hECKXdfgKsVjAa++JQWvtEm
      HUNTFqvwd76Ku+nMfI9c8g+X+l6obLjzWfJdg3t6Ja7CJKl8UNFtSmbfYKVi
      nZ0xBubgdY4plLAFcZyD5/A/lNFqwb051TRLbZOIRRfLUlRL7RNkKRC59Aog
      S5aJXjmqx6vRzFifNK0JFZvYHGD75TiHJ5LFjg4rjgFd43AnK8iNo773ZWP2
      48Gly5Zx7qVQDCDDi1YBgNFb0NIBQw+kWy7HcPH2REvPnXu/HV2FWvDP3Ond
      yr2EbTCCAg4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEH+CjZJ1gKfaQIrr
      N5zef7OAggHgBmRVsfaoiNEOzhmHZ5SxxZztmpBNtLv7mteaSqSL5o0TtKQh
      SDgxBhaQmlL51+JM1Jsnvqm57ikZhj7Vtek/vr5DhYhWs0AxttH5rNaw0zKU
      4bMppVu+SNKCtT+2Qw31x/S7gF7yVl+mwmXhq3qAj9ExWRX3d/8/zTuC61Io
      f+7O6YUOucZ/m/YPrQnC5v7bDSKlIf1aFaKqukjM3QO8FZlAOHGPvRuWV2Om
      QIgxQE6F8r+bTkW3KiVIx5FEIthRZ90VS3tz/2wjj77svddBhlid9ov/0ard
      GGVNGsl1BFpLqxC0mpZXz237cL/aM58naqmX52J6YmC0xQM3DNmahWlYx1HV
      J/Ogk12pOYPLJB/09OuoHPzKC4WfpB9B7wAC6pghRkO/84cOw6rgSdbzze5W
      WMPvo181Y74BSBKhJDdO3lWYmEcDyx4TEsMUlpxd9PBDcOHqf9qHviXrwGzO
      oSm2bUV0Fum5ueU+D2vu3mO0yIQ6fwyvDZLBRjfJV7K/PyDz81feWT6+g38t
      AC27c0h8wk9b7HYfqG28nZE7F13qrhwCKnOaYLglsmbszNpRrBhfo1IHF6oM
      YZRZrnrGQg5qQcxMsLq37RAfRgkY0rRLs78EEAhkf4NDxw0A/ovt]

For some reason eyaml does not care about indentation of the encrypted block, but restores whatever it was before encryption.
/EDIT.

... which is decrypted to ...

---
accounts::key_sets:
  dummy:
    private: |
      ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
      Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
      P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
      1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
      JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
      2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
      QEPM5xLW0unCsQ==
      ---- END SSH2 ENCRYPTED PRIVATE KEY ----

@igalic

igalic commented Sep 12, 2020

can we close this now?

@c33s
Member Author

c33s commented Sep 12, 2020

@igalic would be great if this can be fixed and not call the workaround as a fix.

@igalic

igalic commented Sep 12, 2020

i misunderstood then

@dploeger

It's interesting that hiera doesn't seem to care about this. I just noticed it while trying to convert the decrypted files to json and saw that they're invalid. We're also deploying private keys with this and Hiera never had a problem with the invalid yamls.

So yeah, please fix encrypting multiline strings.
