Configure the password algorithm

Puppet Enterprise (PE) uses SHA-256 as a default password algorithm. You can use Hiera or the PE console to change the algorithm to argon2id by editing or adding password algorithm parameters.

Before you begin: Before changing your password algorithm to argon2id, review the Argon2 specifications on password-hashing.net.
If you have FIPS 140-2 enabled PE, use the default SHA-256 algorithm, because Argon2id isn’t available for FIPS-enabled systems.

puppet_enterprise::profile::console::password_algorithm

A string, either "SHA-256" or "ARGON2ID".

Always required.

Default: "SHA-256"

puppet_enterprise::profile::console::password_hash_output_size

An integer representing the desired hash output size in bytes.

Required for argon2id.

Default: 128 bytes

puppet_enterprise::profile::console::password_algorithm_parallelism

An integer representing the number of parallel computations that can be performed at once.

Required for argon2id.

Default: Twice the number of cores in your system.

puppet_enterprise::profile::console::password_algorithm_memory_in_kb

An integer representing the amount of memory, in KB, the algorithm consumes when running.

Required for argon2id.

No default value. We recommend initially setting this to 25% of your CPU memory.

puppet_enterprise::profile::console::number_of_iterations

An integer representing the number of times a password is hashed before it’s stored.

Always required, and we recommend updating this value when switching from SHA-256 to argon2id. The minimum recommended value for argon2id is 3 iterations.

Default: 500000 iterations.

puppet_enterprise::profile::console::password_salt_size_bytes

An integer representing the size, in bytes, of each generated salt.

Default: 128 bytes
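
Added example (not from the PE documentation or Puppet's own code): a small Ruby check that reads Hiera data for the parameters above and reports settings that conflict with this page's guidance before the algorithm is switched to argon2id. The function name, the messages and the sample values are assumptions; the sample assumes a host with 4 cores and 16 GiB of RAM.

```ruby
require 'yaml'

PREFIX = 'puppet_enterprise::profile::console::'
SHA256_DEFAULT_ITERATIONS = 500_000 # page default for number_of_iterations
ARGON2ID_MIN_ITERATIONS = 3         # page's minimum recommended value

# Returns a list of problems in parsed Hiera data (a Hash); empty means OK.
# fips: true when the PE installation is FIPS 140-2 enabled.
def check_password_settings(hiera, fips: false)
  get = ->(name) { hiera[PREFIX + name] }
  algorithm = get.call('password_algorithm') || 'SHA-256'
  unless %w[SHA-256 ARGON2ID].include?(algorithm)
    return ["password_algorithm must be SHA-256 or ARGON2ID, got #{algorithm.inspect}"]
  end
  return [] if algorithm == 'SHA-256'

  problems = []
  problems << 'ARGON2ID is not available on FIPS-enabled PE' if fips
  # memory_in_kb has no default, so it must be set explicitly.
  if get.call('password_algorithm_memory_in_kb').nil?
    problems << 'password_algorithm_memory_in_kb has no default and is not set'
  end
  # Size and cost parameters, when present, must be positive integers.
  %w[password_hash_output_size password_algorithm_parallelism
     password_algorithm_memory_in_kb password_salt_size_bytes].each do |name|
    value = get.call(name)
    next if value.nil? || (value.is_a?(Integer) && value.positive?)
    problems << "#{name} must be a positive integer"
  end
  # The page recommends updating the iteration count when switching algorithms.
  iterations = get.call('number_of_iterations')
  if iterations.nil? || iterations == SHA256_DEFAULT_ITERATIONS
    problems << 'number_of_iterations is still the 500000 default; update it for argon2id'
  elsif !iterations.is_a?(Integer) || iterations < ARGON2ID_MIN_ITERATIONS
    problems << 'number_of_iterations is below the recommended minimum of 3'
  end
  problems
end

# Constructed sample: parallelism = 2 x 4 cores, memory = 25% of 16 GiB in KB.
SAMPLE_HIERA = YAML.safe_load(<<~HIERA)
  puppet_enterprise::profile::console::password_algorithm: ARGON2ID
  puppet_enterprise::profile::console::password_hash_output_size: 128
  puppet_enterprise::profile::console::password_algorithm_parallelism: 8
  puppet_enterprise::profile::console::password_algorithm_memory_in_kb: 4194304
  puppet_enterprise::profile::console::number_of_iterations: 3
  puppet_enterprise::profile::console::password_salt_size_bytes: 128
HIERA

puts check_password_settings(SAMPLE_HIERA).inspect
```

The YAML inside the heredoc has the shape of a Hiera data file, so the same keys can be adapted to your own core count and memory.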
