There are situations when you want to store secrets like passwords, tokens
or usernames in Hiera. The default way to do this is to use Hieras e(ncrypted)YAML
implementation based on PKCS7.

Pros and cons of the two EYAML mechanisms

eYAML

eYAML uses a public/private keypair. The public key goes out to all users. They are able to encrypt content; then, the private key is stored somewhere
safe and on the Puppetservers. This key is the only way to decrypt content.