As an administrator managing sensitive data with Puppet,
I would like to flag resources that contain sensitive data,
so that PuppetDB can remove or redact this data before storing it.
A puppet-based configuration management system sometimes handles sensitive data such as encryption keys or passwords. This data can be stored in an encrypted form prior to an agent run by using tools such as hiera-eyaml. PuppetDB could provide similar tools for secured storage of the outputs of a Puppet run: the catalog and report.