[chef-dev] Re: How Secure is an encrypted data bag, really?


  • From: Bryan Taylor < >
  • To: Joshua Miller < >
  • Cc: " Dev" < >
  • Subject: [chef-dev] Re: How Secure is an encrypted data bag, really?
  • Date: Fri, 4 Oct 2013 06:26:33 +0000

The question is really about encrypted vs regular data bags. I'm trying to find a scenario where someone can view an unencrypted data bag without being able to change cookbook contents. Unless there are such scenarios, I don't see any benefit to encrypting the data in a data bag.


Mostly your chef repo will not contain private info if you use encrypted data bags wisely. This allows you to share it with everyone with little concern they are going to get sensitive information.

Joshua



-- 
Joshua Miller
Sent with Sparrow

On Thursday, October 3, 2013 at 10:23 PM, Bryan Taylor wrote:


If an attacker gains access to the chef server, can they not alter cookbook code that chef clients eventually run to obtain the data bag decryption keys this way? Is there any protection against this? If not, are there still scenarios where the encryption does add value?



