[chef-dev] Re: How Secure is an encrypted data bag, really?


  • From: Peter Loron < >
  • To: Bryan Taylor < >
  • Cc: " Dev" < >
  • Subject: [chef-dev] Re: How Secure is an encrypted data bag, really?
  • Date: Fri, 4 Oct 2013 10:24:25 -0700

If your chef server is compromised, you're hosed. They could potentially gain access to any databags, as well as being able to run arbitrary code on any node that has converged since the server was compromised. Depending on what nodes are being managed on your network, this could lead to a complete compromise of your environment. 

As far as I know there is no protection against this. The server is, by definition, the authoritative source of cookbooks, databags, etc. If your chef server is compromised, you're hosed.

You may be able to mitigate this risk somewhat by keeping another "reference" copy of things elsewhere and having a script that repeatedly compares what is on the chef server against that reference.

Best bet is all of the stuff you should be doing with any sensitive asset: restricting physical and network access, rotating strong passwords, network compartmentalization, regular audits, log monitoring, etc, etc.

-Pete

On Oct 3, 2013, at 10:23 PM, Bryan Taylor < > wrote:


If an attacker gains access to the chef server, can they not alter cookbook code that chef clients eventually run to obtain the data bag decryption keys this way?  Is there any protection against this? If not, are there still scenarios where the encryption does add value?



