[chef] Re: encrypted databag sadness

[Daniel Condomitti < >]

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all - 

We're contemplating storing the values of some ssl keys and certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags?  I was able to create an encrypted databag on our chef server, list the encrypted values and copy/pasted them into a local json file.  Using the key that will successfully decrypt the values from the databag stored on the server, I cannot decrypt the same values out of the local .json file.  Shouldn't that work?

2 - What is the standard way to get the key for decrypting databag values on a machine?  We're trying to do this in an automated fashion and haven't found a place that best suits automated bootstrapping - what are people doing?

3 - Some of the crt and key values are escape characters - is it possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap template. It's built into the default bootstraps though (https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42) as long as you have the encrypted secret configured in client.rb on the machine initiating the bootstrap. As far as the certificates themselves go, what format are your certificates in? I would look into storing them in PEM format since they'd be base64 encoded and you wouldn't have to worry about escaping anything.

Dan