[chef] Re: Re: Re: Re: encrypted databag sadness


  • From: Maven User < >
  • To:
  • Subject: [chef] Re: Re: Re: Re: encrypted databag sadness
  • Date: Mon, 16 Jul 2012 16:47:24 -0400

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret' setting in knife.rb. You will want to add this line to your knife.rb:

encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data bag key is located. When you run knife bootstrap afterwards it automatically adds this line to the client.rb for the node you are bootstrapping and copies the key over.


But, the issue is it transfers the key as "encrypted_data_bag_secret".  Is there any way to control the NAME of the key on the target system?


On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti wrote:
Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to /etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti


On Mon, Jul 16, 2012 at 3:05 PM, Maven User wrote:
>
> Are there any other details about this technique somewhere?
>
> And is this file only living on the place where you're launching knife from?
>
>
> On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti wrote:
>>
>> On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:
>>
>> Hi all -
>>
>> We're contemplating storing the values of some ssl keys and certificates in an encrypted databag, but I have a couple of questions:
>>
>> 1 - Is there a way to have "local" encrypted databags?  I was able to create an encrypted databag on our chef server, list the encrypted values and copy/pasted them into a local json file.  Using the key that will successfully decrypt the values from the databag stored on the server, I cannot decrypt the same values out of the local .json file.  Shouldn't that work?
>> 2 - What is the standard way to get the key for decrypting databag values on a machine?  We're trying to do this in an automated fashion and haven't found a place that best suits automated bootstrapping - what are people doing?
>> 3 - Some of the crt and key values are escape characters - is it possible to escape them without screwing up the actual values?
>>
>> Thanks a million :-/
>>
>> We write the databag secret to disk as part of our custom bootstrap template. It's built into the default bootstraps though (https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42) as long as you have the encrypted secret configured in client.rb on the machine initiating the bootstrap. As far as the certificates themselves go, what format are your certificates in? I would look into storing them in PEM format since they'd be base64 encoded and you wouldn't have to worry about escaping anything.
>>
>> Dan
>
>
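The "local" decryption asked about in question 1 and the PEM round-trip from question 3, as an added Ruby example that is not code from the thread or from Chef itself. It assumes the Chef 10-era data bag encryption scheme (aes-256-cbc keyed from the shared secret via OpenSSL's pkcs5_keyivgen, values YAML-serialized then base64-encoded), which is my recollection of that format and not something the thread states; the secret, which on a bootstrapped node would be read from the /etc/chef/encrypted_data_bag_secret path Matt mentions, is a constructed string here.

```ruby
require 'openssl'
require 'base64'
require 'yaml'
require 'json'

# Assumed Chef 10-era ("version 0") scheme: aes-256-cbc, key and IV derived from
# the shared secret with OpenSSL's unsalted pkcs5_keyivgen, value stored as YAML.
ALGORITHM = 'aes-256-cbc'

def cipher_for(secret, mode)
  c = OpenSSL::Cipher.new(ALGORITHM)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.pkcs5_keyivgen(secret) # assumed derivation; same secret -> same key/IV on every node
  c
end

def encrypt_value(value, secret)
  c = cipher_for(secret, :encrypt)
  Base64.encode64(c.update(value.to_yaml) + c.final)
end

def decrypt_value(ciphertext, secret)
  c = cipher_for(secret, :decrypt)
  YAML.safe_load(c.update(Base64.decode64(ciphertext)) + c.final) # strings only, so safe_load suffices
end

# Encrypt every field except "id", as a data bag item is laid out; the result can be written to a JSON file.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_value(v, secret) }
end

# Decrypt an item read back from a local JSON file (the "local encrypted databag" of question 1).
def decrypt_item(json_text, secret)
  JSON.parse(json_text).each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_value(v, secret) }
end

# Constructed sample values. The real secret file belongs on the node with mode 0600 and never
# in the repository next to the data bag; the PEM-style value shows newlines need no manual escaping.
SECRET = 'constructed-secret-not-for-real-use'
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed-not-a-real-cert...\n-----END CERTIFICATE-----\n"
SAMPLE_ITEM = { 'id' => 'web_ssl', 'cert' => SAMPLE_CERT, 'key' => "constructed key\nwith newline\n" }

# Full round trip through a JSON document, as the local-file workflow would do it.
def roundtrip_ok?
  local_json = JSON.pretty_generate(encrypt_item(SAMPLE_ITEM, SECRET))
  decrypt_item(local_json, SECRET) == SAMPLE_ITEM
end

puts roundtrip_ok? if $PROGRAM_NAME == __FILE__
```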
