- From: Sean OMeara <
>
- To:
- Subject: [chef] Re: Re: Distribute private ssh keys via users cookbook
- Date: Wed, 9 Jan 2013 16:10:49 -0500
This depends on your application and needs, but....
It should be worth noting that encrypted databags in this case are
just shifting the problem around.
You still have to drop a secret on the node, out of band of
chef-client, to decrypt a secret.
There are examples of generating a secret where it belongs and
exporting the public half via the node object. I know the Jenkins
cookbook on the community site does this with SSH keys. Ohai exposes
host_dsa_public and host_rsa_public attributes by default in a node
object.
Check out the PKI cookbook for a (kinda ghetto) example of how to do
this with SSL certs.
-s
On Wed, Jan 9, 2013 at 3:59 PM, Phil Mocek
<
>
wrote:
>
On Wed, Jan 09, 2013 at 05:40:25PM -0200, Cassiano Leal wrote:
>
> Is there a way to securely distribute private ssh keys through
>
> the users community cookbook?
>
>
Yes.
>
>
> I saw that the users cookbook will use "ssh_private_key" and
>
> "ssh_public_key" data bag items, but those would be unencrypted,
>
> so not secure.
>
>
That is not the case when you use [encrypted data bags][1].
>
>
>
References:
>
>
[1]: <http://docs.opscode.com/essentials_data_bags_encrypt.html>
>
>
--
>
Phil Mocek
>
http://mocek.org/
Archive powered by MHonArc 2.6.16.