[chef] Re: Re: Re: Distribute private ssh keys via users cookbook


  • From: Cassiano Leal
  • Subject: [chef] Re: Re: Re: Distribute private ssh keys via users cookbook
  • Date: Wed, 9 Jan 2013 19:18:07 -0200

On Wednesday, January 9, 2013 at 19:10, Sean OMeara wrote:
> This depends on your application and needs, but....
>
> It should be worth noting that encrypted databags in this case are
> just shifting the problem around.
> You still have to drop a secret on the node, out of band of
> chef-client, to decrypt a secret.

I understand that, but that's always the case with encrypted data bags, and I already will have to deal with it. 

> There are examples of generating a secret where it belongs and
> exporting the public half via the node object. I know the Jenkins
> cookbook on the community site does this with SSH keys. Ohai exposes
> host_dsa_public and host_rsa_public attributes by default in a node
> object.

That would be great if it was feasible. The problem is that after that I would need to have the public key installed on the git repo (in this specific case, on bitbucket). That could work for a couple of nodes, but once I need to deploy to a cluster, I will have to manually add each node's key to the repository, and that would very quickly escalate into a problem (too much manual work, keys for nodes that have already been decommissioned still hanging around, …)

> Check out the PKI cookbook for a (kinda ghetto) example of how to do
> this with SSL certs.
> -s

Will do.

- cassiano


> On Wed, Jan 9, 2013 at 3:59 PM, Phil Mocek wrote:
> > On Wed, Jan 09, 2013 at 05:40:25PM -0200, Cassiano Leal wrote:
> > > Is there a way to securely distribute private ssh keys through
> > > the users community cookbook?
> >
> > Yes.
> >
> > > I saw that the users cookbook will use "ssh_private_key" and
> > > "ssh_public_key" data bag items, but those would be unencrypted,
> > > so not secure.
> >
> > That is not the case when you use [encrypted data bags][1].
> >
> >
> > References:
> >
> >
> > --
> > Phil Mocek
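Added example (not from this thread, and not code from the users, jenkins or pki cookbooks it mentions): plain Ruby on the standard library's OpenSSL, showing the pattern Sean describes of generating the secret where it belongs and letting only the public half leave the node. The function and file names (generate_node_deploy_key, id_rsa_deploy, the key comment) are assumptions made for the illustration; in a recipe the equivalent would run from a ruby_block and the returned public line would be stored on the node object, which the script leaves to the caller. It does not address the per-node registration Cassiano raises; it only ensures the private half is never transported.

```ruby
# Added example: generate an SSH keypair on the node, keep the private half
# there with 0600 permissions, return only the OpenSSH public line.
# Plain Ruby, no Chef required; names and paths are illustrative.
require 'openssl'
require 'base64'
require 'fileutils'
require 'tmpdir'

# SSH wire-format helpers (RFC 4253, section 5).
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes
end

def ssh_mpint(bn)
  bytes = bn.to_s(2)                                   # big-endian magnitude
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80 # keep mpint positive
  ssh_string(bytes)
end

# "ssh-rsa AAAA... comment" form, the same line an authorized_keys file holds.
def openssh_public_line(rsa, comment)
  blob = ssh_string('ssh-rsa'.b) + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"
end

# Parse the line back into its fields (what the receiving side does).
def parse_openssh_public_line(line)
  type, b64, = line.split(' ', 3)
  blob = Base64.strict_decode64(b64)
  fields = []
  until blob.empty?
    len = blob.unpack1('N')
    fields << blob.byteslice(4, len)
    blob = blob.byteslice(4 + len, blob.bytesize)
  end
  { type: type,
    e: OpenSSL::BN.new(fields[1], 2),
    n: OpenSSL::BN.new(fields[2], 2) }
end

# Generate the keypair on the node, write the private key 0600 in a 0700
# directory, and return the public half as the only exportable artefact.
def generate_node_deploy_key(dir, comment, bits: 2048)
  rsa = OpenSSL::PKey::RSA.new(bits)
  FileUtils.mkdir_p(dir, mode: 0o700)
  priv_path = File.join(dir, 'id_rsa_deploy')          # assumed file name
  File.open(priv_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.write(rsa.to_pem)                                # private key stays here
  end
  File.chmod(0o600, priv_path)
  pub = openssh_public_line(rsa, comment)
  File.write("#{priv_path}.pub", pub + "\n")
  { private_path: priv_path, public_key: pub }
end

if __FILE__ == $PROGRAM_NAME
  result = generate_node_deploy_key(Dir.mktmpdir('deploykey'), 'deploy@example-node')
  puts result[:public_key]   # this line is what would go on the node object
end
```

The public line is what a recipe would publish (for example via a node attribute) and what an operator or an API call would register with the git host; the private file is never read back by the script, which is the whole point of the pattern.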



