chef - [chef] Re: Re: Re: Handling of encrypted data bag keys

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Re: Handling of encrypted data bag keys

From: "Moser, Kevin" < >
To: " " < >
Subject: [chef] Re: Re: Re: Handling of encrypted data bag keys
Date: Thu, 11 Apr 2013 17:05:57 +0000
Accept-language: en-US

We are asking a very similar question ourselves.  We are using encrypted data
bags to store passwords and certificates.  We ended up writing what we are
calling chef-vault (distributed as a ruby gem, source at
github.com/moserke/chef-vault).  It uses the chef client key to encrypt the
shared secret for the host that needs to decrypt it.  That host can now use
it's private key to decrypt the shared secret to then go to the real data bag
and decrypt the password.

This does have minor chicken and egg issue for a boot strap, as you need the
client to run with the validator to get it's pem so that you can use the
knife plugins in the gem.  For us this works ok because we converge the box
into the base role first (which doesn't need the encrypted values) do the
encryption for that host and then put the host into the application role that
needs the encrypted value.

This approach takes the need out of the client ever needing to "store" or
have local the secret as it's all stored in data bags and protected by the
clients private key.

Kevin

From: Thom May
< <mailto: >>
Reply-To:
" <mailto: >"

< <mailto: >>
Date: Thursday, April 11, 2013 5:13 AM
To:
" <mailto: >"

< <mailto: >>
Subject: [chef] Re: Re: Handling of encrypted data bag keys

thanks, but that's not really the problem I want to solve.

On Thu, Apr 11, 2013 at 12:49 PM, Sachin Sagar Rai
< <mailto: >>
wrote:
You can put the following line in knife.rb file

encrypted_data_bag_secret "#{home_dir}/.chef/encrypted_data_bag_secret"

Now, whenever you bootstrap the node on ec2, it will be copied over the node
automatically.

-------------------------------------------
@millisami
~ Sachin Sagar Rai
Ruby on Rails Developer
http://tfm.com.np
http://nepalonrails.com<http://nepalonrails.tumblr.com>
http://funsole.com
Sent with Sparrow<http://www.sparrowmailapp.com/?sig>

On Thursday, April 11, 2013 at 4:45 PM, Thom May wrote:

Hey,
how are people handling the distribution of encryption keys for data bags? It
seems unfortunate to have to copy out the encryption key at bootstrap time,
but having it as a cookbook file is daft.
So then I was thinking I'd have the key on a private s3 bucket, which could
then be accessed with signed urls.
But then I thought, if we're doing that, why bother putting the file on disk
at all? Just download the contents at the start of the chef run, use it for
the duration, and let the key go away when the chef process dies.
Am I missing something?
-T

[chef] Handling of encrypted data bag keys, Thom May, 04/11/2013
- [chef] Re: Handling of encrypted data bag keys, Sachin Sagar Rai, 04/11/2013
  - [chef] Re: Re: Handling of encrypted data bag keys, Thom May, 04/11/2013
    - [chef] Re: Re: Re: Handling of encrypted data bag keys, Moser, Kevin, 04/11/2013