[chef] Re: Encrypted data bags

[Brad Knowles < >]

On May 20, 2013, at 3:09 PM, 

 
 wrote:

> I have a few questions about using encrypted things in Chef.
> 
> 1)What is the best practice to distribute encrypted_data_bag_secret to 
> servers?

The short answer is that these things do NOT work like you think they do.

Keep in mind that the only purpose of encrypted data bags is to keep the 
contents encrypted while it remains on the Chef server.  This was meant 
primarily for use with Hosted Chef, so that people could feel comfortable 
that their secrets were not exposed if Opscode should happen to have a 
security problem and the contents of these data bags were somehow leaked.

The contents have to be unencrypted on the Chef Workstation, so that you can 
encrypt them with the shared key, and then upload the encrypted data bag to 
the Chef Server.

The contents have to be unencrypted on the nodes, because otherwise it would 
be impossible to access the information stored in them.  And since a shared 
key is used, once a single node is compromised, then all data bags that were 
encrypted with that same shared key are now vulnerable across your entire 
infrastructure.


I repeat, the short answer is that these things do NOT work like you think 
they do.

> 2)What to do with bootstrapped servers? Does everyone put it in advance?

Yup.  It's a shared secret file.  It has to be copied over from the Chef 
Workstation to the nodes at bootstrap time.

--
Brad Knowles 
<
 >
LinkedIn Profile: <http://tinyurl.com/y8kpxu>