[chef] Re: Encrypted data bags

[Brad Knowles < >]

On May 21, 2013, at 12:45 PM, steve . 
<
 >
 wrote:

> For that matter, there's nothing that says you _have_ to encrypt/decrypt 
> the data bag item with the key that's in the default location on the 
> chef-client.  You can distribute keys through a web service that performs 
> some other means of authentication.  You can distribute keys through your 
> favorite orchestration layer, assuming you have one.  (Or Pushy, though I 
> haven't seen it running anywhere outside of Opscodeland yet... )

True enough, but where are the standard procedures or tools documented for 
doing any of this?

> That having been said, yeah, it's still a shared key and you're still 
> compromising the data bag item if the key on disk gets compromised.  But as 
> long as you can write some Ruby code to deliver the key contents somehow to 
> the function that loads the encrypted data bag item in your recipe (or 
> library), you can solve this problem any way you like...

Sure, it's just code.  You can do anything you want with code.  You can 
re-write the entire operating system if you want -- it's just code.

A small matter of programming, that's all.


The key is that we don't want to have to invent or reinvent any wheels here.

Most of the people on this list are smarter and more advanced with Chef than 
we are, so if you've got any existing documented standard procedures or tools 
for how you do these sorts of things, we'd love to hear about it.

--
Brad Knowles 
<
 >
LinkedIn Profile: <http://tinyurl.com/y8kpxu>