- From: Brad Knowles
- Cc: Brad Knowles
- Subject: [chef] Encrypted data bag questions
- Date: Tue, 11 Jun 2013 08:04:16 -0600
Folks,
So, I've gone through the documentation at
<http://docs.opscode.com/chef/essentials_data_bags.html>,
<http://docs.opscode.com/essentials_data_bags_encrypt.html>, and
<http://docs.opscode.com/knife_data_bag.html>, and I'm a little confused by
the behaviour we're seeing.
From what I can tell, encrypted data bags are implemented on top of regular
data bags, and since the goal is primarily to protect the data while it's on
the Chef server (e.g., in case of compromise of Hosted Chef), it seems to me
that all of the crypto should be done on the client side.
OTOH, from what I can tell, it seems that you have to actually have a Chef
server in order to be able to interact with and use encrypted data bags,
which precludes their use with Chef Solo.
Is that correct? If so, can someone explain to me why that is the case?
What is keeping Chef Solo from being able to use encrypted data bags with the
same shared secret?
Also, any word on <http://tickets.opscode.com/browse/CHEF-4233>? From what
we can see, if you create the encrypted data bag on a workstation running
knife where Chef 10.18.2 is installed, this situation doesn't seem to happen.
In contrast, if you use knife from a Chef 11.x box, you get the extra keys
which bork everything.
--
Brad Knowles
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
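As an added illustration (not part of the original message, and not Chef's own code), the Ruby below produces and reads an encrypted data bag item with nothing but the shared secret and a local file, which is the client-side model the question assumes. The per-field layout (encrypted_data/iv/version/cipher keys, AES-256-CBC, key derived as SHA-256 of the secret, value wrapped as {"json_wrapper": value}) is modelled on the Chef 11 "version 1" format and is an assumption here, as are all helper names; the version/iv/cipher keys are the kind of extra keys an older reader would not expect.

```ruby
require 'json'
require 'openssl'
require 'digest'

# Assumed per-field layout, modelled on the Chef 11 "version 1" item format:
# AES-256-CBC, key = SHA-256 of the shared secret, random IV per field, and
# the value wrapped as {"json_wrapper": value} before encryption.
CIPHER_NAME = 'aes-256-cbc'

def secret_key(secret)
  Digest::SHA256.digest(secret.strip)  # drop the trailing newline of a secret file
end

def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER_NAME).encrypt
  cipher.key = secret_key(secret)
  iv = cipher.random_iv
  data = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
  { 'encrypted_data' => [data].pack('m0'), 'iv' => [iv].pack('m0'),
    'version' => 1, 'cipher' => CIPHER_NAME }
end

def decrypt_field(field, secret)
  raise "unsupported item version #{field['version'].inspect}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher']).decrypt
  cipher.key = secret_key(secret)
  cipher.iv = field['iv'].unpack1('m')  # lenient decode also accepts newline-wrapped base64
  plain = cipher.update(field['encrypted_data'].unpack1('m')) + cipher.final
  JSON.parse(plain)['json_wrapper']
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  raise 'wrong secret or corrupted item'  # bad padding or garbage plaintext
end

# "id" stays in the clear, as in a plain data bag item; every other field is encrypted.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : encrypt_field(v, secret)] }
end

def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : decrypt_field(v, secret)] }
end

# True when the secret decrypts every encrypted field of the item.
def secret_matches?(item, secret)
  decrypt_item(item, secret) && true
rescue RuntimeError
  false
end
```

Writing `JSON.pretty_generate(encrypt_item(...))` to `data_bags/<bag>/<id>.json` gives a file that Chef Solo could read from disk, and decrypting it needs only the same secret file.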