[chef] Re: Re: Re: Re: Encrypted Databags are a Code Smell


  • From: Sam Pointer
  • Subject: [chef] Re: Re: Re: Re: Encrypted Databags are a Code Smell
  • Date: Tue, 17 Sep 2013 12:41:46 +0100

> Encrypted data bags were never intended to do anything else. Anyone who uses them for anything else is just setting themselves up for future pain and problems. Anyone who recommends that anyone use them for anything else is being foolish and reckless.
>
> Encrypted databags provide protection against two kinds of access:

I also disagree, especially with your assertion of what and "how many" things EDB is protecting against.

I've certainly been in the situation of sharing a common Chef code-base amongst many groups where secrets needed to be siloed amongst consumers, and kept from the administrators of the source control system too. We shouldn't assume there is one operations group that is the keeper of all of the keys, because in most large organisations that isn't the case.

Sam Pointer
Lead Consultant


On 16 September 2013 22:31, Ranjib Dey wrote:
No, not really. The % of raw Ruby code inside a recipe but outside resources is a smell, irrespective of context: the less you have, the better it is. We have several such smells (another would be searching 'recipes:foo'). What I meant is that this is not bad; in fact it can be a blessing at times.

Remember, if you take the encrypted data bag route, you would be able to run chef-zero as it is (and now chef-zero integration is in master), which does not support client certs.


On Mon, Sep 16, 2013 at 2:02 PM, Mike wrote:
> So yes, they can be smell, but it depends,  
This statement can apply to pretty much anything, ever.

If your use case doesn't map to the tool you're using, that's fine. Find something that works for you. 
Nobody is here telling you that you must use one thing or another - rather most people here are sharing "what works for me" approaches, thus delivering some of the best ideas that get discussed openly, and better ideas come from them, sometimes.

Definitely a summit topic to discuss. And don't talk about my feet smelling, either.

-M


On Mon, Sep 16, 2013 at 4:53 PM, Ranjib Dey wrote:
I don't think an encrypted data bag in itself is a code smell. Depending upon the context it may be. The fact that we need to store secrets in raw text files is a smell (at one extreme). Tools (like s3cmd, knife, the aws command line tools etc.) that expect unencrypted secrets can be run against ephemeral configuration files. But that's the other extreme. Between them there are a myriad of options, and encrypted data bags are one of them. If you plan to take a snapshot of your entire Chef infra, you'll need to back up and store the data bags too, and if they hold secrets it's better to store them encrypted on the restore/backup tapes. Chef-vault is a better option, albeit one that requires more housekeeping: you'll be storing multiple encrypted copies of the same data, each corresponding to one client. These things come with a great deal of network traffic cost as well.
So yes, they can be a smell, but it depends.


On Mon, Sep 16, 2013 at 11:54 AM, Booker Bense wrote:
I'm finally catching up with my backlog of Food Fight episodes and the one on secrets got me thinking a bit and I wrote up my thoughts here. 


The more I think about it, the more I think encrypted data bags aren't the solution. 

- Booker C. Bense

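The two models argued over in this thread, a data bag encrypted under one shared key that every consumer holds versus the chef-vault approach Ranjib describes of storing one encrypted copy of the key per client, can be shown side by side in a few lines of Ruby. This is an added illustration and not code from Chef, chef-vault or anyone on the list: the module names SharedSecretBag and VaultStyleBag, the client names web01/db01, the sample secret and the choice of AES-256-GCM for the item plus RSA-OAEP for wrapping the data key are all assumptions made for the example, not Chef's on-disk format. It shows why a vault-style item grows by one wrapped key per client, and why that is what gives the per-consumer siloing Sam mentions, which a single shared key cannot provide.

```ruby
require 'openssl'
require 'base64'

# Added illustration, not Chef's or chef-vault's own code or wire format.
#   SharedSecretBag: one symmetric key shared by every node and every admin
#     who needs the bag. Whoever holds the key file reads everything.
#   VaultStyleBag: encrypt the item once under a random data key, then wrap
#     that data key separately for each authorised client's RSA public key.
#     That is why a vault item carries one copy of the key per client.
module SharedSecretBag
  # AES-256-GCM so that a modified ciphertext or wrong key is detected.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = ''
    ciphertext = cipher.update(plaintext) + cipher.final
    { 'iv' => Base64.strict_encode64(iv),
      'data' => Base64.strict_encode64(ciphertext),
      'tag' => Base64.strict_encode64(cipher.auth_tag) }
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or tampered item.
  def self.decrypt(bag, key)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = Base64.strict_decode64(bag['iv'])
    cipher.auth_tag = Base64.strict_decode64(bag['tag'])
    cipher.auth_data = ''
    cipher.update(Base64.strict_decode64(bag['data'])) + cipher.final
  end
end

module VaultStyleBag
  PADDING = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  # client_pubkeys: { 'node name' => OpenSSL::PKey::RSA public key }
  def self.encrypt(plaintext, client_pubkeys)
    data_key = OpenSSL::Cipher.new('aes-256-gcm').random_key
    wrapped = client_pubkeys.transform_values do |pub|
      Base64.strict_encode64(pub.public_encrypt(data_key, PADDING))
    end
    { 'item' => SharedSecretBag.encrypt(plaintext, data_key), 'keys' => wrapped }
  end

  def self.authorised?(vault, client_name)
    vault['keys'].key?(client_name)
  end

  # Only a client whose name is listed AND who holds the matching private key
  # can unwrap the data key; anyone else gets an error, never the secret.
  def self.decrypt(vault, client_name, client_privkey)
    wrapped = vault['keys'].fetch(client_name) do
      raise KeyError, "#{client_name} is not authorised for this item"
    end
    data_key = client_privkey.private_decrypt(Base64.strict_decode64(wrapped), PADDING)
    SharedSecretBag.decrypt(vault['item'], data_key)
  end
end

if $PROGRAM_NAME == __FILE__
  secret = 'postgres_password=correct horse battery staple' # constructed sample
  web01 = OpenSSL::PKey::RSA.new(2048)   # hypothetical node keys
  db01  = OpenSSL::PKey::RSA.new(2048)
  rogue = OpenSSL::PKey::RSA.new(2048)   # a node that was never authorised

  shared = OpenSSL::Cipher.new('aes-256-gcm').random_key
  bag = SharedSecretBag.encrypt(secret, shared)
  puts "shared-key bag readable by anyone holding the key: #{SharedSecretBag.decrypt(bag, shared) == secret}"

  vault = VaultStyleBag.encrypt(secret, 'web01' => web01.public_key, 'db01' => db01.public_key)
  puts "vault item stores #{vault['keys'].size} wrapped copies of the data key"
  puts "web01 reads it: #{VaultStyleBag.decrypt(vault, 'web01', web01) == secret}"
  begin
    VaultStyleBag.decrypt(vault, 'web01', rogue) # right name, wrong private key
  rescue OpenSSL::OpenSSLError
    puts 'rogue key cannot unwrap the web01 copy'
  end
end
```

The cost Ranjib mentions falls out of the structure: every client added to or removed from the vault item means another wrapped key to write and distribute, whereas the shared-key bag never changes size but also never distinguishes one consumer (or one administrator holding the key file) from another.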