- From: Seth Falcon
- To:
- Subject: [chef] Re: Re: Re: Re: Re: Re: Re: Re: Encrypted Databags are a Code Smell
- Date: Wed, 18 Sep 2013 11:36:52 -0700
writes:
> If I'm reading the documentation correctly, Chef Vault is using public
> keys to manage access to a shared secret for an EDB.
Yes, that's correct.
> But why use an EDB at all? Why not just encrypt the item with the
> scheme you are using to encrypt the access to the item?
The size of a message that can be encrypted with RSA is limited by the
key size. So to make a general solution and to follow how (as far as I
know) RSA is generally used, you use a symmetric cipher for the message
and RSA to encrypt the key for the symmetric cipher. Hence chef vault
using EDBs.
> Here's a simple example:
>
> If I do not rotate keys after every ACL change, then I have only made ACL
> changes for those clients that play nice. Bad clients
> that stash the secret can still access the data items.
Absolutely something to understand and pay attention to.
+ seth
--
Seth Falcon | Development Lead | Opscode | @sfalcon
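The hybrid scheme described in the reply above (a symmetric cipher for the item, RSA to wrap the symmetric key for each client) together with the rotation caveat at the end of the message, as an added Ruby example that is not chef-vault's own code. The client names, the item contents, and the choice of AES-256-GCM with RSA-OAEP wrapping are constructed for illustration.

```ruby
require 'openssl'
require 'json'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt a data bag item the way the thread describes: a random AES key
# protects the item, and that key is wrapped with each client's RSA public key.
# This is an illustration of the scheme, not chef-vault's own code.
def vault_encrypt(item, client_pubkeys)
  secret = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  data = cipher.update(JSON.generate(item)) + cipher.final
  wrapped = client_pubkeys.transform_values { |pub| pub.public_encrypt(secret, OAEP) }
  { 'iv' => iv, 'tag' => cipher.auth_tag, 'data' => data, 'keys' => wrapped }
end

# Decrypt with an already-unwrapped shared secret; nil on a wrong key or tampering.
def raw_decrypt(vault, secret)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = secret
  decipher.iv = vault['iv']
  decipher.auth_tag = vault['tag']
  JSON.parse(decipher.update(vault['data']) + decipher.final)
rescue OpenSSL::Cipher::CipherError
  nil
end

# A client unwraps the shared secret with its RSA private key, then decrypts the item.
def vault_decrypt(vault, client_name, rsa_private)
  wrapped = vault['keys'][client_name]
  return nil unless wrapped # client is not on the ACL
  raw_decrypt(vault, rsa_private.private_decrypt(wrapped, OAEP))
end

# Shows why an ACL change must be paired with a secret rotation: a client removed
# from the ACL that kept the old shared secret can still read the unrotated item.
def rotation_demo
  keys = { 'web1' => OpenSSL::PKey::RSA.new(2048), 'web2' => OpenSSL::PKey::RSA.new(2048) }
  pubs = keys.transform_values(&:public_key)
  item = { 'id' => 'db_password', 'password' => 'constructed-sample-value' }
  vault = vault_encrypt(item, pubs)
  stashed = keys['web2'].private_decrypt(vault['keys']['web2'], OAEP) # web2 keeps a copy
  acl_only = vault.merge('keys' => vault['keys'].reject { |n, _| n == 'web2' })
  rotated  = vault_encrypt(item, pubs.reject { |n, _| n == 'web2' })
  { acl_change_only: !raw_decrypt(acl_only, stashed).nil?,
    after_rotation:  !raw_decrypt(rotated, stashed).nil?,
    web1_still_reads: vault_decrypt(rotated, 'web1', keys['web1']) == item }
end
```

`rotation_demo` returns `acl_change_only: true` (the removed client still reads the item) and `after_rotation: false` (the fresh secret shuts it out) while `web1` keeps access.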