[chef] Backup secrets when using chef-vault.

[Vladimir Skubriev < >]

For example I used chef-vault for distribute passwords.

How I can understand:

When we creating a vault with:

    knife encrypt create databag item

chef-vault create TWO databag's:

    databag item

    and

    databag item_keys

Values from second data bag item is encrypted with client public keys 
stored on chef-server, which is allowed to decrypt values.

But I cannot what is stored in first data bag ?

If I backup created by chef vault bags via knife 
download(knife-essentials), and then

lose all private keys of nodes(admins). For example fire up building 
with nodes including admin machine's

I cannot decrypt my passwords ?

How I can understand, If I doesn't have a my admin key in knife.rb and 
my admin machine I cannot show values by command?

knife encrypt show databag item


And latest question:

What do you think about next strategy:

1. Store a secrets only in one place in plaintext. For example on 
cryptfs filesystem with a VCS system.

For example json files + script to upload this json databags to server 
with a knife encrypt create

So I can be sure that passwords and other sensitive information for 
deploy all of our infrastructure is in one place.

And for backup I can use Strong ENCRYPTED Usb flashdrives.

This is a simple solution and very good - i think? Is not it ?

--
Best regards,

CVision Lab System Administrator
Vladmir Skubriev