[chef] Backup secrets when using chef-vault.


  • From: Vladimir Skubriev < >
  • To:
  • Subject: [chef] Backup secrets when using chef-vault.
  • Date: Fri, 06 Dec 2013 16:53:15 +0400

For example, I used chef-vault to distribute passwords.

As I understand it:

When we create a vault with:

    knife encrypt create databag item

chef-vault creates TWO data bags:

    databag item

    and

    databag item_keys

Values in the second data bag item are encrypted with the public keys (stored on the chef-server) of the clients which are allowed to decrypt the values.

But I cannot tell what is stored in the first data bag?

If I back up the bags created by chef-vault via knife download (knife-essentials), and then

lose all private keys of the nodes (admins), for example a fire burns up the building with the nodes, including the admin machines,

I cannot decrypt my passwords?

As I understand it, if I don't have my admin key in knife.rb and my admin machine, I cannot show the values with the command:

    knife encrypt show databag item


And latest question:

What do you think about next strategy:

1. Store the secrets only in one place in plaintext, for example on a cryptfs filesystem with a VCS system.

For example, JSON files + a script to upload these JSON data bags to the server with knife encrypt create.

So I can be sure that the passwords and other sensitive information for deploying all of our infrastructure are in one place.

And for backup I can use strongly ENCRYPTED USB flash drives.

This is a simple and very good solution, I think? Isn't it?

--
Best regards,

CVision Lab System Administrator
Vladimir Skubriev
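Added example, not part of the post or of chef-vault's own code: a small Ruby model of the two-item layout the post describes, with the data bag format simplified and the client names, keys and secret values constructed locally. The first item holds the values encrypted under a random shared secret; `item_keys` holds that secret wrapped with each authorized client's RSA public key, so a backup of both items stays recoverable only while at least one of those private keys survives.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-ins for client/admin key pairs (public half normally on the Chef server).
def generate_client_keys(names)
  names.each_with_object({}) { |name, keys| keys[name] = OpenSSL::PKey::RSA.new(2048) }
end

# Model of what `knife encrypt create` produces: `item` holds the values
# encrypted under a random shared secret, `item_keys` holds that secret
# RSA-wrapped once per authorized client (format simplified from chef-vault's).
def create_vault(item_id, values, public_keys)
  secret = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(values)) + cipher.final
  item = { 'id' => item_id, 'iv' => Base64.strict_encode64(iv),
           'data' => Base64.strict_encode64(ciphertext) }
  item_keys = { 'id' => "#{item_id}_keys", 'clients' => public_keys.keys }
  public_keys.each do |name, pub|
    item_keys[name] = Base64.strict_encode64(pub.public_encrypt(secret))
  end
  [item, item_keys]
end

# What the holder of one authorized private key can do with a backup of both
# items (the same path `knife encrypt show` takes with the key from knife.rb).
def open_vault(item, item_keys, client, private_key)
  secret = private_key.private_decrypt(Base64.strict_decode64(item_keys.fetch(client)))
  decipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  decipher.key = secret
  decipher.iv = Base64.strict_decode64(item['iv'])
  JSON.parse(decipher.update(Base64.strict_decode64(item['data'])) + decipher.final)
end

# The backup scenario from the post: the data bags survive, but only some
# (or none) of the private keys do. With no surviving key the values are gone.
def recoverable?(item, item_keys, surviving_private_keys)
  surviving_private_keys.any? do |name, key|
    next false unless item_keys.key?(name)
    begin
      open_vault(item, item_keys, name, key).is_a?(Hash)
    rescue OpenSSL::OpenSSLError, JSON::ParserError
      false
    end
  end
end
```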


