[chef] Encrypted databag local management


  • From: Morgan Blackthorne
  • Subject: [chef] Encrypted databag local management
  • Date: Sun, 15 Dec 2013 08:23:46 -0800

So at my day job, we're making an effort to pull passwords out of the source code and CI environment and centralize them into encrypted data bags which are then translated into config files for the various scripts and services we use.

I was wondering if there is a local-only workflow for this which does not involve knife talking to a Chef server. Basically, where knife edit would provide a decryption piece for the file contents and then encrypt them when the editor is closed. I'm thinking this because I want to ensure that the JSON files are the authoritative source being pushed into the Chef server, not random knife clients talking to Chef, and also so that the users shouldn't even need to configure Knife to talk to a Chef server in the first place.

Any thoughts about how best to handle this kind of scenario? I can elaborate as needed on any unclear points.

--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS


