Secrets storage is a really nuanced issue.
Noah's blog post on this issue is worth reading,
https://coderanger.net/2014/02/data-bags/
See section: What about encrypted data bags?
If you are an AWS user, please do consider using IAM (with MFA), S3 and
Instance Profile and build from there.
Following pointers should help. I strongly recommend reading it.
- Chapters 19, 20, 21 of
http://www.amazon.com/Secrets-Lies-Digital-Security-Networked/dp/0471453803
- Part IV and Chapter 23 of
http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/
Best,
Rajiv
On Wed, Jun 11, 2014 at 12:51 PM, Michael Fischer < "> >
wrote:
> Is the analysis you're asking for limited to a crypto review of the
> encrypted data bags feature as it currently exists, or are you asking our
> opinion of secrets storage in general?
>
> --Michael
>
>
> On Wed, Jun 11, 2014 at 12:36 PM, Bryan McLellan < "> >
> wrote:
>>
>> Given the frequency of small bugs in being found in crypto
>> implementations in open source projects recently, it would be great
>> to get some detailed review of the encrypted data bag feature. We
>> sort of built the crypto bits ourselves, albeit on top of OpenSSL.
>> Anyone up for that?
>>
>> Xabier has been working on a version 3 of encrypted data
>> bags, please take a look if you're into this sort of thing.
>> https://github.com/opscode/chef/pull/1474
>>
>> --
>> Bryan McLellan | chef | software engineer
>> (c) 206.607.7108 | (t) @btmspox | (www) http://getchef.com
>
>
Archive powered by MHonArc 2.6.16.