[chef] Re: Re: Database Secrets


  • From: Charles Johnson
  • To: Noah Kantrowitz
  • Subject: [chef] Re: Re: Database Secrets
  • Date: Mon, 22 Sep 2014 11:27:44 -0700

Although this is a thing:

http://onddo.github.io/chef-encrypted-attributes/

TL;DR: Symmetric encryption of node attribute values with the Chef client key. Only the key of the node that wrote the attribute can decrypt the value.

(It does a bunch more too).

--Charles


On September 22, 2014 at 10:17:00 AM, Noah Kantrowitz wrote:

Others have already commented with my post on this topic, but just for the record I wanted to make this clearer:

Under no circumstances store private data in node attributes. All nodes can see all other node attributes by default. Unless you want every node in your network to have effective root on your DB server, this is not viable.

</scarywords>

--Noah

On Sep 21, 2014, at 9:56 PM, DV wrote:

> How about letting the mysql cookbook generate the root password and store it in the Chef node object, then use the knife-backup gem to back up node objects to a secure location?
>
> On Sun, Sep 21, 2014 at 9:34 PM, Angus Buchanan wrote:
> What ways have people used to maintain database secrets? I'm thinking specifically of the mysql root password which is just an attribute in the mysql cookbook, and passwords for production databases?
>
> I don't want to be checking passwords into Git.
>
> What strategies have you successfully used?
>
> -aob
>
>
>
> --
> Best regards, Dmitriy V.
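
An audit sketch for the exposure Noah describes above, added here as an example and not part of any poster's message or of Chef itself: it scans an exported node object for attributes that look like plaintext credentials. The sample node, its attribute names and values, and the key-name heuristic are constructed assumptions.

```ruby
require 'json'

# Constructed sample: one node object exported to JSON (for example from a
# node backup). Names and values are made up for illustration.
SAMPLE_NODE = <<~NODE
  {
    "name": "db1.example.com",
    "normal": {
      "mysql": {
        "server_root_password": "constructed-example-value",
        "port": "3306"
      },
      "app": { "db": { "user": "app", "password": "" } }
    },
    "default": { "app": { "api_token": "constructed-token" } },
    "override": {},
    "automatic": { "hostname": "db1" }
  }
NODE

# Key names that suggest a credential (a heuristic assumed for this example).
SECRET_KEY = /passw(or)?d|secret|token|private_key|api_key/i
# Attribute precedence sections found in a node object.
LEVELS = %w[default normal override automatic].freeze

# Walk a nested attribute tree and collect the paths whose key looks like a
# credential and whose value is a non-empty string. Only paths are recorded,
# never the values, so the report itself does not leak the secret.
def walk(value, path, hits)
  case value
  when Hash
    value.each do |k, v|
      here = path + [k]
      hits << here.join('/') if k =~ SECRET_KEY && v.is_a?(String) && !v.empty?
      walk(v, here, hits)
    end
  when Array
    value.each_with_index { |v, i| walk(v, path + [i.to_s], hits) }
  end
  hits
end

# Return the sorted attribute paths in one node's JSON that look like secrets.
def plaintext_secret_paths(node_json)
  node = JSON.parse(node_json)
  LEVELS.flat_map { |lvl| walk(node.fetch(lvl, {}), [lvl], []) }.sort
end

puts plaintext_secret_paths(SAMPLE_NODE)
```

Any path it reports is readable by every other node that can query the Chef server, so the value belongs somewhere other than a plain node attribute.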




