- From: Noah Kantrowitz
- To:
- Subject: [chef] Re: Where to keep the secret-file or secret text for data bags
- Date: Tue, 14 Oct 2014 09:24:33 -0700
On Oct 14, 2014, at 7:38 AM, Adam wrote:
> Where do you prefer to store the secret-key? Here are my problems on where to
> store the key.
>
> 1. Storing it in chef seems kind of ridiculous because you seem to lose the
> point of security. Having the key kept on the same box as your encrypted data
> defeats the purpose unless I am missing something. If you do store it in Chef,
> where do you put it in a data bag?
>
> 2. Storing it as a file on the chef client means you would need to have a
> snapshot of that instance when you go to deploy a new server instance.
>
> 3. Keeping it as an attribute in your cookbook seems like it might be the
> best choice, even though the key is now stored as plain text in your cookbook
> and also in your Chef server.
>
> Advance thanks for helping me in trying to determine where I need to keep my
> key.
If you are using encrypted data bags to any actual effect, the key must be
managed out of band from Chef itself. The simplest option is to use knife
bootstrap to distribute the key directly from your workstation, though this
makes key rotation difficult. Otherwise you get effectively no benefit (aside
from possibly encrypting data in git). Check out
https://coderanger.net/chef-secrets/ for a summary of your options.
--Noah
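To make the out-of-band point concrete, here is an added example that is not part of the thread or of Chef's own code: a plain-Ruby, standard-library-only model of the version-1 encrypted data bag format. The secret value is constructed inline, and the format details (AES-256-CBC keyed with SHA-256 of the secret, a `json_wrapper` envelope) are my reading of Chef's v1 encryptor and therefore an assumption of the example.

```ruby
# Plain-Ruby model of Chef's version-1 encrypted data bag format, standard
# library only (no chef gem). It shows why the secret can live out of band:
# what the Chef server stores is only ciphertext plus an IV, so the secret
# never needs to sit in a data bag, an attribute or a cookbook. The format
# details (AES-256-CBC keyed with SHA-256 of the secret, {"json_wrapper": v}
# as plaintext) are my reading of Chef's v1 encryptor and are an assumption.
require 'openssl'
require 'digest'
require 'base64'
require 'json'
require 'securerandom'

# Stand-in for the file `openssl rand -base64 512` would create on the
# workstation and `knife bootstrap --secret-file` would copy to the node.
# Constructed inline so the example runs offline.
SECRET = Base64.strict_encode64(SecureRandom.random_bytes(64))

def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret) # key is derived by hashing the secret
  iv = cipher.random_iv                       # fresh IV per field
  data = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
  { 'encrypted_data' => Base64.encode64(data), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => 'aes-256-cbc' }
end

def decrypt_value(enc, secret)
  raise "unsupported version #{enc['version']}" unless enc['version'] == 1
  cipher = OpenSSL::Cipher.new(enc['cipher'])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(enc['iv'])
  plain = cipher.update(Base64.decode64(enc['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# Every field except "id" (the item name, kept in the clear) is encrypted.
def encrypt_item(item, secret)
  item.map { |k, v| [k, k == 'id' ? v : encrypt_value(v, secret)] }.to_h
end

def decrypt_item(item, secret)
  item.map { |k, v| [k, k == 'id' ? v : decrypt_value(v, secret)] }.to_h
end

# The JSON that would be uploaded to the Chef server contains no secret.
def secret_absent_from_stored?(item, secret)
  !item.to_json.include?(secret)
end
```

Decrypting with the wrong secret fails (bad padding or unparseable JSON) rather than returning data, which is the behaviour a node without the bootstrapped secret file would see.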