[chef] Re: Re: Re: Re: AWS Security Groups

  • From: Fabien Delpierre
  • Subject: [chef] Re: Re: Re: Re: AWS Security Groups
  • Date: Mon, 17 Nov 2014 08:41:14 -0500

Yes. You can see that for yourself: just upload your JSON file with the secret, then use the knife download command to download it back from the server, then compare your original to the one you just downloaded; you'll see how the encryption works. And then you can add the encrypted version to Git, it is safe (or at least, it's as safe as your encryption key is).

On Mon, Nov 17, 2014 at 7:53 AM, Jeff Byrnes wrote:
Doug,

While the file itself won't be encrypted, its contents will be, so it IS safe to version the file in Git (we do in a repo that covers our data bags, environments, & roles).

-- 
Jeff Byrnes
Operations Engineer

On November 17, 2014 at 12:36:03 AM, Douglas Garstang wrote:

Oh. Thanks for that. And, that's... terrible. :( The point is not to have the unencrypted file in git.

Doug.

On Sun, Nov 16, 2014 at 6:48 PM, Fabien Delpierre wrote:
RE: data bags being encrypted on the Chef server and not on your local system, that's correct.
I should say that data bags themselves are not encrypted. There's no difference between a data bag and an encrypted data bag. It's the items within the data bag that are (or aren't) encrypted, even though they're called "encrypted data bags".
If you find it a problem that what's in your local file system is not encrypted, then what you can do is upload your JSON file with the secret (as seen in your other thread I just replied to), then delete the file from your local file system. If you want the encrypted file locally, just download it from the Chef server; it'll be encrypted then.



On Sun, Nov 16, 2014 at 9:11 PM, Douglas Garstang wrote:
Is there a known public cookbook for creating AWS security groups? I don't know about the security implications, but I'd like to try having the recipes creating the necessary security groups. Otherwise, it's a major hassle to put them into a script. AFAIK chef-metal/provisioner doesn't do security groups yet.

This one, https://github.com/SearchSpring/aws_security, wants to use encrypted data bags and, well, that's a pain. I'd prefer to use IAM roles where possible. I'd never noticed before, but it looks like encrypted data bags are only encrypted on the Chef server, not on the local file system? If so, what's the point?

Doug
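Fabien's description of how encrypted data bag items work (each item field encrypted on its own, the bag and the item's "id" left in the clear), as an added example that is not code from this thread or from Chef itself: a stdlib-only Ruby reproduction of the version 1 encrypted item layout (AES-256-CBC, key = SHA-256 of the secret, each value wrapped as {"json_wrapper": ...}), which I assume here to match Chef's Version1Encryptor. The secret and the item are constructed; running it shows the shape of what knife download would hand back.

```ruby
require "openssl"
require "base64"
require "json"

# Version 1 item layout (assumption: follows Chef's Version1Encryptor).
CIPHER = "aes-256-cbc"

# Encrypt a single field value the way it is stored on the Chef server.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  iv = cipher.random_iv                                 # fresh IV per field
  cipher.key = OpenSSL::Digest.digest("SHA256", secret) # 32-byte key derived from the secret
  serialized = JSON.generate("json_wrapper" => value)   # wrapper preserves the value's JSON type
  ciphertext = cipher.update(serialized) + cipher.final
  { "encrypted_data" => Base64.encode64(ciphertext), "iv" => Base64.encode64(iv),
    "version" => 1, "cipher" => CIPHER }
end

# Reverse of encrypt_field; a wrong secret fails at padding check (CipherError).
def decrypt_field(field, secret)
  raise "unsupported version #{field["version"]}" unless field["version"] == 1
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.iv = Base64.decode64(field["iv"])
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Only the fields are encrypted; "id" (and the bag name) stay in the clear.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_field(v, secret) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_field(v, secret) }
end

# Constructed sample (not real credentials): the plaintext you would keep out of Git
# versus the encrypted form the server stores and knife download returns.
SECRET = "constructed-example-secret"
PLAIN_ITEM = { "id" => "aws", "access_key" => "AKIACONSTRUCTED", "secret_key" => "not-a-real-secret" }
ENCRYPTED_ITEM = encrypt_item(PLAIN_ITEM, SECRET)

puts JSON.pretty_generate(ENCRYPTED_ITEM) if __FILE__ == $0
```

Committing ENCRYPTED_ITEM is only as safe as the secret file, which must stay out of the repo.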
