[chef] RE: Re: RE: Re: Using encrypted data bags in cookbooks?


  • From: "Fouts, Chris"
  • Subject: [chef] RE: Re: RE: Re: Using encrypted data bags in cookbooks?
  • Date: Wed, 21 Jan 2015 21:26:59 +0000
  • Accept-language: en-US

Thanks, but I was under the impression that the bootstrap (even the default template) will do this for me, using the same process it does to copy the validator.pem locally to the node. I see this in the chef-full.erb file:

<% if encrypted_data_bag_secret -%>
cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
<%= encrypted_data_bag_secret %>
EOP
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>

Chris

From: Tiago Cruz
Sent: Wednesday, January 21, 2015 3:27 PM
Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?

You need to scp the file to your node at /etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris wrote:

I have this in my knife.rb file

…….
validation_key            "#{current_dir}/validator.pem"
encrypted_data_bag_secret "#{current_dir}/encrypted_data_bag_secret"
…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are in <some_path>/.chef directory.

Chris

From: Daniel Condomitti
Sent: Wednesday, January 21, 2015 2:45 PM
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to ensure that your template includes the encrypted_data_bag_secret logic https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3
Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I run my cookbooks in my nodes. This means that I’ll need to decrypt my data bag, which in turn means I’ll need the key. One solution I’ve been reading is to copy the key file in the node’s /etc/chef/* directory during the bootstrap process. I read this http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows adding this line in the knife.rb file

encrypted_data_bag_secret "#{home_dir}/.chef/encrypted_data_bag_secret"

…which will then automagically copy the file over to the node. However, I don’t see /etc/chef/encrypted_data_bag file in the bootstrapped node.

What am I missing?

Chris

--

-- Tiago Cruz
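Added example, not from this thread and not Chef's own code: a Ruby preflight that checks, before running knife bootstrap, the three things the replies above ask about: whether the bootstrap template still carries the chef-full.erb guard that writes the secret, whether the encrypted_data_bag_secret line in knife.rb resolves to a real, non-empty file, and whether that file is kept at 0600. The knife.rb and template text in the demo are constructed inline from the snippets quoted in the thread; preflight, the vars map and the status symbols are names chosen here, and current_dir/home_dir are assumed to be the .chef directory and its parent.

```ruby
require "tmpdir"

# The guard in Chef's chef-full.erb that writes the secret on the node (quoted above).
SECRET_GUARD = /<% if encrypted_data_bag_secret -%>.*?<%= encrypted_data_bag_secret %>.*?<% end -%>/m
# 1. Does the (possibly customised) bootstrap template still carry that guard?
def template_copies_secret?(template_text)
  SECRET_GUARD.match?(template_text)
end
# 2. Resolve the path named in knife.rb without eval'ing the file. `vars` maps the interpolated
#    names (current_dir, home_dir) to real directories. Typographic quotes are not Ruby string
#    delimiters, so they are reported rather than resolved.
def secret_path_from_knife_rb(knife_rb_text, vars)
  line = knife_rb_text.lines.find { |l| l =~ /^\s*encrypted_data_bag_secret\b/ }
  return [:not_set, nil] if line.nil?
  return [:curly_quotes, nil] if line =~ /[“”]/
  m = line.match(/encrypted_data_bag_secret\s+["'](.+?)["']/)
  return [:unparsed, nil] unless m
  path = m[1].gsub(/#\{(\w+)\}/) { name = $1; vars.fetch(name) { return [:unknown_var, name] } }
  [:ok, path]
end
# 3. The file must exist, be non-empty and be unreadable by group and other
#    (the template does chmod 0600; a stricter 0400 passes as well).
def secret_file_status(path)
  return :absent unless File.file?(path)
  return :empty if File.zero?(path)
  (File.stat(path).mode & 0o077).zero? ? :ok : :too_permissive
end

def preflight(template_text, knife_rb_text, vars)
  status, path = secret_path_from_knife_rb(knife_rb_text, vars)
  { template: template_copies_secret?(template_text) ? :ok : :guard_missing,
    knife_rb: status, secret_file: path ? secret_file_status(path) : :skipped }
end
# Demo on a constructed .chef directory, not a real workstation.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |home|
    chef_dir = File.join(home, ".chef")
    Dir.mkdir(chef_dir)
    secret = File.join(chef_dir, "encrypted_data_bag_secret")
    File.write(secret, "constructed-secret\n")
    File.chmod(0o644, secret)  # as left by a plain scp: group and other can read the key
    knife_rb = 'encrypted_data_bag_secret "#{current_dir}/encrypted_data_bag_secret"' + "\n"
    template = "<% if encrypted_data_bag_secret -%>\ncat > /etc/chef/encrypted_data_bag_secret <<'EOP'\n" \
               "<%= encrypted_data_bag_secret %>\nEOP\nchmod 0600 /etc/chef/encrypted_data_bag_secret\n<% end -%>\n"
    vars = { "current_dir" => chef_dir, "home_dir" => home }
    p preflight(template, knife_rb, vars)  # secret_file => :too_permissive
    File.chmod(0o600, secret)
    p preflight(template, knife_rb, vars)  # secret_file => :ok
  end
end
```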



