- From: Noah Kantrowitz
- To:
- Subject: [chef] Re: Encrypted Data Bags - Preemptive Key Retrieval
- Date: Fri, 23 Jan 2015 12:24:23 -0800
On Jan 23, 2015, at 12:19 PM, FusionX86 wrote:

> Hello,
>
> I’m using encrypted data bags in one of my cookbooks. I have the secret key
> stored in another secure network location that nodes can access as needed.
> I’d like to have the recipe retrieve the secret key, use it, and then
> delete the key on the node when finished. I’m having trouble getting those
> steps to happen in the proper order and while I understand why, I haven’t
> been able to find a satisfactory solution. The point is to avoid letting
> the key sit unused on the node.
If you have a way to safely store and distribute the decryption key, why not
just store the passwords in that too?
Your actual issue is that Chef is a two-pass system: first all recipes are
compiled to resources, and then all resources are converged. That means that
the code outside of resources happens before any resources execute. You'll
want to switch the retrieval code to be in Ruby, and probably use a handler
to do the delete just in case the run fails part way through.
--Noah
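To make the compile/converge ordering concrete, here is a small stand-alone Ruby model of a two-pass run, added as an illustration and not code from the thread or from Chef itself. The `Run` class is a toy: `ruby_block` queues a block for the converge phase (as Chef's `ruby_block` resource does), `report_handler` registers cleanup that runs after converge whether or not it succeeded (the role a Chef handler plays), and the node's filesystem is an in-memory hash. The secret, the encrypted item and the AES-256-CBC wrapping are constructed for the example and only approximate a real encrypted data bag item. `naive_recipe` reproduces the ordering problem from the question; `fixed_recipe` moves retrieval into a resource and deletion into a handler.

```ruby
require 'openssl'
require 'digest'

# Constructed sample data: a fake secret and one item encrypted with it.
SECRET = 'constructed-example-secret'.freeze
CIPHER = 'aes-256-cbc'.freeze

def encrypt_item(plaintext, secret)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = Digest::SHA256.digest(secret)
  iv = c.random_iv # generates an IV and sets it on the cipher
  { 'iv' => iv, 'data' => c.update(plaintext) + c.final }
end

def decrypt_item(item, secret)
  c = OpenSSL::Cipher.new(CIPHER).decrypt
  c.key = Digest::SHA256.digest(secret)
  c.iv = item['iv']
  c.update(item['data']) + c.final
end

ITEM = encrypt_item('db-password-123', SECRET)

# Toy model of a two-pass run (not Chef's implementation).
class Run
  def initialize
    @resources = []
    @handlers = []
  end

  # Compile phase: the recipe runs top to bottom. Plain Ruby executes now;
  # resource bodies are only queued.
  def compile(&recipe)
    instance_eval(&recipe)
    self
  end

  def ruby_block(name, &body)
    @resources << [name, body]
  end

  def report_handler(&body)
    @handlers << body
  end

  # Converge phase: queued resources run in order. Handlers run afterwards
  # whether or not the run succeeded, which is why cleanup belongs there.
  def converge
    @resources.each { |_name, body| body.call }
    :ok
  rescue RuntimeError
    :failed
  ensure
    @handlers.each(&:call)
  end
end

# The ordering from the question: the key is fetched in a resource, but the
# decryption is plain recipe code, so it runs during compile, before the fetch.
# Returns what ended up in the node's config (nil here).
def naive_recipe(fs)
  run = Run.new
  run.compile do
    ruby_block('fetch key') { fs[:key] = SECRET }
    password = fs[:key] && decrypt_item(ITEM, fs[:key]) # compile time: fs[:key] is nil
    ruby_block('write config') { fs[:config] = password }
    ruby_block('delete key') { fs.delete(:key) }
  end
  run.converge
  fs[:config]
end

# Retrieval and decryption inside a resource (converge time), deletion in a
# handler so the key is removed even when the run fails part way through.
# Returns [run status, decrypted config, whether the key is still on the node].
def fixed_recipe(fs, fail_midway: false)
  run = Run.new
  run.compile do
    ruby_block('fetch key') { fs[:key] = SECRET }
    ruby_block('write config') do
      raise 'simulated mid-run failure' if fail_midway
      fs[:config] = decrypt_item(ITEM, fs[:key])
    end
    report_handler { fs.delete(:key) }
  end
  status = run.converge
  [status, fs[:config], fs.key?(:key)]
end
```

In a real cookbook the equivalent of the fix is a `ruby_block` (or a `lazy {}` attribute) around the key retrieval and decryption, and a Chef handler for the delete; the `naive_recipe` path shows why an `EncryptedDataBagItem.load` call written at recipe top level reads the key before the resource that fetches it has run.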