[chef] Re: Question about Hosted Chef

[Noah Kantrowitz < >]

On May 26, 2015, at 9:02 PM, Jing Li 
<
 >
 wrote:

> Hi There,
> 
> We are currently hosting our own Chef Server on AWS, it's awesome! 
> 
> As our servers growing, we are looking at to move to the hosted Chef 
> solution. Since we store many credential information in our cook books such 
> as SSL certificate, passwords and etc, we would like to learn more about 
> the security mode for hosted Chef solution.
> 
> Can anyone please help us on it?

The security model is basically that there isn't one. Chef has lots of 
awesome engineers but Hosted Chef is, at heart, just a big database-powered 
web app and so has the same overall security properties as most other apps 
like that you've worked with. One of the major reasons why encrypted data 
bags were added is it gives you an "out" on the security side of things, 
Hosted Chef never gets a copy of the decryption key(s) and so within the 
bounds of AES being considered unbreakable these days you can assume that no 
possible data leakage from Hosted Chef could disclose the encrypted items. 
Beyond that you would need to be more specific about what kind of properties 
you are looking at.

--Noah

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail