
We manage some critical information in encrypted databags, e.g. the SSL certificates: databags/ssl.

We'd prefer to only give a very limited set of people access to the secret that decrypts these encrypted databags, to avoid having our private keys all over the place. Only the people knife-bootstrapping and deploying servers with that should have access.

Databags are not limited to an environment but are global. So we either have to make our recipes toggle on environments and pick different databags, or we'd need to encrypt a part of the databag: only certain entries:

```json
{
  "id": "some_data_bag_item",
  "production": {
    "some_other_key": "hash with all your production data here"
  },
  "testing": {
    "some_other_key": "hash with all your testing data here"
  }
}
```

```ruby
bag_item[node.chef_environment]["some_other_key"]
```

How do you manage your encrypted data-bags? Where do you keep the secret and how do you avoid having to hand out the secret to anyone working on chef?

berkes
  • Have you had a look at [chef-vault](https://github.com/Nordstrom/chef-vault)? – StephenKing Apr 14 '14 at 10:37
  • I have glanced over it. Is chef-vault designed as solution to this problem of storing information you don't want to share? Does it replace encrypted_databags, or does it complement it? And if so, in what way? – berkes Apr 14 '14 at 12:09
  • It replaces the use of encrypted data bags and uses the PKI of chef that exists anyway. Based on search queries (e.g. all nodes having a certain role), you can store passwords (ending up in data bag items) that are only accessible by nodes having that role. – StephenKing Apr 14 '14 at 13:37
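Illustrative Ruby for the per-environment layout in the question above; this is added example code, not from the question, the comments or Chef's own source. It encrypts only the per-environment entries of a data bag item under a shared secret (AES-256-CBC with a SHA-256-derived key, modelled on the idea behind Chef's encrypted data bags but not claimed to be byte-compatible with that format), leaves `id` in the clear, and shows the recipe-side lookup by environment that fails loudly instead of silently falling back to another environment's secrets. All function names, the secret and the sample item are assumptions constructed for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'

# Encrypt one value (e.g. the whole "production" hash) under the shared secret.
# Each top-level entry gets its own IV, so entries can be encrypted independently.
def encrypt_entry(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)   # derive a 32-byte key from the secret
  iv = cipher.random_iv                         # fresh IV per entry, stored alongside
  ciphertext = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.strict_encode64(ciphertext),
    'iv' => Base64.strict_encode64(iv),
    'version' => 1, 'cipher' => 'aes-256-cbc' }
end

# Decrypt one entry; a wrong secret fails on padding or JSON parsing rather than
# returning usable data.
def decrypt_entry(entry, secret)
  cipher = OpenSSL::Cipher.new(entry.fetch('cipher'))
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.strict_decode64(entry.fetch('iv'))
  plain = cipher.update(Base64.strict_decode64(entry.fetch('encrypted_data'))) + cipher.final
  JSON.parse(plain).fetch('json_wrapper')
end

# Build an item where only the per-environment hashes are encrypted; "id" stays plain
# so the item can still be found without the secret.
def build_item(id, per_env, secret)
  item = { 'id' => id }
  per_env.each { |env, data| item[env] = encrypt_entry(data, secret) }
  item
end

# Recipe-side lookup (env would be node.chef_environment in a real recipe): refuse to
# run with a missing environment instead of picking another environment's secrets.
def environment_entry(item, env, key, secret)
  raise KeyError, "no data bag entry for environment #{env}" unless item.key?(env)
  decrypt_entry(item[env], secret).fetch(key)
end

# Constructed sample data (assumed values, not real certificates).
SAMPLE_SECRET = 'constructed-example-secret'
SAMPLE_ITEM = build_item('ssl',
                         { 'production' => { 'some_other_key' => 'prod-cert' },
                           'testing'    => { 'some_other_key' => 'test-cert' } },
                         SAMPLE_SECRET)
```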
