
I have a Windows server running Chef Client in local mode. I would like to use encrypted data bags for users and passwords, but this becomes an issue since the secret key will need to be stored locally. What are my best options for enabling encrypted data bags and also having a secure secret key?

Xoph

1 Answer


This isn't what encrypted data bags do. The purpose of that feature is to prevent disclosing the contents to the Chef Server. From the PoV of the client, it is in the clear because it has to have the decryption key. If you have only a single node, there isn't much value in the encryption for Chef. It might still be useful if you are storing that data in a git repo or similar, but in those cases you are probably better off with another solution. Check out https://coderanger.net/chef-secrets/ for a summary of the options.

coderanger
  • So I guess I understand all this, my question was more around, how should I encrypt my data locally, to be used with Chef, when it is only on a single node? I know this is a bit of an opinionated encryption question. – Xoph Oct 06 '14 at 12:55
  • You could encrypt your data locally using knife like I did; here's the link for that: http://stackoverflow.com/questions/26978737/encrypt-data-bag-with-knife-from-inside-ruby/26981553#26981553 You would still need the key on the server to use it, though. – Thermatix Nov 24 '14 at 11:22
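To make the answer's point concrete, here is an added Ruby example (not code from the question, the answer, or the Chef project) that mirrors the version 1 encrypted data bag layout as I understand it: aes-256-cbc, key derived as the SHA-256 digest of the secret file contents, base64 IV and ciphertext, plaintext wrapped as `{"json_wrapper": value}`. The field names, the secret string and the password value are constructed for the illustration; whoever holds the local secret reads every field back in the clear, which is why encryption on a single node buys little.

```ruby
require "openssl"
require "json"

# Layout assumed to match a Chef encrypted data bag item, version 1.
CIPHER = "aes-256-cbc"

# Chef derives the AES key from the secret file contents with SHA-256.
def derive_key(secret)
  OpenSSL::Digest.digest("SHA256", secret)
end

# Encrypt one data bag field the way a version 1 item stores it.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv                      # sets and returns a fresh IV
  wrapped = JSON.generate({ "json_wrapper" => value })
  ciphertext = cipher.update(wrapped) + cipher.final
  {
    "encrypted_data" => [ciphertext].pack("m"),  # base64 with line breaks
    "iv" => [iv].pack("m"),
    "version" => 1,
    "cipher" => CIPHER
  }
end

# Decrypt a field: anyone holding the secret (chef-client in local mode
# must) gets the plaintext. Version 1 carries no integrity tag, so a
# wrong secret usually surfaces only as a padding error in cipher.final.
def decrypt_field(item, secret)
  cipher = OpenSSL::Cipher.new(item.fetch("cipher"))
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = item.fetch("iv").unpack1("m")
  plain = cipher.update(item.fetch("encrypted_data").unpack1("m")) + cipher.final
  JSON.parse(plain).fetch("json_wrapper")
end

# Constructed sample: the secret that would sit on the node, and one
# password field from a "users" data bag item.
SECRET = "constructed-secret-kept-at-/etc/chef/encrypted_data_bag_secret\n"
item = encrypt_field("constructed-pa55word", SECRET)
puts item.keys.sort.join(", ")     # encrypted_data, iv, version, cipher
puts decrypt_field(item, SECRET)   # the node reads the password back
```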