We keep everything in source control using Github, therefore our cookbook, environment and roles are worked on locally and then uploaded using `from file` and `upload` where appropriate. I understand encrypted data bags are encrypted on the server, but how can we keep them encrypted in Git?
sdot257
2 Answers
You do not. Encrypted data bags are not designed for storage in version control.

coderanger
- All right ... So how would I share the data bags? Am I supposed to work with them off the server using remote commands on the chef server as opposed to having the file locally? – sdot257 Jul 11 '17 at 03:31
- The goal of encrypted data bags is just to store them "securely" on the Chef Server. We do not provide any systems for securing code storage. I would recommend not using them at all, look at more modern systems like Hashicorp Vault and Keywhiz which have their own storage layers, or stuff like ecfg or sops for file storage. – coderanger Jul 11 '17 at 03:38
- Got it. One of my future projects is to see how we can leverage Vault. – sdot257 Jul 11 '17 at 13:34
We keep encrypted data bags in our repository too and use `from file` to upload them to Chef Server. For working with data bags locally we have some rake tasks written. They encrypt and decrypt the data bag json file in place.
```ruby
require 'chef'  # provides Chef::EncryptedDataBagItem and Chef::JSONCompat

namespace 'databag' do
  # Decrypt an encrypted data bag item file with the given secret.
  # Returns the plaintext hash; overwrites the file with it when write is true.
  def decrypt_data_bag_item( json_file, secret_file, write=false )
    secret = Chef::EncryptedDataBagItem.load_secret secret_file
    raw_hash = Chef::JSONCompat.from_json IO.read json_file
    result = Chef::EncryptedDataBagItem.new( raw_hash, secret ).to_hash
    IO.write( json_file, Chef::JSONCompat.to_json_pretty( result ) ) if write
    result
  end

  # Encrypt a plaintext data bag item file in place with the given secret.
  def encrypt_data_bag_item( json_file, secret_file )
    secret = Chef::EncryptedDataBagItem.load_secret secret_file
    raw_hash = Chef::JSONCompat.from_json IO.read json_file
    databag_item = Chef::EncryptedDataBagItem.encrypt_data_bag_item raw_hash, secret
    IO.write json_file, Chef::JSONCompat.to_json_pretty( databag_item )
  end

  desc 'Decrypt encrypted data bag item in place.'
  task :decrypt, [:item_file, :secret_file] do |t, args|
    args.with_defaults :secret_file => ".chef/encrypted_data_bag_secret"
    decrypt_data_bag_item( args.item_file, args.secret_file, true )
  end

  desc 'Encrypt data bag item in place.'
  task :encrypt, [:item_file, :secret_file] do |t, args|
    args.with_defaults :secret_file => ".chef/encrypted_data_bag_secret"
    encrypt_data_bag_item( args.item_file, args.secret_file )
  end
end
```
The workflow is the following:
- Decrypt the data bag
- Edit it
- Encrypt
- Commit and push
- knife data bag from file...
You can find some ideas also in this question: Data bag encryption encrypts on Chef server, but how to encrypt local copy?

Draco Ater
- Speaking as a maintainer of Chef, we do not make any promises as to the safety of this and if it breaks you get to keep all the pieces. – coderanger Jul 11 '17 at 22:51
- Notably I think this uses version 0 encryption which is known to be unsafe. – coderanger Jul 11 '17 at 22:52
- It looks like this: `"gid": { "encrypted_data": "1JGCDlZkGluVIvWpN56/4Zgk8geHaMGF57FZNvTKupL5FYj/lAbhz4DHXeK2\nTApJ\n", "iv": "VbVd91VXkjCZYN5OCGQlmA==\n", "version": 1, "cipher": "aes-256-cbc" }` So the version is "1" I think. – Draco Ater Jul 12 '17 at 10:53
- Still not safe, version 2 is the first that used any form of authenticated encryption and version 3 is the one you should be using. – coderanger Jul 12 '17 at 19:39