Any crypto geeks lurking?


#1

Given the frequency of small bugs in being found in crypto
implementations in open source projects recently, it would be great to
get some detailed review of the encrypted data bag feature. We sort of
built the crypto bits ourselves, albeit on top of OpenSSL. Anyone up
for that?

Xabier has been working on a version 3 of encrypted data bags, please
take a look if you’re into this sort of thing.


Bryan McLellan | chef | software engineer
© 206.607.7108 | (t) @btmspox | (www) http://getchef.com


#2

Is the analysis you’re asking for limited to a crypto review of the
encrypted data bags feature as it currently exists, or are you asking our
opinion of secrets storage in general?

–Michael

On Wed, Jun 11, 2014 at 12:36 PM, Bryan McLellan btm@getchef.com wrote:

Given the frequency of small bugs in being found in crypto
implementations in open source projects recently, it would be great to
get some detailed review of the encrypted data bag feature. We sort of
built the crypto bits ourselves, albeit on top of OpenSSL. Anyone up
for that?

Xabier has been working on a version 3 of encrypted data bags, please
take a look if you’re into this sort of thing.
https://github.com/opscode/chef/pull/1474


Bryan McLellan | chef | software engineer
© 206.607.7108 | (t) @btmspox | (www) http://getchef.com


#3

Secrets storage is a really nuanced issue.

Noah’s blog post on this issue is worth reading,

https://coderanger.net/2014/02/data-bags/

See section: What about encrypted data bags?

If you are an AWS user, please do consider using IAM (with MFA), S3 and
Instance Profile and build from there.

Following pointers should help. I strongly recommend reading it.

Best,
Rajiv

On Wed, Jun 11, 2014 at 12:51 PM, Michael Fischer mfischer@zendesk.com
wrote:

Is the analysis you’re asking for limited to a crypto review of the
encrypted data bags feature as it currently exists, or are you asking our
opinion of secrets storage in general?

–Michael

On Wed, Jun 11, 2014 at 12:36 PM, Bryan McLellan btm@getchef.com
wrote:

Given the frequency of small bugs in being found in crypto
implementations in open source projects recently, it would be great
to get some detailed review of the encrypted data bag feature. We
sort of built the crypto bits ourselves, albeit on top of OpenSSL.
Anyone up for that?

Xabier has been working on a version 3 of encrypted data
bags, please take a look if you’re into this sort of thing.
https://github.com/opscode/chef/pull/1474


Bryan McLellan | chef | software engineer
© 206.607.7108 | (t) @btmspox | (www) http://getchef.com


#4

Rajiv, thank you for posting that coderanger link. While I don’t agree
with his generalization about not storing anything in databags, I’m very
keen on using IAM roles and S3 for storing secrets. I had also not heard
of Barbican.

Cheers,
-Greg

On Thu, Jun 12, 2014 at 1:06 PM, Rajiv Ranganath <
rajiv.ranganath@atihita.com> wrote:

Secrets storage is a really nuanced issue.

Noah’s blog post on this issue is worth reading,

https://coderanger.net/2014/02/data-bags/

See section: What about encrypted data bags?

If you are an AWS user, please do consider using IAM (with MFA), S3 and
Instance Profile and build from there.

Following pointers should help. I strongly recommend reading it.

  • Chapters 19, 20, 21 of

http://www.amazon.com/Secrets-Lies-Digital-Security-Networked/dp/0471453803

  • Part IV and Chapter 23 of

http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/

Best,
Rajiv

On Wed, Jun 11, 2014 at 12:51 PM, Michael Fischer mfischer@zendesk.com
wrote:

Is the analysis you’re asking for limited to a crypto review of the
encrypted data bags feature as it currently exists, or are you asking our
opinion of secrets storage in general?

–Michael

On Wed, Jun 11, 2014 at 12:36 PM, Bryan McLellan btm@getchef.com
wrote:

Given the frequency of small bugs in being found in crypto
implementations in open source projects recently, it would be great
to get some detailed review of the encrypted data bag feature. We
sort of built the crypto bits ourselves, albeit on top of OpenSSL.
Anyone up for that?

Xabier has been working on a version 3 of encrypted data
bags, please take a look if you’re into this sort of thing.
https://github.com/opscode/chef/pull/1474


Bryan McLellan | chef | software engineer
© 206.607.7108 | (t) @btmspox | (www) http://getchef.com