Secrets storage is a really nuanced issue.
Noah’s blog post on this issue is worth reading,
See section: What about encrypted data bags?
If you are an AWS user, please do consider using IAM (with MFA), S3 and
Instance Profile and build from there.
The following pointers should help. I strongly recommend reading it.
On Wed, Jun 11, 2014 at 12:51 PM, Michael Fischer email@example.com
Is the analysis you’re asking for limited to a crypto review of the
encrypted data bags feature as it currently exists, or are you asking our
opinion of secrets storage in general?
On Wed, Jun 11, 2014 at 12:36 PM, Bryan McLellan firstname.lastname@example.org
Given the frequency of small bugs being found in crypto
implementations in open source projects recently, it would be great
to get some detailed review of the encrypted data bag feature. We
sort of built the crypto bits ourselves, albeit on top of OpenSSL.
Anyone up for that?
Xabier has been working on a version 3 of encrypted data
bags, please take a look if you’re into this sort of thing.
Bryan McLellan | chef | software engineer
(c) 206.607.7108 | (t) @btmspox | (www) http://getchef.com