Any crypto geeks lurking?

Given the frequency of small bugs being found in crypto
implementations in open source projects recently, it would be great to
get some detailed review of the encrypted data bag feature. We sort of
built the crypto bits ourselves, albeit on top of OpenSSL. Anyone up
for that?

Xabier has been working on a version 3 of encrypted data bags, please
take a look if you're into this sort of thing.
https://github.com/opscode/chef/pull/1474
([CHEF-5356] Encrypted data bags should use different HMAC key and include the IV in the HMAC by zuazo · Pull Request #1474 · chef/chef · GitHub)

--
Bryan McLellan | chef | software engineer
(c) 206.607.7108 | (t) @btmspox | (www) http://getchef.com
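The pull request Bryan links is titled around two properties: the HMAC key must differ from the cipher key, and the IV must be covered by the HMAC. The Ruby below is an added illustration of exactly those two points and is not Chef's code; it does not reproduce Chef's real encrypted data bag format or key derivation. The labelled-HMAC key split, the field names, the sample item and the `shared-secret` value are all assumptions made for the example. The `mac_covers_iv:` switch exists only to show what goes wrong when the IV is left out of the MAC: a flipped IV bit then passes the integrity check and silently changes the first plaintext block, whereas with the IV authenticated the item is rejected before decryption.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical key derivation (not Chef's): two labelled HMACs over the shared
# secret give a cipher key and a MAC key that are independent of each other.
def derive_keys(secret)
  enc_key = OpenSSL::HMAC.digest('SHA256', secret, 'encrypted_data_bag:enc')
  mac_key = OpenSSL::HMAC.digest('SHA256', secret, 'encrypted_data_bag:mac')
  [enc_key, mac_key]
end

# Constant-time comparison so MAC verification does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt-then-MAC: AES-256-CBC under a fresh random IV, then HMAC-SHA256 over
# IV || ciphertext (or, for the weak variant, over the ciphertext alone).
def encrypt_item(plaintext, secret, mac_covers_iv: true)
  enc_key, mac_key = derive_keys(secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  iv = cipher.random_iv            # generates the IV and sets it on the cipher
  cipher.key = enc_key
  ciphertext = cipher.update(plaintext) + cipher.final
  mac_input = mac_covers_iv ? iv + ciphertext : ciphertext
  hmac = OpenSSL::HMAC.digest('SHA256', mac_key, mac_input)
  {
    'version' => 3,                # illustrative layout, not Chef's exact schema
    'cipher' => 'aes-256-cbc',
    'iv' => Base64.strict_encode64(iv),
    'encrypted_data' => Base64.strict_encode64(ciphertext),
    'hmac' => Base64.strict_encode64(hmac)
  }
end

# Verify the HMAC first; only a correctly authenticated item is ever decrypted.
def decrypt_item(item, secret, mac_covers_iv: true)
  enc_key, mac_key = derive_keys(secret)
  iv = Base64.strict_decode64(item['iv'])
  ciphertext = Base64.strict_decode64(item['encrypted_data'])
  hmac = Base64.strict_decode64(item['hmac'])
  mac_input = mac_covers_iv ? iv + ciphertext : ciphertext
  expected = OpenSSL::HMAC.digest('SHA256', mac_key, mac_input)
  unless constant_time_equal?(expected, hmac)
    raise 'HMAC mismatch: item was modified or the secret is wrong'
  end
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = enc_key
  cipher.iv = iv
  cipher.update(ciphertext) + cipher.final
end

def roundtrip(plaintext, secret)
  decrypt_item(encrypt_item(plaintext, secret), secret)
end

# Flip one bit of the stored IV and report whether decryption rejects the item.
# With the IV inside the HMAC the tamper is caught; without it, CBC decryption
# "succeeds" and quietly returns a corrupted first block.
def iv_tamper_detected?(secret, mac_covers_iv:)
  item = encrypt_item('{"password":"hunter2"}', secret, mac_covers_iv: mac_covers_iv)
  iv = Base64.strict_decode64(item['iv']).bytes
  iv[0] ^= 0x01
  tampered = item.merge('iv' => Base64.strict_encode64(iv.pack('C*')))
  decrypt_item(tampered, secret, mac_covers_iv: mac_covers_iv)
  false
rescue RuntimeError
  true
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(encrypt_item('{"password":"hunter2"}', 'shared-secret'))
  puts "IV tamper detected, IV in HMAC:     #{iv_tamper_detected?('shared-secret', mac_covers_iv: true)}"
  puts "IV tamper detected, IV not in HMAC: #{iv_tamper_detected?('shared-secret', mac_covers_iv: false)}"
end
```

Two design points worth noting: the MAC is checked before any decryption is attempted, so a forged or corrupted item never reaches the cipher, and the comparison is constant-time. Using one key for both AES and HMAC is what the separate derivation avoids; reusing it couples the two primitives in ways the standard security proofs for encrypt-then-MAC do not cover.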

Is the analysis you're asking for limited to a crypto review of the
encrypted data bags feature as it currently exists, or are you asking our
opinion of secrets storage in general?

--Michael

On Wed, Jun 11, 2014 at 12:36 PM, Bryan McLellan btm@getchef.com wrote:

> Given the frequency of small bugs being found in crypto
> implementations in open source projects recently, it would be great to
> get some detailed review of the encrypted data bag feature. We sort of
> built the crypto bits ourselves, albeit on top of OpenSSL. Anyone up
> for that?
>
> Xabier has been working on a version 3 of encrypted data bags, please
> take a look if you're into this sort of thing.
> https://github.com/opscode/chef/pull/1474
> ([CHEF-5356] Encrypted data bags should use different HMAC key and include the IV in the HMAC by zuazo · Pull Request #1474 · chef/chef · GitHub)
>
> --
> Bryan McLellan | chef | software engineer
> (c) 206.607.7108 | (t) @btmspox | (www) http://getchef.com

Secrets storage is a really nuanced issue.

Noah's blog post on this issue is worth reading:

Data Bags are a Code Smell – Noah Kantrowitz
https://coderanger.net/2014/02/data-bags/

See section: What about encrypted data bags?

If you are an AWS user, please do consider using IAM (with MFA), S3 and
Instance Profile and build from there.

The following pointers should help. I strongly recommend reading them.

  • Chapters 19, 20, 21 of

Amazon.com

  • Part IV and Chapter 23 of

http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/

Best,
Rajiv

On Wed, Jun 11, 2014 at 12:51 PM, Michael Fischer mfischer@zendesk.com
wrote:

> Is the analysis you're asking for limited to a crypto review of the
> encrypted data bags feature as it currently exists, or are you asking our
> opinion of secrets storage in general?
>
> --Michael

Rajiv, thank you for posting that coderanger link. While I don't agree
with his generalization about not storing anything in data bags, I'm very
keen on using IAM roles and S3 for storing secrets. I had also not heard
of Barbican.

Cheers,
-Greg

On Thu, Jun 12, 2014 at 1:06 PM, Rajiv Ranganath
rajiv.ranganath@atihita.com wrote:

> Secrets storage is a really nuanced issue.
>
> Noah's blog post on this issue is worth reading:
>
> Data Bags are a Code Smell – Noah Kantrowitz
> https://coderanger.net/2014/02/data-bags/
>
> See section: What about encrypted data bags?
>
> If you are an AWS user, please do consider using IAM (with MFA), S3 and
> Instance Profile and build from there.
>
> The following pointers should help. I strongly recommend reading them.
>
>   • Chapters 19, 20, 21 of
>
> Amazon.com
>
>   • Part IV and Chapter 23 of
>
> http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/
>
> Best,
> Rajiv