AWS Security Groups


#1

Is there a known public cookbook for creating AWS security groups? I don’t
know about the security implications, but I’d like to try having the
recipes creating the necessary security groups. Otherwise, it’s a major
hassle to put them into a script. AFAIK chef-metal/provisioner doesn’t do
security groups yet.

This one, https://github.com/SearchSpring/aws_security, wants to use
encrypted data bags and, well, that’s a pain. I’d prefer to use IAM roles
where possible. I’d never noticed before, but it looks like encrypted data
bags are only encrypted on the Chef server, not on the local file system?
If so, what’s the point?

Doug


#2

RE: data bags being encrypted on the Chef server and not on your local
system, that’s correct.
I should say that data bags themselves are not encrypted. There’s no
difference between a data bag and an encrypted data bag. It’s the items
within the data bag that are (or aren’t) encrypted. Even though they’re
called “encrypted data bag”.
If you find it a problem that what’s in your local file system is not
encrypted, then what you can do is upload your JSON file with the secret
(as seen in your other thread I just replied to), then delete the file from
your local file system, and if you want the encrypted file locally, then
just download it from the Chef server, it’ll be encrypted then.

On Sun, Nov 16, 2014 at 9:11 PM, Douglas Garstang <doug.garstang@gmail.com> wrote:



#3

Oh. Thanks for that. And, that’s… terrible. :frowning: The point is not to have
the unencrypted file in git.

Doug.

On Sun, Nov 16, 2014 at 6:48 PM, Fabien Delpierre <fabien.delpierre@gmail.com> wrote:


Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garstang@gmail.com
Cell: +1-805-340-5627


#4

Doug,

While the file itself won’t be encrypted, its contents will be, so it IS safe to version the file in Git (we do in a repo that covers our data bags, environments, & roles).


Jeff Byrnes
Operations Engineer
EverTrue
@berkleebassist

On November 17, 2014 at 12:36:03 AM, Douglas Garstang (doug.garstang@gmail.com) wrote:



#5

Yes. You can see that for yourself, just upload your JSON file with the
secret, then use the knife download command to download it back from the
server, then compare your original to the one you just downloaded, you’ll
see how the encryption works. And then you can add the encrypted version to
Git, it is safe (or at least, it’s as safe as your encryption key is).

On Mon, Nov 17, 2014 at 7:53 AM, Jeff Byrnes jeff@evertrue.com wrote:



#6

I’m not following. The file is unencrypted locally. Are you saying that the
knife command will encrypt the local file?

On Mon, Nov 17, 2014 at 5:41 AM, Fabien Delpierre <fabien.delpierre@gmail.com> wrote:



#7

That’s correct. Knife will use your encryption key to de/encrypt the data in an encrypted data bag.

If you’d like to see the raw content of a data bag item, you can run this command:

knife exec -E "puts JSON.pretty_generate(api.get('/data/data_bag/data_bag_item'))"

That will output the raw JSON, pretty-printed, from your Chef Server.

To add to the confusion, if you have the knife[:secret_file] setting in your .knife.rb set, using the knife data bag show command will always display a decrypted data bag item, which can be very confusing.


Jeff Byrnes
@berkleebassist
Lead DevOps Engineer
EverTrue
704.516.4628

On November 17, 2014 at 12:24:27 PM, Douglas Garstang (doug.garstang@gmail.com) wrote:



#8

To make matters worse, actually, if you have said knife[:secret_file] attribute set, it will also always create encrypted data bags as well.


Eric

On November 17, 2014 at 12:28:38 PM, Jeff Byrnes (jeff@evertrue.com) wrote:



#9

Well, I can also see the raw content by looking at my local file, since
that’s not encrypted either…

On Mon, Nov 17, 2014 at 9:28 AM, Jeff Byrnes jeff@evertrue.com wrote:



#10

In most setups, where the local file is what’s being pushed to source control, the data in that file should be encrypted. If you mean that you can easily look at the “raw” contents by looking at the local file, however, that would be correct.


Eric

On November 17, 2014 at 12:35:44 PM, Douglas Garstang (doug.garstang@gmail.com) wrote:



#11

Right, but again, assuming you don’t have the knife[:secret_file] attribute
set in your knife.rb, do this:

knife data bag create mybag
knife data bag from file mybag test.json --secret foo

Now you should have a data bag called ‘mybag’ containing an encrypted item
called ‘test’.
Now run:

knife data bag show mybag test

That will show you how the item is stored on the Chef server, i.e. encrypted.
Next, if you run:

knife data bag show mybag test --secret foo

It will decrypt the file and show you the output.

Lastly, if you want to check the encrypted file into Git, then just delete
that test.json, then use the knife download command to download your
test.json back from your Chef server – it’ll come back encrypted.

On Mon, Nov 17, 2014 at 12:35 PM, Douglas Garstang <doug.garstang@gmail.com> wrote:

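The walk-through in #11 (create the bag, load test.json with --secret, show the item with and without the secret) leaves an item in Chef's version-1 encrypted layout on the server, and the thread's whole disagreement is about which parts of that file are still plaintext. The Ruby below is an added illustration written for this page, not code from Chef or from anyone in the thread; it is modelled on the version-1 layout as I understand it (aes-256-cbc, key = SHA-256 of the shared secret, each value JSON-wrapped under json_wrapper, the "id" left in the clear) using only the standard library, and the item contents and the secret "foo" are constructed.

```ruby
require "openssl"
require "json"
require "base64"
require "digest"

# Constructed example item: what a local test.json for bag "mybag" holds
# before `knife data bag from file mybag test.json --secret foo`.
PLAINTEXT_ITEM = {
  "id"       => "test",
  "aws_key"  => "AKIA-EXAMPLE-NOT-REAL",
  "aws_pass" => "hunter2",
  "ports"    => [22, 443]
}.freeze

CIPHER = "aes-256-cbc"

# The AES key is derived from the shared secret with SHA-256, so the item is
# exactly as safe as that secret (the point made in #5).
def derive_key(secret)
  Digest::SHA256.digest(secret)
end

# Encrypt one field value in the version-1 layout: the value is JSON-wrapped,
# encrypted under a fresh random IV, and stored beside the IV and cipher name.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  wrapped = JSON.generate({ "json_wrapper" => value })
  {
    "encrypted_data" => Base64.encode64(cipher.update(wrapped) + cipher.final),
    "iv"             => Base64.encode64(iv),
    "version"        => 1,
    "cipher"         => CIPHER
  }
end

# Reverse of encrypt_value; a wrong secret fails on padding or on JSON parsing.
def decrypt_value(field, secret)
  raise "unexpected cipher #{field['cipher']}" unless field["cipher"] == CIPHER
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Every field except "id" is encrypted; the item name stays readable, which is
# why the downloaded item is still addressable as `knife data bag show mybag test`.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : encrypt_value(v, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : decrypt_value(v, secret)
  end
end

# Pre-commit guard: true only if every non-id field has the encrypted layout.
# A plaintext test.json (the case Doug hit) fails this check.
def fully_encrypted?(item)
  fields = %w[encrypted_data iv version cipher]
  item.all? do |k, v|
    k == "id" || (v.is_a?(Hash) && fields.all? { |f| v.key?(f) })
  end
end

if $PROGRAM_NAME == __FILE__
  secret = "foo" # the example secret from the thread
  enc = encrypt_item(PLAINTEXT_ITEM, secret)
  puts JSON.pretty_generate(enc)
  puts "plaintext file safe to commit? #{fully_encrypted?(PLAINTEXT_ITEM)}"
  puts "encrypted file safe to commit? #{fully_encrypted?(enc)}"
  puts "round trip ok? #{decrypt_item(enc, secret) == PLAINTEXT_ITEM}"
end
```

Version 1 encrypts the values but does not authenticate them; Chef's later item formats add an HMAC (version 2) or use AES-256-GCM (version 3), which a current deployment should prefer. The fully_encrypted? check is the kind of pre-commit guard that would have flagged the plaintext test.json discussed above before it reached Git.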