For example, I used chef-vault to distribute passwords.
How I understand it:
When we create a vault with:
knife encrypt create databag item
chef-vault creates TWO data bag items:
databag item and databag item_keys
Values in the second data bag item are encrypted with the client public keys
stored on the chef-server, which are allowed to decrypt the values.
But I cannot understand what is stored in the first data bag?
If I back up the bags created by chef-vault via knife
download (knife-essentials), and then
lose all private keys of the nodes (admins), for example the building
with the nodes, including the admin machines, burns down,
can I not decrypt my passwords?
How I understand it: if I don't have my admin key in knife.rb on
my admin machine, I cannot show the values with the command?
knife encrypt show databag item
And the last question:
What do you think about the following strategy:
- Store secrets only in one place in plaintext, for example on a
cryptfs filesystem with a VCS.
For example, JSON files plus a script to upload these JSON data bags to the server
with knife encrypt create.
So I can be sure that passwords and other sensitive information for
deploying all of our infrastructure are in one place.
And for backup I can use strongly ENCRYPTED USB flash drives.
This is a simple solution and very good, I think? Isn't it?
CVision Lab System Administrator
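The question above hinges on what the two data bag items actually hold and which key is needed to read them. The script below is an added illustration, not chef-vault's own code: it models the envelope layout chef-vault uses, with the values in the "item" bag encrypted under a random shared secret (in Chef's v1 encrypted data bag format, AES-256-CBC with the key derived as SHA-256 of the secret) and that shared secret RSA-wrapped once per allowed client or admin in the "item_keys" bag. The names admin1/node1, the sample passwords and the simplified item_keys fields are constructed here. It shows that a backup of both bags is useless without at least one listed private key, and that any one listed private key is enough to recover everything.

```python
"""Toy model of the chef-vault envelope: two data bag items per vault.

Added illustration, not chef-vault's code. The layout mirrors a chef-vault
item: secret-encrypted values in "item", the shared secret RSA-wrapped per
client/admin in "item_keys". Values use Chef's v1 encrypted data bag format
(AES-256-CBC, key = SHA-256 of the shared secret). item_keys is simplified
(only an "admins" list is kept). Names and sample data are constructed.
"""
import base64
import hashlib
import json
import os

from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as rsa_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def new_keypair():
    """Stand-in for a client.pem / admin.pem issued by the chef-server."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_value(secret: bytes, value) -> dict:
    """Encrypt one data bag value as Chef's v1 encrypted data bag format does."""
    key = hashlib.sha256(secret).digest()
    iv = os.urandom(16)
    plaintext = json.dumps({"json_wrapper": value}).encode()
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    return {
        "encrypted_data": base64.b64encode(ciphertext).decode(),
        "iv": base64.b64encode(iv).decode(),
        "version": 1,
        "cipher": "aes-256-cbc",
    }


def decrypt_value(secret: bytes, blob: dict):
    """Inverse of encrypt_value."""
    key = hashlib.sha256(secret).digest()
    iv = base64.b64decode(blob["iv"])
    ciphertext = base64.b64decode(blob["encrypted_data"])
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    plaintext = unpadder.update(padded) + unpadder.finalize()
    return json.loads(plaintext)["json_wrapper"]


def create_vault(item_id: str, data: dict, public_keys: dict):
    """Return (item, item_keys), the two bags a vault create uploads.

    public_keys maps a client/admin name to its RSA public key, as the
    chef-server would hold it.
    """
    secret = os.urandom(32)  # shared secret; it is never stored in clear
    item = {"id": item_id}
    for name, value in data.items():
        item[name] = encrypt_value(secret, value)
    item_keys = {"id": f"{item_id}_keys", "admins": sorted(public_keys)}
    for client, pub in public_keys.items():
        # one copy of the shared secret per allowed client, wrapped with
        # that client's public key (PKCS#1 v1.5, as Ruby's public_encrypt does)
        wrapped = pub.encrypt(secret, rsa_padding.PKCS1v15())
        item_keys[client] = base64.b64encode(wrapped).decode()
    return item, item_keys


def open_vault(item: dict, item_keys: dict, name: str, private_key) -> dict:
    """Recover the plaintext values using the private key of a listed client."""
    if name not in item_keys:
        raise KeyError(f"{name} is not allowed to decrypt {item['id']}")
    wrapped = base64.b64decode(item_keys[name])
    secret = private_key.decrypt(wrapped, rsa_padding.PKCS1v15())
    return {k: decrypt_value(secret, v) for k, v in item.items() if k != "id"}


def contains_plaintext(item: dict, item_keys: dict, needle: str) -> bool:
    """True if the needle appears in clear anywhere in the two uploaded bags."""
    return needle in json.dumps(item) or needle in json.dumps(item_keys)


if __name__ == "__main__":
    keys = {n: new_keypair() for n in ("admin1", "node1")}
    pubs = {n: k.public_key() for n, k in keys.items()}
    item, item_keys = create_vault("passwords", {"db": "s3cret"}, pubs)
    # A backup of both bags holds no plaintext; only a listed key opens it.
    print(contains_plaintext(item, item_keys, "s3cret"))
    print(open_vault(item, item_keys, "admin1", keys["admin1"]))
```

In this model a knife download of both bags is a complete backup only together with one of the private keys named in item_keys; if every such key is lost, nothing in the backup can be decrypted, which is why keeping the source JSON in one encrypted, backed-up place (as proposed above) is what makes re-creating the vaults possible.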