Can I restrict vault to decrypt passwords only on specific machines?


#1

Greetings Masters

Is there a way I can increase vault's security by attaching it only to certain machines? Meaning: only certain machines can decrypt vault credentials.

E.g. my workstations are machine1.domain.com and machine2.domain.com. I do not want any other machine to decrypt vault credentials. Even if my user.pem file gets compromised, a hacker will not be able to crack the password unless he has access to machine1 or machine2.

Please guide.

Regards
Manish Mehra


#2

Chef-Vault was specifically made for this purpose, so yes, it is possible. But first, please make sure that you are really using Chef-Vault and not HashiCorp Vault or simply encrypted data bags.

For Chef-Vault you can define a search, and only nodes returned by this search will have access to the data. In your case the search might look something like: knife vault … --search "name:machine1.domain.com OR name:machine2.domain.com". You can also test your search string with "knife search node".


#3

Thanks @joerg.herzinger
This is more about decrypting vault secrets on chef nodes (returned from search).
I want to decrypt vault secrets from specific workstations. Even if someone steals my pem files, he should not be able to decrypt my vault secrets. Is it possible?


#4

I am not really sure what you mean. There are chef nodes (the servers the chef-client runs on) and workstations (the laptops your devs and sysadmins work on), or at least that is the terminology I would use.
Chef Vaults are encrypted for specific chef nodes and/or for certain admins (the people that should have access). Each node and each admin uses its own pem file to decrypt the vault. So if someone steals the pem file of machine1.domain.com, the thief will only be able to decrypt the vaults machine1.domain.com has access to.

All this is very well documented in the official GitHub repo and in various blog posts. This one is quite up to date and a good read: https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/
If you think Chef Vault does not fit your needs, you could try HashiCorp Vault.
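The access model that #2 and #4 describe (the item is encrypted once, and its key is wrapped for every node the search returns plus each listed admin, so a stolen pem only opens what that one principal was granted), as an added illustration in Ruby. This is not chef-vault's own code: the node names machine1.domain.com, machine2.domain.com, machine3.domain.com, the admin name "manish" and the secret are constructed for the example, and the wrapping scheme (random AES key, RSA-encrypted once per principal) is a simplified model of what the chef-vault README describes, not its exact data bag layout.

```ruby
require 'openssl'
require 'base64'

# Toy model of the chef-vault access scheme (added example, not chef-vault's code).
# Each principal (a chef node or an admin) owns an RSA key pair; the Chef server
# holds the public half. A vault item is encrypted with a random symmetric key, and
# that key is wrapped with the public key of every principal the search (or the
# --admins list) selected. Only those principals can unwrap it with their own pem.
class Principal
  attr_reader :name, :key

  def initialize(name)
    @name = name
    @key = OpenSSL::PKey::RSA.new(2048) # stands in for the node's/admin's .pem
  end

  def public_pem
    @key.public_key.to_pem
  end
end

# Encrypt +secret+ for +readers+ (the nodes a --search returns plus any --admins).
# Returns [item, keys]: the ciphertext record and the per-reader wrapped data keys
# (the role of chef-vault's ITEM_keys data bag item).
def vault_create(secret, readers)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(secret) + cipher.final
  item = {
    'iv' => Base64.strict_encode64(iv),
    'auth_tag' => Base64.strict_encode64(cipher.auth_tag),
    'encrypted_data' => Base64.strict_encode64(ciphertext)
  }
  keys = {}
  readers.each do |r|
    pub = OpenSSL::PKey::RSA.new(r.public_pem) # what the server has for this reader
    keys[r.name] = Base64.strict_encode64(pub.public_encrypt(data_key))
  end
  [item, keys]
end

# Decrypt as +principal+: unwrap its copy of the data key with its private key.
# Anyone without an entry, or without the matching private key, fails here.
def vault_decrypt(item, keys, principal)
  wrapped = keys[principal.name]
  raise "#{principal.name} is not in the vault's key list" unless wrapped

  data_key = principal.key.private_decrypt(Base64.strict_decode64(wrapped))
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = data_key
  d.iv = Base64.strict_decode64(item['iv'])
  d.auth_tag = Base64.strict_decode64(item['auth_tag'])
  d.auth_data = ''
  d.update(Base64.strict_decode64(item['encrypted_data'])) + d.final
end

# Walk through the thread's scenario and return what each party gets.
def demo
  machine1 = Principal.new('machine1.domain.com')
  machine2 = Principal.new('machine2.domain.com')
  outsider = Principal.new('machine3.domain.com') # a node the search did not return
  admin    = Principal.new('manish')              # an --admins entry (constructed name)
  secret   = 'db-password-hunter2'                # constructed sample secret

  item, keys = vault_create(secret, [machine1, machine2, admin])
  results = { machine1: vault_decrypt(item, keys, machine1),
              admin: vault_decrypt(item, keys, admin) }

  begin # not in the search: no wrapped key exists for it at all
    vault_decrypt(item, keys, outsider)
    results[:outsider] = 'decrypted (should not happen)'
  rescue RuntimeError => e
    results[:outsider] = e.message
  end

  begin # even handed machine1's wrapped blob, the outsider's pem cannot unwrap it
    vault_decrypt(item, keys.merge(outsider.name => keys[machine1.name]), outsider)
    results[:stolen_blob] = 'decrypted (should not happen)'
  rescue OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError, ArgumentError
    results[:stolen_blob] = 'rejected'
  end

  # If machine1's pem leaks, the remedy is a new data key re-wrapped for the
  # remaining readers (the job of "knife vault rotate keys" with a narrower search).
  _item2, keys2 = vault_create(secret, [machine2, admin])
  results[:machine1_after_rotate] = keys2.key?(machine1.name)
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With the real tool the reader set comes from "knife vault create VAULT ITEM --json FILE --search 'name:machine1.domain.com OR name:machine2.domain.com' --admins 'manish'"; "knife vault refresh VAULT ITEM" re-applies the stored search after nodes come and go, and "knife vault rotate keys VAULT ITEM" generates a fresh data key so that a pem copied earlier no longer opens the item.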