Can I restrict vault to decrypt passwords only on specific machines?


Greetings Masters

Is there a way I can increase vault’s security by attaching it only to certain machines? Meaning: only certain machines can decrypt vault credentials.

E.g. my workstations are in: and I do not want any other machine to decrypt vault credentials. Even if my user.pem file gets compromised, a hacker will not be able to crack the password unless he has access to machine1 or machine2.

Please guide.

Manish Mehra


Chef-Vault was specifically made for this purpose, so yes, it is possible. But first, please make sure that you are really using Chef-Vault and not HashiCorp Vault or simply encrypted data bags.

For Chef-Vault you can define a search, and only nodes returned by this search will have access to the data. In your case the search might look something like "knife vault … --search “ OR”. You can also test your search string with "knife search node ".


Thanks @joerg.herzinger
This is more about decrypting vault secrets on chef nodes (returned from search).
I want to decrypt vault secrets from specific workstations. Even if someone steals my pem files, he should not be able to decrypt my vault secrets. Is it possible?


I am not really sure what you mean. There are chef nodes (the servers the chef-client runs on) and workstations (the laptops your devs and sysadmins work on), or at least that is the terminology I would use.
Chef Vaults are encrypted for specific chef nodes and/or for certain admins (the people that should have access). Each node and each admin uses its own pem file to decrypt the vault. So if someone steals the pem file of the thief will only be able to decrypt the vaults has access to.

All this is very well documented in the official GitHub repo and in various blog posts. This one is quite up to date and a good read:
If you think chef-vault does not fit your needs, you could try HashiCorp Vault.
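To make the model in both replies above concrete (a vault item is encrypted for a chosen list of nodes and admins, and each of them unwraps it with its own pem file), here is an added, constructed Ruby illustration. It is not chef-vault's own code nor the poster's: the function names `vault_create`, `vault_decrypt` and `demo_chef_vault_model` are invented, the primitives (AES-256-GCM for the item, RSA-OAEP to wrap the shared secret) are assumptions chosen for the illustration, and the recipient list is passed in directly instead of coming from a `knife vault --search`/`--admins` query against a Chef server.

```ruby
require 'openssl'
require 'base64'
# Added example, not chef-vault's own code: a minimal model of how a
# chef-vault item is protected. The item is encrypted under a random shared
# secret, and that secret is RSA-wrapped once per recipient (node or admin)
# with the recipient's public key; `knife vault --search/--admins` builds
# the recipient list from the Chef server, here the caller passes it in.
def vault_create(plaintext, recipients)
  shared_secret = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = shared_secret
  iv = cipher.random_iv
  cipher.auth_data = ''
  data = cipher.update(plaintext) + cipher.final
  # one wrapped copy of the secret per allowed client, keyed by client name
  keys = recipients.map do |name, pubkey|
    wrapped = pubkey.public_encrypt(shared_secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    [name, Base64.strict_encode64(wrapped)]
  end.to_h
  { 'item' => { 'iv' => Base64.strict_encode64(iv),
                'tag' => Base64.strict_encode64(cipher.auth_tag),
                'data' => Base64.strict_encode64(data) },
    'keys' => keys }
end
# Plaintext for a listed client holding the matching private key; nil when
# the client is not listed or the key does not unwrap the shared secret.
def vault_decrypt(vault, name, private_key)
  wrapped = vault['keys'][name]
  return nil if wrapped.nil?
  secret = private_key.private_decrypt(Base64.strict_decode64(wrapped),
                                       OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = secret
  cipher.iv = Base64.strict_decode64(vault['item']['iv'])
  cipher.auth_tag = Base64.strict_decode64(vault['item']['tag'])
  cipher.auth_data = ''
  cipher.update(Base64.strict_decode64(vault['item']['data'])) + cipher.final
rescue OpenSSL::OpenSSLError, ArgumentError
  nil
end

# Constructed scenario: two listed workstations and an outsider whose pem was
# never listed. Returns what each decryption attempt recovers.
def demo_chef_vault_model
  machine1, machine2, outsider = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  vault = vault_create('db-password', 'machine1' => machine1, 'machine2' => machine2)
  { listed: vault_decrypt(vault, 'machine1', machine1),      # "db-password"
    unlisted: vault_decrypt(vault, 'outsider', outsider),    # nil
    wrong_key: vault_decrypt(vault, 'machine2', outsider) }  # nil
end
p demo_chef_vault_model if __FILE__ == $0
```

The `wrong_key` case is the one the question asks about: a stolen pem that was never listed for the item cannot unwrap its shared secret, and a stolen pem that was listed opens exactly the items it was listed for, which is what the second reply describes.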