Chef vault creation

Is it necessary to define the nodes that can access the vault, or will it work if we do not define any node in the command when creating the vault?

When I create a vault and try to view it from the workstation, it gives this error.

It is not finding the key, though I can see on the chef-server that tst1234 and tst1234_keys are present:

[root@workstation data_bags]# knife vault show catalog_vault_test tst1234
ERROR: Chef::Exceptions::InvalidDataBagItemID: Item tst1234_keys not found in data bag catalog_vault_test. Other items found:

Do you have knife[:vault_mode] = 'client' in your knife.rb? This tells chef-vault to talk to the Chef server instead of acting locally.

Is there anything else I need to configure for chef-vault?

I am currently checking this on the workstation.

So do I need to change solo mode to client mode?

If you want to make the vault available to clients that are stored on the Chef server, then you need knife[:vault_mode] = 'client' in your knife.rb.

Suppose I have 1000 nodes; is it mandatory for me to mention them in the -S option when creating a vault?
Or, if I don't mention any clients, will the nodes be able to read the value from the vault in decrypted form?

Only the nodes specified (or actually found) by the -S option will be able to decrypt the vault. If you pass an empty -S option, no nodes will be able to decrypt the vault.

Searching for nodes with -S can be insecure. This is because any node that has been compromised can potentially fake its own data and be picked up by the search. If this happens, the next time someone runs knife vault refresh, the compromised node could illicitly be given decryption access.

How do I get rid of this issue?

You can either:

  • manually specify the list of nodes that should have access to the vault (-C option), but with 1000 nodes that will be quite a pain
  • specify a range/list of node names with a search: -S 'name:[host01 TO host04]'
  • use an external secure data source such as HashiCorp Vault.
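The following is an added example, not code from this thread and not chef-vault's own implementation: a simplified Ruby model of the mechanism the answer above relies on, so the -S / -C / empty-search behaviour and the refresh risk can be seen end to end without a Chef server. Like chef-vault, it encrypts the item under a fresh random secret and stores that secret in an ITEM_keys item, wrapped with the public key of every authorised client and admin; the real tool fetches those public keys from the Chef server and uses Chef's encrypted data bag format, which this model stands in for with RSA wrapping and AES-GCM. The key pairs, the node attribute data, the item name tst1234, the node names and the two search helpers are all constructed here for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed RSA key pairs standing in for the client keys the Chef server
# holds for each node, plus one admin user. Generated here; not real keys.
KEYS = %w[admin host01 host02 rogue01].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }

# Constructed node objects as the search index would see them. Each node
# reports its own attributes, which is exactly what a compromised node can forge.
SAMPLE_NODES = {
  'host01'  => { 'role' => 'catalog' },
  'host02'  => { 'role' => 'catalog' },
  'rogue01' => { 'role' => 'web' },
}

# Stand-in for `-S 'role:catalog'`: select nodes by an attribute they report.
def search_attr(nodes, attr, value)
  nodes.select { |_, attrs| attrs[attr] == value }.keys
end

# Stand-in for `-S 'name:[host01 TO host04]'`: select nodes by name alone.
def search_name_range(nodes, from, to)
  nodes.keys.select { |name| name >= from && name <= to }
end

# Encrypt the shared secret to each principal's public key: one entry per
# client/admin name, as in the ITEM_keys data bag item.
def wrap_secret(secret, principals)
  principals.to_h do |name|
    [name, Base64.strict_encode64(KEYS.fetch(name).public_key.public_encrypt(secret))]
  end
end

# Recover the shared secret with one principal's private key.
def unwrap_secret(keys_item, principal)
  wrapped = keys_item[principal]
  raise "#{principal} has no entry in #{keys_item['id']}" unless wrapped
  KEYS.fetch(principal).private_decrypt(Base64.strict_decode64(wrapped))
end

# Model of `knife vault create ITEM -A admin -S ... / -C ...`: the item body is
# encrypted under a fresh random secret; ITEM_keys carries that secret wrapped
# for every client the search returned plus the admins.
def vault_create(item_id, data, clients:, admins: ['admin'])
  secret = OpenSSL::Random.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  body = cipher.update(JSON.generate(data)) + cipher.final
  item = { 'id' => item_id, 'iv' => Base64.strict_encode64(iv),
           'tag' => Base64.strict_encode64(cipher.auth_tag),
           'data' => Base64.strict_encode64(body) }
  keys_item = { 'id' => "#{item_id}_keys", 'clients' => clients, 'admins' => admins }
  [item, keys_item.merge(wrap_secret(secret, clients + admins))]
end

# Model of `knife vault refresh`: an admin recovers the secret and re-wraps it
# for whatever the search returns *now*. Nothing checks why a node matched.
def vault_refresh(keys_item, clients, admin: 'admin')
  secret = unwrap_secret(keys_item, admin)
  refreshed = { 'id' => keys_item['id'], 'clients' => clients, 'admins' => keys_item['admins'] }
  refreshed.merge(wrap_secret(secret, clients + keys_item['admins']))
end

# What a node does at chef-client time: unwrap the secret, then decrypt the item.
def vault_read(item, keys_item, principal)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = unwrap_secret(keys_item, principal)
  decipher.iv = Base64.strict_decode64(item['iv'])
  decipher.auth_tag = Base64.strict_decode64(item['tag'])
  JSON.parse(decipher.update(Base64.strict_decode64(item['data'])) + decipher.final)
end

def can_read?(item, keys_item, principal)
  vault_read(item, keys_item, principal)
  true
rescue RuntimeError, OpenSSL::PKey::PKeyError
  false
end

# Walk through the scenario from the thread and report who can decrypt at each step.
def demo
  nodes = SAMPLE_NODES.transform_values(&:dup)
  secret_data = { 'password' => 's3cret' }
  item, keys = vault_create('tst1234', secret_data, clients: search_attr(nodes, 'role', 'catalog'))
  who = ->(i, k) { %w[host01 host02 rogue01].to_h { |n| [n, can_read?(i, k, n)] } }
  result = { plaintext: vault_read(item, keys, 'host01'), before: who.call(item, keys) }

  # Compromised rogue01 rewrites its own attributes to match the saved search,
  # and the next refresh hands it a wrapped copy of the secret.
  nodes['rogue01']['role'] = 'catalog'
  result[:after_attr_refresh] = who.call(item, vault_refresh(keys, search_attr(nodes, 'role', 'catalog')))

  # A name-range search cannot be influenced by anything the node reports.
  result[:after_name_refresh] = who.call(item, vault_refresh(keys, search_name_range(nodes, 'host01', 'host04')))

  # An empty -S: no node gets an entry; only the admin can still read the item.
  empty_item, empty_keys = vault_create('tst9999', secret_data, clients: [])
  result[:empty_search] = who.call(empty_item, empty_keys)
  result[:admin_always] = can_read?(empty_item, empty_keys, 'admin')
  result
end
```

Running `demo` shows the three outcomes the answer describes: nodes found by the attribute search (and only those) can decrypt, a node that forges its role is picked up by the next attribute-based refresh, and the same refresh driven by a name range leaves it out. The error in the question, where the _keys item exists on the server but knife cannot find it, is a different failure: with knife[:vault_mode] left at solo, knife looks for the item on disk rather than asking the server, so no unwrapping is ever attempted.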