Data Bag Secret Key Strategy with Chef-Solo Feedback


This is a general post requesting some feedback on my secret key strategy
when using Chef-Solo.


I have some clients using some simple web apps that use 1-2 boxes each.

I keep them all separate and use Chef-Solo to configure and maintain their
Ubuntu servers.

Checked into the git repo for each individual client are encrypted data
bags that store credentials for various external web services these web
apps use.

When a Chef-Solo run happens the encrypted data bag is decrypted and used
in a recipe (or recipes).

In order for Chef to be able to decrypt the data bag, before I start the
Chef run I copy in the secret_key.txt with scp to
/home/ubuntu/.ssh/secret_key.txt.

Once the Chef run completes, or fails for any reason, the secret_key.txt
file is removed.

So in effect the secret key is only ever on the remote machine from just
before until the end of each Chef run.

I wrap these 3 steps in a command line Thor script:

  • Upload secret_key.txt
  • Start chef solo run (knife solo cook)
  • Remove secret_key.txt

This method seems to make sense to me and does work OK.

By using a Thor script to run the 3 steps, even if the Chef run fails the
secret_key.txt is always removed.

This gives me peace of mind knowing that if ever the box was cracked by an
intruder the secret_key.txt file is not there for them to decrypt any
sensitive data.

I’m not using hosted Chef server for these clients; I have used Chef Vault
with Chef server before.

Does all the above make sound sense to you as well?

Any feedback, positive or negative, would be much appreciated.
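The three-step sequence described in the post (upload secret_key.txt, run `knife solo cook`, remove secret_key.txt), written out as an added example rather than the poster's own Thor script. The core class `SecretKeyRun`, the Thor command `SoloCli`, the `StepFailed` error and the injectable `runner` parameter are hypothetical names chosen here; the remote key path is the one named in the post. The point it demonstrates is that the removal sits in an `ensure` block, so it runs on success, on a failed cook, and on an unexpected exception, and that a failed removal is reported rather than silently ignored, since a key left on a compromised box is exactly the case the procedure exists to prevent.

```ruby
require 'shellwords'

# Added example (not the poster's script): upload the data bag secret,
# run chef-solo, and remove the secret in every exit path.
class SecretKeyRun
  # Remote location of the secret named in the post.
  REMOTE_KEY_PATH = '/home/ubuntu/.ssh/secret_key.txt'.freeze

  # Raised when the upload, chmod or cook step returns non-success.
  class StepFailed < StandardError; end

  attr_reader :steps, :key_removed

  # runner: a callable that receives an argv Array and returns true on
  # success. The default shells out; a fake can be injected for testing.
  def initialize(host, local_key: 'secret_key.txt', user: 'ubuntu', runner: nil)
    @host        = host
    @local_key   = local_key
    @user        = user
    @runner      = runner || ->(argv) { system(*argv) }
    @steps       = []      # record of the steps executed, in order
    @key_removed = nil     # result of the cleanup step
  end

  # Returns true when the cook succeeds. The key is removed whether the
  # cook succeeded, raised StepFailed, or raised anything else.
  def call
    upload_key
    cook
    true
  ensure
    remove_key
  end

  private

  def target
    "#{@user}@#{@host}"
  end

  # Run one step; a non-true result aborts the sequence.
  def run!(step, argv)
    @steps << step
    return if @runner.call(argv)
    raise StepFailed, "#{step} failed: #{Shellwords.join(argv)}"
  end

  def upload_key
    run!(:upload, ['scp', '-q', @local_key, "#{target}:#{REMOTE_KEY_PATH}"])
    # Restrict the file to the login user for the time it exists.
    run!(:chmod, ['ssh', target, "chmod 600 #{REMOTE_KEY_PATH}"])
  end

  def cook
    run!(:cook, ['knife', 'solo', 'cook', target])
  end

  # Cleanup step: rm -f so a failed upload does not make cleanup fail,
  # but a removal that itself fails is surfaced to the operator.
  def remove_key
    @steps << :remove
    @key_removed = @runner.call(['ssh', target, "rm -f #{REMOTE_KEY_PATH}"]) ? true : false
    warn "WARNING: could not remove #{REMOTE_KEY_PATH} on #{@host}" unless @key_removed
  end
end

# Optional Thor front end (`thor solo_cli:cook HOST`); skipped when the
# thor gem is not installed so the class above still loads on its own.
begin
  require 'thor'
  class SoloCli < Thor
    desc 'cook HOST', 'Upload secret_key.txt, run knife solo cook, remove the key'
    option :key, default: 'secret_key.txt'
    def cook(host)
      SecretKeyRun.new(host, local_key: options[:key]).call
    rescue SecretKeyRun::StepFailed => e
      warn e.message
      exit 1
    end
  end
rescue LoadError
  nil
end
```

The `runner` injection is what makes the "key is always removed" property checkable without a live host: a fake runner that fails only the `knife solo cook` command should still see the `rm -f` command issued last.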