DataBags

Hi All,

I have a couple of windows recipes to join machines to domains and do some other stuff and I specify the username and password to do this in the registry - do you know if I can add this info into a databag and then put some kind of encrypted string into the recipe for the account details?

Cheers,
Simon.


Disclaimer

This message is intended only for the use of the person(s) (“Intended Recipient”) to whom it is addressed. It may contain information which is privileged and confidential. Accordingly any dissemination, distribution, copying or other use of this message or any of its content by any person other than the Intended Recipient may constitute a breach of civil or criminal law and is strictly prohibited. If you are not the Intended Recipient, please contact the sender as soon as possible.

Totaljobs Group Limited Registered Office: Bluefin Building, 110 Southwark Street, London, SE1 0TA, UK Registered in England and Wales under company no. 4269861


Hi Simon!

Yes, there are two easy ways to do this. The first is to use Encrypted Data Bag Items:
https://docs.chef.io/data_bags.html#encrypt-a-data-bag-item

The difficulty here is that you have to ship around the encrypted data bag secret to every node that you want to be able to consume this. Luckily, knife bootstrap makes it easy to get the secret there. But anyone who can log in as an administrator on those nodes has access to the secret, which may make it not very secret depending on your company.

The second option is to use chef-vault: https://supermarket.chef.io/cookbooks/chef-vault

This allows you to encrypt secrets that can only be decrypted by nodes you give access to, and people you give access to. It’s a little more complex on the setup side, but it’s much less complex on the maintenance side.

Hope that helps!

Nathan Cerny
Team Lead Architect, Operations Infrastructure, Population Health Dev
nathan.cerny@cerner.com
Cerner Corporation | www.cerner.com

On Mar 26, 2015, at 6:54 AM, Simon Hawkins <Simon.Hawkins@totaljobsgroup.com> wrote:

Hi All,

I have a couple of windows recipes to join machines to domains and do some other stuff and I specify the username and password to do this in the registry – do you know if I can add this info into a databag and then put some kind of encrypted string into the recipe for the account details?

Cheers,
Simon.



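The shared-secret trade-off from the reply's first option, as an added sketch that is not part of the original thread and is not Chef's own code: every value except `id` is encrypted under a key derived from one secret, so any holder of that secret can read the whole item. The cipher choice (AES-256-GCM), the SHA-256 key derivation, the field names and the helper names are assumptions of this sketch.

```ruby
require "openssl"
require "base64"
require "json"

# Simplified model of a shared-secret encrypted data bag item.
# Assumption of this sketch: AES-256-GCM, key = SHA-256 of the secret file contents.
CIPHER = "aes-256-gcm"

def new_cipher(mode, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  cipher
end

def encrypt_value(value, secret)
  cipher = new_cipher(:encrypt, secret)
  iv = cipher.random_iv # fresh nonce for every value
  data = cipher.update(JSON.generate({ "v" => value })) + cipher.final
  { "data" => Base64.strict_encode64(data),
    "iv" => Base64.strict_encode64(iv),
    "tag" => Base64.strict_encode64(cipher.auth_tag) }
end

def decrypt_value(field, secret)
  cipher = new_cipher(:decrypt, secret)
  cipher.iv = Base64.strict_decode64(field["iv"])
  cipher.auth_tag = Base64.strict_decode64(field["tag"])
  # final raises OpenSSL::Cipher::CipherError if the key or the data is wrong
  plain = cipher.update(Base64.strict_decode64(field["data"])) + cipher.final
  JSON.parse(plain)["v"]
end

# The "id" stays readable so the item can be looked up; every other value is encrypted.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == "id" ? v : encrypt_value(v, secret)] }
end

def decrypt_item(stored, secret)
  stored.to_h { |k, v| [k, k == "id" ? v : decrypt_value(v, secret)] }
end
```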