Encrypted Data Bags - Multiple Secrets?

Hi

(Using chef zero 12.3.0 on Ubuntu 16.04.)

With encrypted data bags, every data bag item might be encrypted with a different secret. Okay.

The data bag documentation and the source code of encrypted_data_bag_item.rb show only one configuration parameter for the secret:

# If the shared secret is not specified at initialization or load,
# then the contents of the file referred to in
# Chef::Config[:encrypted_data_bag_secret] will be used as the
# secret.  The default path is /etc/chef/encrypted_data_bag_secret

Do you guys actually use multiple secrets on one chef node? If so, how do you actually use it? I mean, how and where do you store the secrets? Something like this?

Chef::Config[:encrypted_data_bag_secret] + ".d/secret-name1"
Chef::Config[:encrypted_data_bag_secret] + ".d/secret-name2"
…
Chef::Config[:encrypted_data_bag_secret] + ".d/secret-nameN"

Cheers,
Alexander
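The per-item secret lookup the post sketches, as an added example that is not part of the original post and not Chef's own code. It assumes the hypothetical layout from the question (one secret file per name under the `.d/` directory next to `Chef::Config[:encrypted_data_bag_secret]`) plus a constructed bag/item-to-secret mapping, and re-implements Chef's Version 1 item layout (aes-256-cbc, key = SHA-256 of the secret, JSON-wrapped value, random IV) with plain OpenSSL so it runs without the chef gem. The in-memory "filesystem" and the sample secrets are constructed for the example.

```ruby
require "openssl"
require "digest"
require "base64"
require "json"

# Added example, not Chef code. Reproduces the Version 1 encrypted data bag
# item layout with stdlib OpenSSL and looks up one secret file per item.
module MultiSecretBag
  # Hypothetical layout from the question: <secret path> + ".d/<secret-name>".
  SECRET_DIR = "/etc/chef/encrypted_data_bag_secret.d".freeze

  # Constructed mapping of [bag, item] => secret file name. In a real setup
  # this would come from a naming convention or node attributes.
  SECRET_FOR_ITEM = {
    %w[passwords mysql]    => "secret-name1",
    %w[passwords rabbitmq] => "secret-name2",
  }.freeze

  # Constructed stand-in for the files under SECRET_DIR so this runs offline.
  FAKE_SECRET_FILES = {
    "#{SECRET_DIR}/secret-name1" => "first-shared-secret\n",
    "#{SECRET_DIR}/secret-name2" => "second-shared-secret\n",
  }.freeze
  FakeFS = Struct.new(:files) do
    def read(path)
      files.fetch(path) { raise Errno::ENOENT, path }
    end
  end

  class WrongSecret < StandardError; end

  # Like Chef's load_secret: read the file, drop the trailing newline that
  # "openssl rand -base64 512 > file" style generation leaves behind.
  def self.load_secret(path, fs = File)
    fs.read(path).strip
  end

  # Chef v1 derives the AES key as SHA-256 of the raw secret.
  def self.key_for(secret)
    Digest::SHA256.digest(secret)
  end

  # Encrypt one field value: JSON-wrap it, aes-256-cbc with a fresh IV.
  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new("aes-256-cbc")
    cipher.encrypt
    cipher.key = key_for(secret)
    iv = cipher.random_iv
    plaintext = JSON.generate({ "json_wrapper" => value })
    ciphertext = cipher.update(plaintext) + cipher.final
    {
      "encrypted_data" => Base64.strict_encode64(ciphertext),
      "iv"             => Base64.strict_encode64(iv),
      "version"        => 1,
      "cipher"         => "aes-256-cbc",
    }
  end

  # Decrypt one field value. v1 carries no MAC, so a wrong secret is only
  # detected indirectly: usually a PKCS#7 padding error, but roughly 1 in 256
  # times the padding is valid by chance and only the JSON parse fails.
  def self.decrypt_value(field, secret)
    raise ArgumentError, "only the v1 layout is handled here" unless field["version"] == 1
    cipher = OpenSSL::Cipher.new(field["cipher"])
    cipher.decrypt
    cipher.key = key_for(secret)
    cipher.iv = Base64.decode64(field["iv"])
    plaintext = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
    parsed = JSON.parse(plaintext)
    raise WrongSecret, "secret does not decrypt this item" unless parsed.is_a?(Hash) && parsed.key?("json_wrapper")
    parsed["json_wrapper"]
  rescue OpenSSL::Cipher::CipherError, JSON::ParserError
    raise WrongSecret, "secret does not decrypt this item"
  end

  # Chef encrypts every field except "id"; do the same here.
  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_value(v, secret) }
  end

  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_value(v, secret) }
  end

  # The part the post asks about: choose the secret for this bag/item, read it
  # from its own file, and decrypt. `fs:` lets the example run without /etc/chef.
  def self.load(bag, name, item, fs: File)
    secret_name = SECRET_FOR_ITEM.fetch([bag, name]) { raise KeyError, "no secret registered for #{bag}/#{name}" }
    secret = load_secret(File.join(SECRET_DIR, secret_name), fs)
    decrypt_item(item, secret)
  end
end

if __FILE__ == $PROGRAM_NAME
  fs = MultiSecretBag::FakeFS.new(MultiSecretBag::FAKE_SECRET_FILES)
  item = MultiSecretBag.encrypt_item({ "id" => "mysql", "password" => "hunter2" }, "first-shared-secret")
  p MultiSecretBag.load("passwords", "mysql", item, fs: fs)
end
```

On a real Chef 12 node the equivalent of `MultiSecretBag.load` is `Chef::EncryptedDataBagItem.load(bag, item, Chef::EncryptedDataBagItem.load_secret(path))`, with `path` chosen per item by your own convention; nothing in `Chef::Config` tracks more than the one default secret file, so the bag-to-secret mapping has to live in the cookbook or in node attributes. Two practical caveats: each extra secret file is another 0600 file to distribute and rotate, and the v1 layout reproduced above has no integrity check (that is why Chef's later v2 layout adds an HMAC and v3 moves to AES-256-GCM), so a wrong or tampered item is caught only by the padding or JSON parse failing.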