Encrypted Data Bags - Multiple Secrets?

Alexander_Skwar · January 23, 2017, 2:04pm

Hi

(Using chef zero 12.3.0 on Ubuntu 16.04.)

With encrypted data bags, every data bag item might be encrypted with a different secret. Okay.

The data bags documentation and also the source code of encrypted_data_bag_item.rb show only one configuration parameter for the secret:

# If the shared secret is not specified at initialization or load,
# then the contents of the file referred to in
# Chef::Config[:encrypted_data_bag_secret] will be used as the
# secret.  The default path is /etc/chef/encrypted_data_bag_secret

Do you guys actually use multiple secrets on one chef node? If so, how do you actually use it? I mean, how and where do you store the secrets? Something like this?

Chef::Config[:encrypted_data_bag_secret] + ".d/secret-name1"
Chef::Config[:encrypted_data_bag_secret] + ".d/secret-name2"
…
Chef::Config[:encrypted_data_bag_secret] + ".d/secret-nameN"

Cheers,
Alexander

Topic		Replies	Views
Using multiple keys to read different encrypted databags on the same node Chef Infra (archive)	0	248	November 2, 2011
Suggested patch to chef to enable passing the data bag secret to a node, bypassing storage on the server Chef Infra (archive)	0	252	November 7, 2011
Data Bag Secret Key Strategy with Chef-Solo Feedback Chef Infra (archive)	0	278	February 13, 2014
Backup secrets when using chef-vault Chef Infra (archive)	0	334	December 6, 2013
Auto copy encrypted_data_bag_secret on the node not working Chef Infra (archive)	1	607	January 29, 2013

Encrypted Data Bags - Multiple Secrets?

Related Topics