Encrypted databag local management


#1

So at my day job, we’re making an effort to pull passwords out of the
source code and CI environment and centralize them into encrypted data bags
which are then translated into config files for the various scripts and
services we use.

I was wondering if there is a local-only workflow for this which does not
involve knife talking to a Chef server. Basically, where knife edit would
provide a decryption piece for the file contents and then encrypt them when
the editor is closed. I’m thinking this because I want to ensure that the
JSON files are the authoritative source being pushed into the Chef server,
not random knife clients talking to Chef, and also so that the users
shouldn’t even need to configure Knife to talk to a Chef server in the
first place.

Any thoughts about how best to handle this kind of scenario? I can
elaborate as needed on any unclear points.


~~ StormeRider ~~

“Every world needs its heroes […] They inspire us to be better than we
are. And they protect from the darkness that’s just around the corner.”

(from Smallville Season 6x1: “Zod”)

On why I hate the phrase “that’s so lame”… http://bit.ly/Ps3uSS


#2

If you are looking to edit/create encrypted data bags locally I would look
at either chef-zero or knife solo. I think there is a local mode of knife
that might work too. Hope that helps. Not sure if that is what you were
looking for.
On Dec 15, 2013 10:24 AM, “Morgan Blackthorne” stormerider@gmail.com
wrote:



#3

I’ve been using this for a while now: https://gist.github.com/tabolario/6512068

Essentially it lets you use a rake task (I called it chef:data_bags:encrypted) to edit encrypted data bags locally so you can commit them to your repo. There are a couple of downsides I’ve found when working with the rest of the team on this. Obviously you still need to remember to run knife data bag from file after you edit one of these, and you also need to be aware of other people working on the same data bag since the files can’t be merged.

On Dec 15, 2013, at 11:23 AM, Morgan Blackthorne stormerider@gmail.com wrote:

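What a local decrypt-edit-re-encrypt cycle like the rake task mentioned above actually does, shown as an added Ruby example that is not part of this thread, of the linked gist, or of Chef itself. It assumes the version 1 encrypted data bag layout (every value except "id" encrypted with AES-256-CBC under a key that is the SHA-256 of the shared secret, a fresh random IV per value, and the value wrapped as {"json_wrapper": ...} before encryption so that non-string types survive the round trip), and it uses only Ruby's standard library, so it runs without the chef gem or a Chef server. The secret and the item contents in the demo are constructed; the module and method names are my own.

```ruby
require "json"
require "openssl"
require "digest"

# Added illustration of the version 1 encrypted data bag format; this is
# not Chef's own code. Assumed layout of each encrypted field:
#   {"encrypted_data": base64(AES-256-CBC(key, iv, '{"json_wrapper": value}')),
#    "iv": base64(iv), "version": 1, "cipher": "aes-256-cbc"}
# with key = SHA-256(shared secret). The "id" field stays in the clear.
module LocalDataBag
  CIPHER  = "aes-256-cbc"
  VERSION = 1

  class DecryptError < StandardError; end

  # The shared secret is normally a file outside the repository; trailing
  # whitespace (the usual newline at end of file) is dropped (assumption).
  def self.load_secret(path)
    File.read(path).strip
  end

  # Derive the 32-byte AES key from the secret.
  def self.key_for(secret)
    Digest::SHA256.digest(secret)
  end

  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = key_for(secret)
    iv = cipher.random_iv                      # fresh IV on every save
    plaintext = { "json_wrapper" => value }.to_json
    ciphertext = cipher.update(plaintext) + cipher.final
    {
      "encrypted_data" => [ciphertext].pack("m"),
      "iv"             => [iv].pack("m"),
      "version"        => VERSION,
      "cipher"         => CIPHER,
    }
  end

  def self.decrypt_value(field, secret)
    unless field.is_a?(Hash) && field["version"] == VERSION && field["cipher"] == CIPHER
      raise DecryptError, "unsupported or malformed encrypted field"
    end
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.decrypt
    cipher.key = key_for(secret)
    cipher.iv  = field.fetch("iv").unpack1("m")
    plaintext  = cipher.update(field.fetch("encrypted_data").unpack1("m")) + cipher.final
    parsed = JSON.parse(plaintext)
    raise DecryptError, "plaintext is not a wrapped value" unless parsed.is_a?(Hash) && parsed.key?("json_wrapper")
    parsed["json_wrapper"]
  rescue OpenSSL::Cipher::CipherError, JSON::ParserError, KeyError, ArgumentError => e
    # A wrong secret shows up as a padding failure or as unparseable output.
    raise DecryptError, "cannot decrypt field: #{e.class}"
  end

  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_value(v, secret) }
  end

  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_value(v, secret) }
  end

  # Local edit cycle: decrypt, hand the plaintext to the caller (an editor
  # or a script), re-encrypt whatever comes back. Returns the new item.
  def self.edit_item(encrypted, secret)
    plain  = decrypt_item(encrypted, secret)
    edited = yield(plain)
    encrypt_item(edited, secret)
  end
end

if __FILE__ == $0
  secret = "constructed-demo-secret"   # constructed; real use reads a secret file
  item   = { "id" => "app_db", "username" => "app", "password" => "s3cret!", "port" => 5432 }
  enc    = LocalDataBag.encrypt_item(item, secret)
  puts JSON.pretty_generate(enc)       # this is what gets committed and uploaded
  puts LocalDataBag.decrypt_item(enc, secret).inspect
end
```

Because each save picks fresh IVs, the ciphertext of an untouched value still changes after every edit, which is exactly why these JSON files cannot be merged in git as the third post notes. Committing the encrypted JSON and uploading it unchanged with knife data bag from file keeps the repository as the authoritative copy, while the shared secret stays outside the repository.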