Hello all. My team seems to have bumped up against an oddity when trying to use
encrypted databags to protect passwords. We have three environment files, which
define the various login credentials among other environment specific settings.
We wanted to remove the passwords from these environment files such that
chef-server no longer has clear text passwords stored on it. However, we
discovered that if we follow the suggestions documented by
http://wiki.opscode.com/display/chef/Encrypted+Data+Bags and use
Chef::EncryptedDataBagItem.load_secret() (in the environment file) our goal is
defeated - upon upload of the environment file (via 'knife environment from
file'), the load_secret is executed at the time the command is run, thereby
downloading, decrypting and then uploading clear text passwords as part of the
environment. We expected the resolution of the load_secret() to be deferred
until the script runs on the client, as would happen if used in a recipe.
Is the above behavior by design or a bug?
Our proposed workaround is going to be to move the load_secret() into the
recipes and base the key to load on something set by each environment.
Has anyone else tried to use encrypted databags in conjunction with
environments? If so, what did you find to be the best way to do this?
Thanks in advance for any advice.
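As an added illustration of the timing problem described above (this is example code, not from the post or from Chef), here is a toy model in which the environment DSL is evaluated at upload time: the eager pattern writes the decrypted password into the payload that would go to chef-server, while the workaround keeps only the item name and leaves decryption to a recipe-side step. The names ToyBag, EnvironmentFile, encrypted_item and recipe_resolve, the sample secret and bag, and the cipher format are assumptions; Chef's real EncryptedDataBagItem format is not reproduced.

```ruby
require 'json'
require 'openssl'
require 'base64'

# Toy stand-in for Chef's EncryptedDataBagItem (assumption: NOT Chef's real wire
# format): AES-256-CBC, key derived from the shared secret with SHA-256.
module ToyBag
  def self.encrypt(secret, plaintext)
    c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    c.key = OpenSSL::Digest::SHA256.digest(secret)
    iv = c.random_iv
    Base64.strict_encode64(iv + c.update(plaintext) + c.final)
  end
  def self.decrypt(secret, blob)
    raw = Base64.strict_decode64(blob)
    c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    c.key = OpenSSL::Digest::SHA256.digest(secret)
    c.iv = raw[0, 16]
    c.update(raw[16..-1]) + c.final
  end
end

# Constructed sample data: the shared secret file's contents and one encrypted item.
SECRET = 'constructed-shared-secret'
BAG = { 'db_password' => ToyBag.encrypt(SECRET, 'hunter2') }

# Minimal model of the environment DSL: `knife environment from file` evaluates the
# Ruby source on the workstation, so every call inside it runs at upload time.
class EnvironmentFile
  attr_reader :attrs
  def initialize; @attrs = {}; end
  def override_attributes(h); @attrs = h; end
  # Stand-ins for Chef::EncryptedDataBagItem.load_secret and .load
  def load_secret(_path); SECRET; end
  def encrypted_item(item, secret); ToyBag.decrypt(secret, BAG.fetch(item)); end
  # Returns the JSON that knife would send to chef-server.
  def self.upload_payload(source)
    env = new
    env.instance_eval(source)
    JSON.generate('override_attributes' => env.attrs)
  end
end

# Pattern from the post: the environment file resolves the password itself.
EAGER = "override_attributes 'db' => { 'password' => " \
        "encrypted_item('db_password', load_secret('/etc/chef/secret')) }"
# Workaround from the post: the environment names the item; a recipe decrypts it.
DEFERRED = "override_attributes 'db' => { 'secret_item' => 'db_password' }"
# What a recipe does on the client, using the client's own copy of the secret file.
def recipe_resolve(payload)
  item = JSON.parse(payload)['override_attributes']['db']['secret_item']
  ToyBag.decrypt(SECRET, BAG.fetch(item))
end
```

Comparing the two payloads shows the difference directly: only the eager one contains the string hunter2, yet the deferred one still lets the client recover it.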