Encrypted Databags and Evironment


#1

Hello all. My team seems to have bumped up against an oddity when trying to use
encrypted databags to protect passwords. We have three environment files, which
define the various login credentials among other environment specific settings.
We wanted to remove the passwords from these environment files such that
chef-server no longer has clear text passwords stored on it. However, we
discovered that if we follow the suggestions documented by
http://wiki.opscode.com/display/chef/Encrypted+Data+Bags and use
Chef::EncryptedDataBagItem.load_secret() (in the environment file) our goal is
defeated - upon upload of the environment file (via ‘knife environment from
file’), the load_secret is executed at the time the command is run, thereby
downloading, decrypting and then uploading clear text passwords as part of the
environment. We expected the resolution of the load_secret() to be deferred
until the script runs on the client, as would happen if used in a recipe.

Is the above behavior by design or a bug?

Our proposed work around is going to be to move the load_secret() into the
recipes and base the key to load on something set by each environment.

Has anyone else tried to use encrypted databags in conjunction with
environments? If so, what did you find to be the best way to do this?

Thanks in advance for any advice.


#2

On Feb 24, 2012, at 12:53 PM, N8 wrote:

Our proposed work around is going to be to move the load_secret() into the
recipes and base the key to load on something set by each environment.

Has anyone else tried to use encrypted databags in conjunction with
environments? If so, what did you find to be the best way to do this?

We do our encrypted data bags exclusively in recipes, as demonstrated in the samples provided by jtimberman in his blog posts.


Brad Knowles bknowles@ihiji.com
SAGE Level IV, Chef Level 0.0.1


#3

I did something similar by making the environment names the top-level keys in the encrypted data bag. Then when you access the values in a recipe, the first key you use is node.chef_environment.

This is the first option described here: http://wiki.opscode.com/display/chef/Environments#Environments-DataBagsandEnvironments

Here’s an example lookup:

mysql_creds = Chef::EncryptedDataBagItem.load(“passwords”, “mysql”)
mysql_creds[node.chef_environment][‘password’]

HTH

Wes

On Feb 24, 2012, at 11:53 AM, N8 wrote:

Hello all. My team seems to have bumped up against an oddity when trying to use
encrypted databags to protect passwords. We have three environment files, which
define the various login credentials among other environment specific settings.
We wanted to remove the passwords from these environment files such that
chef-server no longer has clear text passwords stored on it. However, we
discovered that if we follow the suggestions documented by
http://wiki.opscode.com/display/chef/Encrypted+Data+Bags and use
Chef::EncryptedDataBagItem.load_secret() (in the environment file) our goal is
defeated - upon upload of the environment file (via ‘knife environment from
file’), the load_secret is executed at the time the command is run, thereby
downloading, decrypting and then uploading clear text passwords as part of the
environment. We expected the resolution of the load_secret() to be deferred
until the script runs on the client, as would happen if used in a recipe.

Is the above behavior by design or a bug?

Our proposed work around is going to be to move the load_secret() into the
recipes and base the key to load on something set by each environment.

Has anyone else tried to use encrypted databags in conjunction with
environments? If so, what did you find to be the best way to do this?

Thanks in advance for any advice.