In my current project, I am working on securing passwords required for
Chef automation scripts.
I would like to share my approach and require inputs & suggestions, so
that I can implement this in a better way.
I would like to have a password.json in my Chef deployment cookbooks
that will provide an inventory of all password parameters required by
the dependent cookbooks along with the meta-data required to populate an
encrypted data bag with actual password values.
The password_meta.json file includes only the metadata for the
passwords and not the actual passwords.
The parameter values will be fetched at run time and stored
temporarily in an encrypted data bag so that they may be accessed by the
once the cookbook has been executed/end of chef run, the encrypted data
bag and the SSH key will be deleted.
I would like to know your inputs and suggestions on this approach, or is there any
better approach to secure passwords?
Thanks & Regards,