First step towards Password Management


#1

Hi All,

In my current project, I am working on securing the passwords required for
Chef automation scripts.
I would like to share my approach and require inputs & suggestions, so
that I can implement this in a better way.

I would like to have a password.json in my Chef deployment cookbooks
that will provide an inventory of all password parameters required by
the dependent cookbooks, along with the metadata required to populate an
encrypted data bag with actual password values.
The password_meta.json file includes only the metadata for the
passwords and not the actual passwords.

The parameter values will be fetched at run time and stored
temporarily in an encrypted data bag so that they may be accessed by the
cookbooks.

Once the cookbook has been executed (at the end of the Chef run), the encrypted data
bag and the SSH key will be deleted.

I would like to know your inputs and suggestions on this approach, or is there any
better approach to secure passwords?

Thanks & Regards,
Sachin Gupta