We’re just getting started with Chef Encrypted secrets, and we’ve read as much as we can find about encrypted data bags and Chef Vault. Vault seems much slicker, except for the manual vault refresh/update issue. Key delivery is obviously an issue with the native encrypted data bags piece, but we’ve done a proof-of-concept where that’s delivered via a compile-time remote_file resource task and makes things much easier.
Can anyone give me any more tips on how we should be thinking about this? We don’t want to limit our flexibility for things like autoscaling/automated builds of servers, as those are definitely use cases we’re targeting. We’re primarily Windows as well, and working with a mix of on-prem VMWare, Azure, and AWS resources, if any of those unlock any slick ideas.
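As an added illustration (not code from the original post, and not Chef's own source), here is a stand-alone Ruby reconstruction of what one field of an encrypted data bag item looks like and why possession of the secret file alone is enough to read it; the version-2 layout (AES-256-CBC keyed by SHA-256 of the secret, with an HMAC over the ciphertext) is my assumption about Chef's format.

```ruby
require "openssl"
require "json"

# Stand-alone reconstruction of how a Chef encrypted data bag item protects
# each field. Assumption: Chef's version-2 layout, i.e. AES-256-CBC with
# key = SHA-256(secret) plus an HMAC-SHA256 over the base64 ciphertext.
# Anyone holding `secret` (the encrypted_data_bag_secret file) can read every
# item, which is why delivering that file to the node is the hard part.
module ChefStyleItem
  CIPHER = "aes-256-cbc"

  def self.b64(bytes)
    [bytes].pack("m") # same output as Base64.encode64 (with line breaks)
  end
  def self.unb64(text)
    text.unpack1("m")
  end
  def self.hmac(secret, data)
    OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret, data)
  end

  # Constant-time comparison so a forged HMAC leaks no timing information.
  def self.secure_equal?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Encrypt one field value (any JSON-serialisable object).
  def self.encrypt_field(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    iv = cipher.random_iv
    cipher.key = OpenSSL::Digest::SHA256.digest(secret)
    encrypted = b64(cipher.update({ "json_wrapper" => value }.to_json) + cipher.final)
    { "encrypted_data" => encrypted, "iv" => b64(iv), "version" => 2,
      "cipher" => CIPHER, "hmac" => b64(hmac(secret, encrypted)) }
  end

  # Decrypt one field, rejecting tampering or a wrong secret before decrypting.
  def self.decrypt_field(field, secret)
    unless secure_equal?(hmac(secret, field["encrypted_data"]), unb64(field["hmac"]))
      raise "HMAC mismatch: item modified or wrong secret"
    end
    cipher = OpenSSL::Cipher.new(field["cipher"])
    cipher.decrypt
    cipher.key = OpenSSL::Digest::SHA256.digest(secret)
    cipher.iv = unb64(field["iv"])
    JSON.parse(cipher.update(unb64(field["encrypted_data"])) + cipher.final)["json_wrapper"]
  end
end
```

In Chef's format the item is then just ordinary JSON made of these per-field hashes (with "id" left in the clear), so whatever mechanism delivers the secret file to the node, whether a compile-time remote_file or something else, is the real access-control boundary.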