Getting started with Encrypted Secrets


#1

We’re just getting started with Chef Encrypted secrets, and we’ve read as much as we can find about encrypted data bags and Chef Vault. Vault seems much slicker, except for the manual vault refresh/update issue. Key delivery is obviously an issue with the native encrypted data bags piece, but we’ve done a proof-of-concept where that’s delivered via a compile-time remote_file resource task and makes things much easier.

Can anyone give me any more tips on how we should be thinking about this? We don’t want to limit our flexibility for things like autoscaling/automated builds of servers, as those are definitely use cases we’re targeting. We’re primary Windows as well, and working with a mix of on-prem VMWare, Azure, and AWS resources, if any of those unlock any slick ideas.

Thanks.
-Ray


#2

Go watch https://coderanger.net/talks/secrets/, that will get you mostly up to speed.

tl;dw Use Hashicorp Vault and work out your own Secure Introduction mechanism because there is no good solution there outside of AWS.


#3

And by AWS you mean something like a combo of S3, IAM roles, and EC2 instance profiles?


#4

HashiVault supports using the Instance Identity Document for authentication to get your initial token (i.e. SI) using IAM roles and a few other bits behind the scenes. For other cloud systems or rolling-your-own there is no specific identity crosslinking that I know of. I cover the general problem of SI at the end of the talk.


#5

I’m watching right now. Thanks for the feedback! Might have some questions afterwards. :smiley:


#6

I’ll dig into HashVault a little further. Wasn’t aware of this at this point.

Perhaps a n00b question - If I’m using a Chef recipe to deliver a symmatric key (talking just Encrypted data bags at this point), and my Chef client and Server already have an established public/private key relationship ensuring trust and authentication, wouldn’t that be ok in terms of Secure Introduction (SI)?


#7

Maybe? You used a lot of crypto words in a way that doesn’t make much sense. You could, in theory, build a key distribution system with an API that uses Chef’s authentication protocol. This has two problems though, first that you need to manage Chef client key pairs (but okay, most of us have accepted that knife bootstrap is fine for that). Second, no such service exists currently :slight_smile: I’ve got a post up over at my blog about making HashiVault work like that but that is also firmly vaporware so far.


#8

Haha.

I’ve got my symmetric key that I used to encrypt my data bag secret (an application password). I build a recipe that delivers that key to my target machines and stores it in a location protected by OS permissions, which can then be used to decrypt my encrypted data bag content.

Assuming we trust Chef’s client key pairs, and the authentication that provides, wouldn’t that be sufficient in terms of SI?


#9

@rayterrill, I have just recently done this for some of the cookbooks I am using.

Basically i have setup a Hashicorp Vault and using that to store the secrets in it.

All of the underlying cookbooks are using node.run_state which allows me to pass the password to the underlying cookbooks.

I then have a wrapper cookbook that handles the reading of hashicorp vault and sets the run_state. There is a ruby gem that i am using ‘vault’ which makes this easy.

With the use of run_state means i can swap the Hashicorp vault out if I find a problem and use any encryption.