How Secure is an encrypted data bag, really?


#1

If an attacker gains access to the chef server, can they not alter cookbook code that chef clients eventually run to obtain the data bag decryption keys this way? Is there any protection against this? If not, are there still scenarios where the encryption does add value?


#2

Mostly your chef repo will not contain private info if you use encrypted data bags wisely. This allows you to share it with everyone with little concern they are going to get sensitive information.

Joshua


Joshua Miller

On Thursday, October 3, 2013 at 10:23 PM, Bryan Taylor wrote:



#3

The question is really about encrypted vs regular data bags. I’m trying to find a scenario where someone can view an unencrypted data bag without being able to change cookbook contents. Unless there are such scenarios, I don’t see any benefit to encrypting the data in a data bag.

From: Joshua Miller <jassinpain@gmail.com>
Date: Friday, October 4, 2013 12:25 AM
To: Bryan Taylor <btaylor@rackspace.com>
Cc: "chef-dev@lists.opscode.com Dev" <chef-dev@lists.opscode.com>
Subject: Re: [chef-dev] How Secure is an encrypted data bag, really?



#4

Most of our dev team has full read access to our Chef repo so they can see how things work; only a few have access to the chef server production ORG on the private server. This allows them to see all of the chef repo with roles, cookbooks, and data bags and submit pull requests without exposing our data to them. Now if you don’t keep data bags in your chef repo or you break it out, then yes, it may be of limited use. Although if you’re using hosted or private chef you could use the ACL and allow people to read the current info on the chef server but not be able to edit them. This would mean encrypted data bags would be very useful to keep things like license keys locked down as they would not be able to see the contents of that data.


Joshua SS Miller

On Thursday, October 3, 2013 at 11:26 PM, Bryan Taylor wrote:



#5

The specific protection you get from encrypted data bags is just this: if the database of the server is disclosed, they can’t get the encrypted info. This is a very specific, but useful, bit of cryptographic safety, but that’s basically all you get (you can go a bit further if you want to check them into source control and apply the same logic to your SCM). As you noted, an actively hostile Chef server is a 100% game over scenario because it is shipping executable code to be run as root (usually) on your servers. If you want some different security assurances, you could check out chef-vault, though it still can’t protect against a hostile Chef server.

–Noah

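Added example (not from this thread and not code from the Chef project) to make Noah's "database disclosed" guarantee concrete. It is a small Ruby re-implementation of what I understand the version-2 encrypted data bag item layout to be from reading Chef::EncryptedDataBagItem: AES-256-CBC with the cipher key derived as SHA-256 of the shared secret, and an HMAC-SHA256 over the base64 ciphertext keyed with the raw secret (encrypt-then-MAC). The layout is reconstructed from memory and the base64 here carries no line breaks, so byte-compatibility with items knife produces is an assumption, not a promise; the module name, the `EncryptedBagDemo` helpers, the secret string and the sample item are all constructed for the demo.

```ruby
require "openssl"
require "json"

# Assumption: this mirrors Chef's "version 2" encrypted data bag item layout
# (aes-256-cbc, key = SHA-256(secret), hmac = HMAC-SHA256(secret, base64
# ciphertext)). It is a stand-alone re-implementation, not the chef gem.
module EncryptedBagDemo
  CIPHER  = "aes-256-cbc"
  VERSION = 2

  # Encrypt one field value. The returned hash is all the Chef server ever
  # stores for that field: ciphertext, IV, HMAC and metadata, no plaintext.
  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = OpenSSL::Digest::SHA256.digest(secret)   # key = SHA-256(secret)
    iv = cipher.random_iv                                  # fresh IV per field
    wrapped = JSON.generate("json_wrapper" => value)      # Chef wraps the value so any JSON type round-trips
    ciphertext = cipher.update(wrapped) + cipher.final
    encrypted_b64 = [ciphertext].pack("m0")
    hmac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret, encrypted_b64)
    {
      "encrypted_data" => encrypted_b64,
      "iv"             => [iv].pack("m0"),
      "hmac"           => [hmac].pack("m0"),
      "version"        => VERSION,
      "cipher"         => CIPHER,
    }
  end

  # Decrypt one field. The HMAC is checked before any decryption, so a
  # modified ciphertext or a wrong secret is rejected up front.
  def self.decrypt_value(field, secret)
    raise ArgumentError, "unsupported version #{field['version']}" unless field["version"] == VERSION
    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret, field["encrypted_data"])
    raise "HMAC mismatch: item modified or wrong secret" unless secure_equal?(expected, field["hmac"].unpack1("m0"))
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = OpenSSL::Digest::SHA256.digest(secret)
    cipher.iv  = field["iv"].unpack1("m0")
    plain = cipher.update(field["encrypted_data"].unpack1("m0")) + cipher.final
    JSON.parse(plain)["json_wrapper"]
  end

  # Encrypt every field except "id": the id is the lookup key and stays in
  # the clear, as it does in Chef.
  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_value(v, secret) }
  end

  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_value(v, secret) }
  end

  # Does the serialized item (what a database dump or a git commit would
  # contain) expose the given plaintext anywhere?
  def self.leaks?(encrypted_item, plaintext)
    JSON.generate(encrypted_item).include?(plaintext)
  end

  # Constant-time byte comparison so the HMAC check does not leak by timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values; in practice the secret is the file each client
  # reads from /etc/chef/encrypted_data_bag_secret.
  secret = "constructed-demo-secret"
  item   = { "id" => "db_prod", "password" => "hunter2", "port" => 5432 }
  stored = EncryptedBagDemo.encrypt_item(item, secret)
  puts JSON.pretty_generate(stored)                      # the server-side view
  puts EncryptedBagDemo.leaks?(stored, "hunter2")        # false
  p EncryptedBagDemo.decrypt_item(stored, secret)        # original item
end
```

Dumping `stored` is the whole of the guarantee: a leaked database, or a chef-repo checkout with the same JSON committed, yields only ciphertext, IV and HMAC, and the HMAC additionally catches someone editing the stored blob. What it cannot cover is the secret itself, which sits on every client that needs the item; a server able to push arbitrary recipe code to those clients can simply read it, which is exactly the scenario the thread rules out of scope.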


#6

Ok, good. I do see the DB as very valuable to remove from the risk profile, both from the DBAs and from unauthorized users connecting with stolen credentials. I can do intrusion detection, 2-factor auth, and file integrity checks on the chef server to protect it.


On Oct 4, 2013, at 3:55 AM, “Noah Kantrowitz” noah@coderanger.net wrote:



#7

If your chef server is compromised, you’re hosed. They could potentially gain access to any databags, as well as being able to run arbitrary code on any node that has converged since the server was compromised. Depending on what nodes are being managed on your network, this could lead to a complete compromise of your environment.

As far as I know there is no protection against this. The server is, by definition, the authoritative source of cookbooks, databags, etc. If your chef server is compromised, you’re hosed.

You may be able to mitigate this risk somewhat by keeping another “reference” copy of things elsewhere and having a script that repeatedly compares what is on the chef server against that reference.

Best bet is all of the stuff you should be doing with any sensitive asset: restricting physical and network access, rotating strong passwords, network compartmentalization, regular audits, log monitoring, etc, etc.

-Pete

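Added example (not from the thread) of the check Pete describes and the file integrity checks Bryan mentions: a Ruby script that fingerprints a trusted reference tree (for instance your own git checkout of the chef-repo) and compares it with a tree pulled back from the server (for instance `knife download cookbooks data_bags` into a scratch directory; using knife that way and the directory layout are assumptions of mine). The `ChefDriftCheck` module and the sample trees, which the main block builds in a temporary directory so the script runs offline, are constructed for this example.

```ruby
require "digest"
require "find"
require "json"
require "tmpdir"
require "fileutils"

# Assumption: both trees use the chef-repo layout (cookbooks/, data_bags/,
# roles/ ...), the reference tree being one the Chef server cannot write to.
module ChefDriftCheck
  # {relative_path => sha256 hex} for every regular file under root.
  def self.manifest(root)
    root = File.expand_path(root)
    out = {}
    Find.find(root) do |path|
      next unless File.file?(path)
      out[path.delete_prefix("#{root}/")] = Digest::SHA256.file(path).hexdigest
    end
    out
  end

  # Pin a reference manifest to disk and read it back, so the comparison can
  # run from a host that never holds the full repo.
  def self.save(manifest, file)
    File.write(file, JSON.pretty_generate(manifest))
  end

  def self.load(file)
    JSON.parse(File.read(file))
  end

  # Compare reference against what the server currently serves. Any
  # non-empty list is drift that nobody committed through the normal path.
  def self.diff(reference, observed)
    common = reference.keys & observed.keys
    {
      "added"    => (observed.keys - reference.keys).sort,
      "removed"  => (reference.keys - observed.keys).sort,
      "modified" => common.select { |k| reference[k] != observed[k] }.sort,
    }
  end

  def self.clean?(d)
    d.values.all?(&:empty?)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    ref = File.join(tmp, "reference")     # constructed: your git checkout
    obs = File.join(tmp, "from_server")   # constructed: what knife pulled down
    [ref, obs].each do |d|
      FileUtils.mkdir_p(File.join(d, "cookbooks/app/recipes"))
      FileUtils.mkdir_p(File.join(d, "data_bags/secrets"))
      File.write(File.join(d, "cookbooks/app/recipes/default.rb"), "package 'nginx'\n")
      File.write(File.join(d, "data_bags/secrets/db_prod.json"), "{\"id\":\"db_prod\"}\n")
    end
    # The server copy has an extra line in the recipe that nobody committed.
    File.write(File.join(obs, "cookbooks/app/recipes/default.rb"),
               "package 'nginx'\nlog 'injected line' # not in the reference\n")
    pin = File.join(tmp, "reference.json")
    ChefDriftCheck.save(ChefDriftCheck.manifest(ref), pin)
    result = ChefDriftCheck.diff(ChefDriftCheck.load(pin), ChefDriftCheck.manifest(obs))
    puts JSON.pretty_generate(result)
    puts(ChefDriftCheck.clean?(result) ? "no drift" : "DRIFT DETECTED")
  end
end
```

Run it on a schedule from a box that is not managed by the Chef server being checked, and treat the reference manifest like any other integrity baseline: it only helps while the attacker cannot rewrite it along with the cookbooks.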