Migrating Chef Solo Secrets Policy to Chef Server


I’d like to share some thoughts on my Chef Solo secrets policy and would
appreciate any feedback.

I’m planning to migrate a 7-server Chef Solo configuration management
process to Chef Server (hosted at chef).

For each of the 7 servers on this project this is what I do:

  1. Upload via scp chef_secret_key.txt to ~/.ssh/chef_secret_key.txt

  2. knife solo cook --forward-agent --no-chef-check --no-berkshelf

  3. remove chef_secret_key.txt via ssh

When Chef client runs on a server the recipes decrypt data bags using the
password from ~/.ssh/chef_secret_key.txt

At the end of the run the password file is removed.

Those 3 steps I have wrapped in a custom Thor script; in practice I just
issue a command like

./devops.rb cook --user ubuntu --hostname web01.prd.nyc.example.com

So that all works fine.

Each Chef Solo run, though, needs to upload about 8MB. So that’s 7 x 8MB for
every run.

This has worked fine but it’s a little slow as I’m on an island in Sth.
East Asia - tropical life :slight_smile:

Migrating to Chef Server I’d like to not have to refactor too much.

I think my only real option is to bootstrap the servers with
~/.ssh/chef_secret_key.txt and leave it there all the time.

It would mean if the server ever gets owned by an intruder they’d be able
to decrypt the chef data bags.

I think that’s going to be part of the trade-off from Chef Solo to Chef.

Any thoughts or feedback would be much appreciated.
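The three-step cook flow described in the post, as an added Ruby example (not the author's Thor script): the secret is removed inside an `ensure` block so that a `knife solo cook` that fails part-way does not leave the key sitting on the node. The `runner` keyword is a hypothetical hook that exists only so the flow can be exercised without a real ssh session; by default the commands actually run.

```ruby
# Added example: one node's cook cycle, mirroring the post's three steps.
# The removal step runs in `ensure`, so the key is cleaned up even when
# the cook step fails or raises. Not the post's own Thor script.
KEY_LOCAL  = "chef_secret_key.txt"
KEY_REMOTE = "~/.ssh/chef_secret_key.txt"

# Build the three commands for a node as argv arrays (no shell quoting issues).
def cook_commands(user, hostname)
  target = "#{user}@#{hostname}"
  {
    upload: ["scp", KEY_LOCAL, "#{target}:#{KEY_REMOTE}"],
    cook:   ["knife", "solo", "cook", "--forward-agent",
             "--no-chef-check", "--no-berkshelf", target],
    # The remote login shell expands ~ in the quoted command string.
    remove: ["ssh", target, "rm -f #{KEY_REMOTE}"],
  }
end

# Run the cycle. `runner` receives each argv array and returns true on success
# (default: Kernel#system). Returns the list of steps that were executed.
def cook(user, hostname, runner: ->(argv) { system(*argv) })
  cmds = cook_commands(user, hostname)
  done = []
  raise "upload failed" unless runner.call(cmds[:upload])
  done << :upload
  begin
    raise "cook failed" unless runner.call(cmds[:cook])
    done << :cook
  ensure
    # Always remove the secret from the node, even if the cook step blew up.
    runner.call(cmds[:remove])
    done << :remove
  end
  done
end

# Usage: ruby cook.rb ubuntu web01.prd.nyc.example.com
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  p cook(ARGV[0], ARGV[1])
end
```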