Suggested patch to chef to enable passing the data bag secret to a node, bypassing storage on the server


These patches are all reversed (sorry, I'm just patching gems right now, I
haven't fixed anything in git). I'm sending it this way because, well, for
the moment this mailing list is my revision control.


Using encrypted data bags is nice, but if we want fully automated
installation then there needs to be a way to get encrypted keys from a
server which may not be trusted (e.g. hosted chef) to a client. Encrypted
data bags make this possible, but this only works if the client can decrypt
the values that it needs.

This allows the knife config file on the client to contain a new variable:
"data_bag_keyfile". If this is defined, then it will be read and used in the
same way as "validation_key". Its pathname will be expanded, and when this
config is referenced it will write out the contents of the
data_bag_keyfile. Example usage (in this case, in ubuntu10.04-basic.erb):

The below relies on the config parameter "data_bag_keyfile" existing in
knife config. This allows secrets to be stored on a less trusted server.

echo -e "$(date) \n\n**** \n**** Knifing in the chef data bag secret\n"
(
cat <<'EOP'
<%= data_bag_keyfile %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 600 /etc/chef/encrypted_data_bag_secret

As-is, this patch will probably break when knifing a server if the path
referred to isn’t present. Since this is a new config this is not ideal,
but it’s a proof of concept and working for me at the moment.
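As an added example (not the author's patch and not chef's own code), the following shows the data_bag_keyfile mechanism described above end to end: the option is read from the knife config the way validation_key is (path expanded, file contents returned), a template fragment emits it into the bootstrap script only when it is configured, and the "path isn't present" case from the paragraph above fails with a clear error instead of breaking the whole bootstrap. SecretBootstrapContext, awk_nf and demo are hypothetical names, the config Hash stands in for knife.rb, and the secret file it writes is a constructed sample.

```ruby
require 'erb'
require 'tmpdir'

# Added example, not chef's code. SecretBootstrapContext is a hypothetical
# stand-in for the part of knife's bootstrap context that the proposed
# data_bag_keyfile option touches; @config stands in for knife.rb settings.
class SecretBootstrapContext
  def initialize(config)
    @config = config
  end

  # Reads the secret the same way validation_key is read: expand the path,
  # then return the file contents. Returns nil when the option is unset so
  # the template can skip the whole block, and raises a clear error when the
  # path is set but missing (the failure mode the post mentions) instead of
  # letting ERB fail on Errno::ENOENT part way through rendering.
  def data_bag_keyfile
    path = @config[:data_bag_keyfile]
    return nil if path.nil? || path.to_s.strip.empty?
    path = File.expand_path(path)
    unless File.file?(path)
      raise ArgumentError, "data_bag_keyfile is set but #{path} does not exist"
    end
    File.read(path)
  end

  # Fragment of a bootstrap template: ERB is rendered on the workstation and
  # the result runs as shell on the node. The secret block is emitted only
  # when configured, so bootstrapping without a keyfile keeps working.
  TEMPLATE = <<'ERB'
<% if data_bag_keyfile -%>
mkdir -p /etc/chef
(
cat <<'EOP'
<%= data_bag_keyfile %>
EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 600 /etc/chef/encrypted_data_bag_secret
<% end -%>
ERB

  def render
    ERB.new(TEMPLATE, trim_mode: '-').result(binding)
  end
end

# What `awk NF` does on the node: drop lines with no fields (blank lines the
# heredoc leaves behind) so the secret file holds only the key material.
def awk_nf(text)
  text.lines.select { |l| l.strip != '' }.join
end

# Runs the whole flow on a constructed secret in a temp dir and returns the
# interesting results so they can be inspected or asserted on.
def demo
  Dir.mktmpdir do |dir|
    keyfile = File.join(dir, 'encrypted_data_bag_secret')
    File.write(keyfile, "constructed-secret-for-demo\n\n") # constructed sample

    with_secret = SecretBootstrapContext.new(data_bag_keyfile: keyfile).render
    without     = SecretBootstrapContext.new({}).render
    missing_error =
      begin
        SecretBootstrapContext.new(data_bag_keyfile: File.join(dir, 'nope')).render
        nil
      rescue ArgumentError => e
        e.message
      end

    # What the node would end up with in /etc/chef/encrypted_data_bag_secret:
    # the heredoc body, passed through the awk NF equivalent.
    heredoc = with_secret[/cat <<'EOP'\n(.*?)\nEOP\n/m, 1].to_s
    {
      with_secret: with_secret,
      without: without,
      missing_error: missing_error,
      node_file: awk_nf(heredoc),
    }
  end
end

if __FILE__ == $0
  r = demo
  puts r[:with_secret]
  puts "secret file on node would contain: #{r[:node_file].inspect}"
  puts "error when keyfile missing: #{r[:missing_error]}"
end
```

The nil-or-raise split is the point: an unset option renders nothing (so existing bootstrap templates are unaffected), while a set option pointing at a missing file stops the bootstrap before anything is written, rather than silently installing an empty secret on the node.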

2011-11-07 15:09:55.000000000 -0500
2011-09-27 18:13:42.000000000 -0400
@@ -50,10 +50,6 @@[:validation_key])

  •    def data_bag_keyfile
  •    end
  •    def config_content
         client_rb = <<-CONFIG

log_level :info
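Review bot: the body of the new data_bag_keyfile reader is not visible in this hunk (only `def data_bag_keyfile` / `end` and the `[:validation_key])` fragment in the hunk header survive), and the cover text says bootstrapping breaks when the configured path is not present. If the reader mirrors validation_key as `IO.read(@config[:data_bag_keyfile])`, an unset option raises TypeError and a missing file raises Errno::ENOENT in the middle of template rendering. Suggest returning nil when the option is unset and raising a clear error when the file is absent, with the template guarded by `<% if data_bag_keyfile %>` so existing bootstrap templates keep working. The hunk header itself (`@@ -50,10 +50,6 @@[:validation_key])`) and the missing file header above it suggest the diff was mangled in transit; please regenerate with `diff -u` in the forward direction so it applies without `-R`.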


— /Users/pn/gems/gems/chef-0.10.4/lib/chef/config.rb 2011-11-07
16:17:46.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4/lib/chef/config.rb~ 2011-09-27
18:13:42.000000000 -0400
@@ -203,7 +203,6 @@
client_key "/etc/chef/client.pem"
validation_key "/etc/chef/validation.pem"
validation_client_name “chef-validator”

  • data_bag_keyfile "/etc/chef/encrypted_data_bag_secret"
    web_ui_client_name "chef-webui"
    web_ui_key "/etc/chef/webui.pem"
    web_ui_admin_user_name “admin”
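Review bot: defaulting `data_bag_keyfile "/etc/chef/encrypted_data_bag_secret"` in Chef::Config means the option is never nil, so the bootstrap context cannot distinguish "not configured" from "configured", and any workstation without that file will hit the breakage the cover text describes on every knife bootstrap. Suggest `data_bag_keyfile nil` here and letting users who want the secret pushed set the path explicitly in knife.rb; the node-side destination is already hard-coded in the template, so the two sides need not share a default. Note also that this value is read on the workstation, not the node, so an /etc/chef path is an odd default for a knife option.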

and (reversed)

— /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/configure.rb
2011-11-07 17:26:25.000000000 -0500
+++ /Users/pn/gems/gems/chef-0.10.4//lib/chef/knife/configure.rb~
2011-09-27 18:13:42.000000000 -0400
@@ -23,7 +23,6 @@
class Configure < Knife
attr_reader :chef_server, :new_client_name, :admin_client_name,
attr_reader :chef_repo, :new_client_key, :validation_client_name,

  •  attr_reader :data_bag_keyfile
     deps do
       require 'ohai'
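Review bot: adding `attr_reader :data_bag_keyfile` to Knife::Configure only exposes a value that nothing in this hunk assigns. `knife configure` collects the other settings interactively and writes them into the generated knife.rb, so without a corresponding prompt and a `data_bag_keyfile` line in the knife.rb it writes, the reader returns nil and the new option never reaches the generated config. Either add both in the same patch or drop this hunk and document that data_bag_keyfile is added to knife.rb by hand.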