Where do you prefer to store the secret-key? Here are my problems on where to
store the key.
Storing it in chef seems kind of ridiculous because you seem to lose the
point of security. Having the key kept on the same box as your encrypted data
defeats the purpose unless I am missing something. If you do store it in Chef
where do you put it in a data bag.
Storing it as a file on the chef client means you would need to have a
snapshot of that instance when you go to deploy a new server instance.
Keeping it as an attribute in your cookbook seems like it might be the
best choice. Even though the key is now stored as plain text in your cookbook
and also in your Chef server.
Advance thanks for helping me in trying to determine where I need to keep my
key.
Where do you prefer to store the secret-key? Here are my problems on where to
store the key.
Storing it in chef seems kind of ridiculous because you seem to lose the
point of security. Having the key kept on the same box as your encrypted data
defeats the purpose unless I am missing something. If you do store it in Chef
where do you put it in a data bag.
Storing it as a file on the chef client means you would need to have a
snapshot of that instance when you go to deploy a new server instance.
Keeping it as an attribute in your cookbook seems like it might be the
best choice. Even though the key is now stored as plain text in your cookbook
and also in your Chef server.
Advance thanks for helping me in trying to determine where I need to keep my
key.
If you are using encrypted data bags to any actual effect, the key must be managed out of band from Chef itself. The simplest option is to use knife bootstrap to distribute the key directly from your workstation, though this makes key rotation difficult. Otherwise you get effectively no benefit (aside from possibly encrypting data in git). Check out Secrets Management and Chef – Noah Kantrowitz for a summary of your options.