Where to keep the secret-file or secret text for data bags


#1

Where do you prefer to store the secret-key? Here are my problems on where to
store the key.

  1. Storing it in Chef seems kind of ridiculous because you seem to lose the
    point of security. Having the key kept on the same box as your encrypted data
    defeats the purpose unless I am missing something. If you do store it in Chef,
    where do you put it in a data bag?

  2. Storing it as a file on the chef client means you would need to have a
    snapshot of that instance when you go to deploy a new server instance.

  3. Keeping it as an attribute in your cookbook seems like it might be the
    best choice, even though the key is then stored as plain text in your cookbook
    and also on your Chef server.

Thanks in advance for helping me determine where I need to keep my key.


#2

On Oct 14, 2014, at 7:38 AM, Adam adam.barrand@gmail.com wrote:

Where do you prefer to store the secret-key? Here are my problems on where to
store the key.

  1. Storing it in Chef seems kind of ridiculous because you seem to lose the
    point of security. Having the key kept on the same box as your encrypted data
    defeats the purpose unless I am missing something. If you do store it in Chef,
    where do you put it in a data bag?

  2. Storing it as a file on the chef client means you would need to have a
    snapshot of that instance when you go to deploy a new server instance.

  3. Keeping it as an attribute in your cookbook seems like it might be the
    best choice, even though the key is then stored as plain text in your cookbook
    and also on your Chef server.

Thanks in advance for helping me determine where I need to keep my key.

If you are using encrypted data bags to any actual effect, the key must be managed out of band from Chef itself. The simplest option is to use knife bootstrap to distribute the key directly from your workstation, though this makes key rotation difficult. Otherwise you get effectively no benefit (aside from possibly encrypting data in git). Check out https://coderanger.net/chef-secrets/ for a summary of your options.

–Noah
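As an added illustration of Noah's point (example code added here, not from the thread and not Chef's own implementation), the Ruby sketch below shows the trust model behind encrypted data bags: the shared secret exists only on the workstation and on each node, at the path that `knife bootstrap --secret-file` copies it to, while the Chef server ever only holds ciphertext. The field layout is modelled on Chef's version-1 encrypted data bag format (AES-256-CBC, key derived as SHA-256 of the secret file contents, value wrapped in `json_wrapper`); that layout, the `mysql` item and its fields are assumptions for the example. A node that was never bootstrapped with the secret, or holds a different one, gets nothing usable back.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'
require 'tmpdir'

# Default path the chef-client reads the shared secret from; `knife bootstrap
# --secret-file` writes the workstation's copy of the secret to this path.
DEFAULT_SECRET_PATH = '/etc/chef/encrypted_data_bag_secret'.freeze

# Workstation side: generate the shared secret once and keep it out of git and
# off the Chef server. Equivalent of `openssl rand -base64 512 | tr -d '\r\n'`.
def generate_secret
  Base64.strict_encode64(OpenSSL::Random.random_bytes(512))
end

# Node side: read the secret file, failing loudly if the node never received it.
def load_secret(path = DEFAULT_SECRET_PATH)
  raise "no data bag secret at #{path}: node was not bootstrapped with --secret-file" unless File.exist?(path)
  File.read(path).strip
end

# AES key derivation as assumed for Chef's version-1 format: SHA-256 of the raw secret.
def derive_key(secret)
  Digest::SHA256.digest(secret)
end

# Encrypt one field. Wrapping the value as {"json_wrapper": v} lets any JSON type round-trip.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv # fresh IV per field, stored next to the ciphertext
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.strict_encode64(data),
    'iv' => Base64.strict_encode64(iv),
    'version' => 1,
    'cipher' => 'aes-256-cbc' }
end

def decrypt_field(field, secret)
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain).fetch('json_wrapper')
end

# Every field except 'id' is encrypted; this hash is what gets uploaded to the server.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : encrypt_field(v, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : decrypt_field(v, secret)
  end
end

# True only if this secret decrypts the item: a wrong secret either fails the CBC
# padding check or yields bytes that are not the expected JSON wrapper.
def decryptable?(item, secret)
  decrypt_item(item, secret)
  true
rescue StandardError
  false
end

if __FILE__ == $PROGRAM_NAME
  secret = generate_secret
  # Constructed sample item; the bag/item name and password are made up for the example.
  item = { 'id' => 'mysql', 'root_password' => 'constructed-example-pw' }
  uploaded = encrypt_item(item, secret)
  puts JSON.pretty_generate(uploaded)          # what the Chef server stores: ciphertext only
  puts decrypt_item(uploaded, secret).inspect  # what a node holding the secret recovers
  puts decryptable?(uploaded, generate_secret) # a node with the wrong secret recovers nothing
end
```

In the real workflow the same secret file is passed to `knife data bag create BAG ITEM --secret-file FILE` on the workstation and to `knife bootstrap HOST --secret-file FILE` when a node is built; the server never sees the file. Rotation is the hard part Noah mentions, because every item has to be re-encrypted and every node's secret file replaced in one coordinated step.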