$ knife data bag show api_keys payment \
--secret-file encrypted_data_bag_secret
api_key: 592c879e-f37d-43e6-8b54-8c2d97cf04d4
id: payment_system
There is one problem with using encrypted data bags for which Chef Software does not provide a built-in solution. How does a node get the secret key? In order for the node to decrypt the secret, it must have a copy of the shared key. Unfortunately, there is no central place to access encrypted keys, as storing encryption keys on the same system where the data resides violates all the core principles of computer security. So when you use encrypted data bags, you must find a solution to the key distribution problem.
Luckily there is a solution to this key distribution issue, which we'll cover in the next section. It's called chef-vault, and it is included with the Chef Development Kit.
chef-vault
Kevin Moser came up with the idea for chef-vault in 2013 while working at Nordstrom. Kevin devised a clever solution to the key distribution issue for encrypted data bags by reusing the public/private key pairs Chef already uses for nodes to implement a key encapsulation scheme. When the data bag item is created, a shared key is generated on the node. Then, for each node that needs access to it, the shared key is encrypted with the node's public key, creating an encrypted version of the shared key in an encapsulated payload. This encrypted version of the key is stored on Chef Server.
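The key encapsulation scheme described above, as an added illustration in Ruby (it is not the chef-vault gem's own code, and the node names, the sample item and the AES-256-CBC/RSA-OAEP choices are assumptions made for this example): the item is encrypted under a random shared key, the shared key is wrapped once per authorised node with that node's RSA public key, and only a node holding the matching private key can unwrap it. Nodes without a wrapped copy get nothing, which is the property the server-side storage of wrapped keys relies on.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Illustrative key-encapsulation scheme in the spirit of chef-vault (not the
# chef-vault gem's own code): a random shared key encrypts the data bag item
# with AES-256-CBC, and that shared key is wrapped once per authorised node
# with the node's RSA public key (OAEP padding). The server would store only
# the payload below; the plaintext shared key is never written anywhere.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

def wrap_item_for_nodes(item, node_public_keys)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  shared_key = cipher.random_key            # fresh per item
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(item)) + cipher.final

  # One wrapped copy of the shared key per node, keyed by node name.
  wrapped = node_public_keys.map do |name, pub|
    [name, Base64.strict_encode64(pub.public_encrypt(shared_key, OAEP))]
  end.to_h

  {
    'iv'   => Base64.strict_encode64(iv),
    'data' => Base64.strict_encode64(ciphertext),
    'keys' => wrapped,
  }
end

def unwrap_item(payload, node_name, node_private_key)
  wrapped = payload['keys'][node_name]
  raise "node #{node_name} is not authorised for this item" if wrapped.nil?

  shared_key = node_private_key.private_decrypt(Base64.strict_decode64(wrapped), OAEP)
  decipher = OpenSSL::Cipher.new('aes-256-cbc')
  decipher.decrypt
  decipher.key = shared_key
  decipher.iv = Base64.strict_decode64(payload['iv'])
  JSON.parse(decipher.update(Base64.strict_decode64(payload['data'])) + decipher.final)
end

# Constructed sample: two node key pairs (in real Chef these would be the
# client keys registered with the server); only payment01 is granted access.
NODE_KEYS = {
  'payment01' => OpenSSL::PKey::RSA.new(2048),
  'web01'     => OpenSSL::PKey::RSA.new(2048),
}
SAMPLE_ITEM = { 'id' => 'payment_system', 'api_key' => 'constructed-sample-key' }

# Returns [item as read by payment01, error seen by web01, node names holding a key].
def demo
  payload = wrap_item_for_nodes(SAMPLE_ITEM, { 'payment01' => NODE_KEYS['payment01'].public_key })
  granted = unwrap_item(payload, 'payment01', NODE_KEYS['payment01'])
  denied = begin
    unwrap_item(payload, 'web01', NODE_KEYS['web01'])
    nil
  rescue RuntimeError => e
    e.message
  end
  [granted, denied, payload['keys'].keys]
end

if __FILE__ == $PROGRAM_NAME
  granted, denied, holders = demo
  puts "nodes holding a wrapped key: #{holders.inspect}"
  puts "payment01 reads: #{granted.inspect}"
  puts "web01: #{denied}"
end
```

Adding a node later means wrapping the same shared key with that node's public key and appending it to `keys`; removing a node from `keys` alone is not enough, since it may already have read the shared key, so a real tool would also rotate the shared key and re-encrypt the item.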
For those using Chef Client, you will need to install an additional gem to use chef-vault. Run the following to install the chef-vault gem:
$ sudo gem install chef-vault --no-ri --no-rdoc
If you're using the Chef Development Kit, you're fine: this Ruby gem has already been installed for you.
Before we can play with chef-vault in our chef-playground setup, we need to register a legitimate client key for our devhost node with the chef-zero server.