PRIVATE KEY----- ... some stuff in a random key I made for examples -----END RSA PRIVATE KEY-----

% knife show data_bags/secrets/mysql_root.json
data_bags/secrets/mysql_root.json:
{
  "id": "mysql_root",
  "password": "Now-we-re-getting-somewhere!"
}
% knife data bag from file -h
knife data bag from file BAG FILE|FOLDER [FILE|FOLDER..] (options)
    -s, --secret                   The secret key to use to encrypt data bag item values
        --secret-file SECRET_FILE  A file containing the secret key to use to encrypt data bag item values
Now we have a key distribution problem
• How do we share the secret key with others?
• Oops.
• There's no centralized point of control
• The key lives on the systems that need it...
"...the protected data resides violates all of the core principles of data protection."
- Patrick Townsend, Townsend Security
http://web.townsendsecurity.com/bid/23881/PCI-DSS-2-0-and-Encryption-Key-Management
(/etc/chef/client.pem)
• Chef Server: Public RSA key
• Chef Vault: Generates a Shared Secret
• Chef Vault: Encrypts w/ Public Keys
  • API Clients (nodes)
  • Users
  • Search Query
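As an added illustration of the mechanism in the bullets above (my own simplified Ruby, not chef-vault's code or its on-disk format), the item is encrypted under a fresh random shared secret and that secret is wrapped once per authorised public key, so the secret itself never has to be handed around; the node names, keys and field layout are constructed for the example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
def b64(s); [s].pack('m0'); end
def unb64(s); s.unpack1('m0'); end

# Constructed stand-ins for two nodes' client keys. On a real node the private
# half is /etc/chef/client.pem and Chef Server holds only the public half.
NODE_KEYS = {
  'web1.example' => OpenSSL::PKey::RSA.new(2048),
  'db1.example'  => OpenSSL::PKey::RSA.new(2048),
}

# Encrypt one data bag item under a random shared secret, then wrap that secret
# with each authorised public key (the set a search query would return). Each
# recipient unwraps its own copy with the private key it already holds.
# Simplified layout, not chef-vault's real format.
def vault_encrypt(item, public_keys)
  secret = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  cipher.auth_data = item['id']          # bind the ciphertext to this item id
  data = cipher.update(JSON.generate(item)) + cipher.final
  wrapped = public_keys.transform_values { |pub| b64(pub.public_encrypt(secret, OAEP)) }
  { 'id' => item['id'], 'iv' => b64(iv), 'tag' => b64(cipher.auth_tag),
    'data' => b64(data), 'keys' => wrapped }
end

# Decrypt as a given client. Fails cleanly when the client was not among the
# public keys chosen at encryption time, or when the item has been tampered with.
def vault_decrypt(vault, client_name, private_key)
  blob = vault['keys'][client_name]
  raise KeyError, "#{client_name} is not on the access list" unless blob
  secret = private_key.private_decrypt(unb64(blob), OAEP)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = secret
  decipher.iv = unb64(vault['iv'])
  decipher.auth_tag = unb64(vault['tag'])   # GCM tag: bad key or edits raise CipherError
  decipher.auth_data = vault['id']
  JSON.parse(decipher.update(unb64(vault['data'])) + decipher.final)
end
```

Adding a node to the vault means wrapping the existing secret with one more public key; no node ever sees another node's private key.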
an alternative for AWS / S3
• https://github.com/poise/citadel
Cheffish & Chef Metal
• https://github.com/opscode/cheffish
• https://github.com/opscode/chef-metal