In order to automate the configuration of database servers, I need to
make my database password available to Chef recipes via a data bag.
However, I don't want to store the password in plain text. I expect
encrypted data bags to protect my passwords from a compromise of the
Chef server data, to allow me to version control my data bags without
checking in passwords, and to provide a mechanism to control which
servers in my infrastructure have access to passwords.
- Encrypt the values of data bag items, so that keys are still
- Simple shared key encryption; users still have to solve the problem
of key distribution.
- Easy to access the decrypted data bag item values from recipes
- Integration into the "knife data bag *" command line to support
creating, editing, showing encrypted data bags.