Chef should support simple encrypted data bags

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 0.10.0
  • Component/s: Chef Client, Knife
  • Labels:
    None

Description

Motivation:

In order to automate the configuration of database servers, I need to
make my database password available to Chef recipes via a data bag.
However, I don't want to store the password in plain text. I expect
encrypted data bags to protect my passwords from a compromise of the
Chef server data, to allow me to version control my data bags without
checking in passwords, and to provide a mechanism to control which
servers in my infrastructure have access to passwords.

Goals:

  • Encrypt the values of data bag items, so that keys are still
    searchable.
  • Simple shared key encryption; users still have to solve the problem
    of key distribution.
  • Easy to access the decrypted data bag item values from recipes
  • Integration into the "knife data bag *" command line to support
    creating, editing, showing encrypted data bags.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Seth Falcon added a comment -

Some details on the feature proposal added to the wiki:
http://wiki.opscode.com/display/chef/Encrypted+Data+Bags

And implementation is here:
https://github.com/seth/chef/tree/CHEF-1945

Show
Seth Falcon added a comment - Some details on the feature proposal added to the wiki: http://wiki.opscode.com/display/chef/Encrypted+Data+Bags And implementation is here: https://github.com/seth/chef/tree/CHEF-1945
Hide
Permalink
Daniel DeLeo added a comment -

This is merged.

Show
Daniel DeLeo added a comment - This is merged.

People

  • Assignee:
    Seth Falcon
    Reporter:
    Seth Falcon
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: