Storing passwords in Chef?


Solution 1

From the #chef IRC channel, many people store this kind of data in a data bag on the chef server.

For example, a data bag might be 'aws', with an item 'main', referring to the primary AWS account. Separate keys in the item would be for each particular value. E.g.:

{
  "id": "main",
  "aws_secret_key": "The secret access key",
  "aws_access_key": "The access key"
}

You may also be interested in encrypted data bags. I wrote about them in more detail for managing postfix SASL authentication.

Update: I've written blog posts about Chef Vault on my blog and sysadvent.

Solution 2

This question is old and has no accepted answer; however, the correct answer to this question is that Chef allows the use of Encrypted Data Bags for storing sensitive data in Data Bags.

Solution 3

I think Hashicorp's Vault is really promising as a way to dynamically retrieve encrypted information and leave behind some of the oddities of Chef workflow in this area.

This is an interesting post that starts to touch on the subject: https://www.hashicorp.com/blog/using-hashicorp-vault-with-chef.html

Solution 4

The best practice is to keep keys and passwords in Chef data_bags. A data bag contains data bag items. Individual data_bag items are in JSON format.

For example:

{
  /* This is a supported comment style */
  // This style is also supported
  "id": "ITEM_NAME",
  "key": "value"
}

Encrypt Data Bag Item: A data bag item may be encrypted using shared secret encryption. This allows each data bag item to store confidential information (such as a database password or SSH keys) or to be managed in a source control system (without plain-text data appearing in revision history). This can be done as follows:

Create Secret Key: Create a secret key called encrypted_data_bag_secret, for example:

$ openssl rand -base64 512 | tr -d '\r\n' > encrypted_data_bag_secret

where encrypted_data_bag_secret is the name of the file which will contain the secret key.

Encrypt the data_bag: A data bag item is encrypted using a knife command similar to:

$ knife data bag create passwords mysql --secret-file /tmp/my_data_bag_key

where “passwords” is the name of the data bag, “mysql” is the name of the data bag item, and “/tmp/my_data_bag_key” is the path to the location in which the file that contains the secret key is located.

Verify Encryption: When the contents of a data bag item are encrypted, they will not be readable until they are decrypted. Encryption can be verified with a knife command similar to:

$ knife data bag show passwords mysql

Decrypt Data Bag: An encrypted data bag item is decrypted with a knife command similar to:

$ knife data bag show --secret-file /tmp/my_data_bag_key passwords mysql
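To make the create/verify/decrypt steps above concrete, here is an added example (not Chef's or knife's own code) that encrypts and decrypts one data bag item the way Chef's version 1 encrypted data bag layout does: AES-256-CBC, key derived as SHA-256 of the shared secret file contents, each value wrapped in {"json_wrapper": ...} and stored as base64 "encrypted_data" plus "iv". The secret and the item are constructed for illustration.

```ruby
require "openssl"
require "json"

# Constructed stand-in for the contents of encrypted_data_bag_secret (not a real key).
SECRET_FILE_CONTENT = "constructed-shared-secret-not-a-real-key"

# Constructed item mirroring the "passwords"/"mysql" example from the answer.
PLAIN_ITEM = { "id" => "mysql", "password" => "constructed-db-password" }

# Encrypt a single value in the version 1 layout. The key is simply the
# SHA-256 digest of the shared secret, so anyone holding the secret file
# can decrypt every item protected with it. Version 1 carries no integrity
# check (later format versions add an HMAC or use AES-256-GCM), so a
# tampered value is only detected indirectly via padding or JSON failures.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  { "encrypted_data" => [ciphertext].pack("m0"), "iv" => [iv].pack("m0"),
    "version" => 1, "cipher" => "aes-256-cbc" }
end

def decrypt_value(field, secret)
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  cipher.iv = field["iv"].unpack1("m0")
  plain = cipher.update(field["encrypted_data"].unpack1("m0")) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Every field except "id" is encrypted; "id" stays in plaintext so the item
# can still be addressed by `knife data bag show passwords mysql`.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : encrypt_value(v, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : decrypt_value(v, secret)
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = encrypt_item(PLAIN_ITEM, SECRET_FILE_CONTENT)
  puts JSON.pretty_generate(stored)                       # what "Verify Encryption" shows
  puts decrypt_item(stored, SECRET_FILE_CONTENT).inspect  # what --secret-file shows
end
```

Running it without the secret is the same as the unauthenticated `knife data bag show`: only the id and opaque base64 blobs are visible.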

Solution 5

Chef Encrypted data_bags are indeed a legitimate solution. Adding to that, you can also use a Ruby gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of Chef nodes. This allows only those Chef nodes to decrypt the encrypted values. cf. https://github.com/Nordstrom/chef-vault


Updated on June 06, 2022

Comments

  • erikcw (almost 2 years)

    What is the best practice for storing passwords and API keys with Chef? It's really tempting to store database passwords, AWS API keys, and other sensitive credentials as Chef Server Attributes for use in recipes -- but what about security considerations? What's the best practice for this?

  • StephenKing (over 10 years)

    chef-vault is a great way to store passwords securely!

  • StephenKing (over 8 years)

    This service has been discontinued.

  • user2066657 (almost 6 years)

    Didn't Noah pooh-pooh cryptobags in coderanger.net/data-bags as Code Smell? (TL;DR - you'll have to share a secret to see the secrets)