Chef 0.10 Preview: Encrypted Data Bags
Many server roles, such as databases, require setting up passwords as
part of their configuration. A common pattern is to put such
passwords in a data bag stored on the Chef server. Recipes can then
access the data bag to automate the configuration.
A downside of this approach is that passwords are stored in plain text
on the Chef server and also within your version control system if you
use one to manage your cookbooks, roles, and data bags.
In Chef 0.10, you can use Encrypted Data Bags to reduce the exposure
of sensitive data stored in data bags to the servers that need it
for their configuration and the operators that need to modify it.
Here’s what you need to know about encrypted data bags before we jump
into a few examples:
Before we can create an Encrypted Data Bag, we need a secret key.
We’ll use openssl
to generate a random secret.
[sourcecode]$ openssl rand -base64 512 > secret_key
[/sourcecode]
Now we can create an encrypted data bag item within the “prod” data
bag:
[sourcecode]$ knife data bag create –secret-file ./secret_key prod passwords
# edited data bag item in editor and saved
Created data_bag[prod]
Created data_bag_item[passwords]
[/sourcecode]
(Note: there are 2 dashes (-) before secret in the above command)
This will pop open your editor. Here’s what I filled in for the example:
[sourcecode]{
"id": "passwords",
"mysql": "open-sesame-123",
"rabbitmq": "open-queue-123"
}
[/sourcecode]
Let’s take a look at the result without decrypting (if you are
following along, your values will depend on the secret used):
[sourcecode]$ knife data bag show prod passwords
id: passwords
mysql: xtSxLvqHqPP1gHsqP5SlytFtDIfpWMJebJ2aZPd0mGU=
rabbitmq: wVcK/OboqpRcfF5fOKlEHKz2ev7CxSrBsoCwWo9Jcko=
[/sourcecode]
To see the decrypted values, specify the secret key:
[sourcecode]$ knife data bag show –secret-file=./secret_key prod passwords
id: passwords
mysql: open-sesame-123
rabbitmq: open-queue-123
[/sourcecode]
(Note: there are 2 dashes (-) before secret in the above command)
Next, we’ll look at how to use encrypted data bags within recipes for
node configuration.
Recipes can access decrypted values usingChef::EncryptedDataBagItem.load
. If you don’t specify a shared
secret when calling the load
method, Chef will look for a file based
on the value of the Chef::Config[:encrypted_data_bag_secret]
config
entry (which you can set for a node via /etc/chef/client.rb). The
default value is /etc/chef/encrypted_data_bag_secret
.
To demonstrate the use of encrypted data bags on a node, we’ll start
by copying the secret_key
file created above to our example node
using scp and moving it to /etc/chef/encrypted_data_bag_secret
.
[sourcecode]scp ./secret_key $MY_NODE_IP:~/
ssh $MY_NODE_IP
sudo mv ./secret_key /etc/chef/encrypted_data_bag_secret
[/sourcecode]
Next, we’ll create a recipe that will log the decrypted values for
demonstration purposes (if these were real secrets, you would want to
avoid logging them).
[sourcecode]knife cookbook create edb_demo
[/sourcecode]
Now edit cookbooks/edb_demo/recipes/default.rb
so that it contains
the following:
[sourcecode lang=”ruby”]# cookbooks/edb_demo/recipes/default.rb
passwords = Chef::EncryptedDataBagItem.load("prod", "passwords")
mysql = passwords["mysql"]
Chef::Log.info("The mysql password is: ‘#{mysql}’")
[/sourcecode]
Finally, upload the cookbook and run chef-client on the node. You
should see something like this:
[sourcecode]knife cookbook upload edb_demo
# output clipped
knife ssh name:i-8a436fe5 -a ec2.public_hostname ‘sudo chef-client’
INFO: *** Chef 0.10.0.rc.2 ***
INFO: Run List is
As you can see, the recipe was able to decrypt the values in the
encyrpted data bag. It did so by using the shared secret located in
the default location of /etc/chef/encrypted_data_bag_secret
.
Encrypted Data Bags are an easy way to add a layer of security to
protect sensitive configuration data like passwords and cloud
credentials. You can use knife
to create and view encrypted data
bags. By placing the shared secret in a known location on a node, you
can allow the node to access the protected data via a recipe. You can
learn more about Encrypted Data Bags and some of the additional
options they support on the Chef Wiki