How to secure sensitive data using Chef Vault
Data Bags vs Chef Vault
Chef provides two ways to keep secrets (passwords, API keys, certificates) out of plain-text cookbooks. One is encrypted Data Bags, which we have been using for a long time. This blog, however, talks about an option built on top of data bags that is also more secure: Chef Vault.
The basic idea is the same in both: encrypt the data. An encrypted data bag item, though, is protected by a single shared secret, so it can be decrypted on any node that holds a copy of that secret. Chef Vault instead encrypts that shared secret once for every intended node (and admin user) with that party's public key, so only the holders of the matching private keys, i.e. the nodes and admins the item was created for, can decrypt it. That is why Chef Vault is considered the more secure option.
Chef Vault
Chef Vault is a gem that stores your data in encrypted form. Install it on your workstation to encrypt data, and on every node that will decrypt it.
$ gem install chef-vault
Command Line
Older chef-vault releases used separate encrypt/decrypt commands:
$ knife encrypt create [VAULT] [ITEM] [VALUES]
$ knife decrypt [VAULT] [ITEM] [VALUES]
Current releases use the knife vault subcommands:
$ knife vault [SUBCOMMAND] [VAULT] [ITEM] [VALUES] --mode MODE --search SEARCH --admins ADMINS
Command Options
- --mode: Possible values are solo and client. It is important to specify the mode because it decides where the encrypted data bag will be saved. If you have a Chef server, the mode is client; otherwise it is solo. For solo mode you need to set data_bag_path in knife.rb, which is where the data bags will be stored on your local workstation. The mode can also be set once in knife.rb as knife[:vault_mode] instead of on every command.
- --search (short form -S): As mentioned above, a vault item can be decrypted only by the nodes it is meant for, and this option is what selects them. It takes a Solr search query, e.g. --search "role:webserver"; the shared secret is then encrypted with the public key of every client the search returns, so only those nodes can decrypt the vault item. Note that the search is evaluated when the item is created or updated, not at decryption time: a node that starts matching the query later cannot read the item until you run knife vault update or knife vault refresh for that item.
- --admins (short form -A): Here you specify the Chef users (admins) who can decrypt the vault item, by their user names.
- --json FILE: Instead of passing the item's values on the command line, read them from a JSON file.
Vault Create
$ knife vault create secrets database '{"username": "root", "password": "mypassword"}' -S "role:dbserver" -A "admin1,admin2"
If the mode is client, you can check the vault created under data bags on your Chef server (two items appear: database and database_keys). For solo mode, the vault is created at the path specified in data_bag_path in knife.rb.
Make sure that at least one node with role dbserver is registered with the server (i.e. its client key exists) and that the users admin1 and admin2 exist before creating the vault. Only then is the shared secret encrypted with the public keys of the matching clients and admins. Otherwise the vault item is created, but no node or user can decrypt it.
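To make two points concrete, namely why a vault item can only be opened by the nodes it was created for, and why a search that matches no clients leaves an item nobody can decrypt, here is a small added model of the chef-vault scheme in plain Ruby using OpenSSL. It is not chef-vault's own code and does not reproduce its exact on-disk format; the node list, the role names and the simplified "role:NAME" search are constructed for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed stand-in for the Chef server's client list: each node has roles
# and a client key pair (the server only ever stores the public half).
NODES = {
  'db1.example.com'  => { roles: ['dbserver'],  key: OpenSSL::PKey::RSA.new(2048) },
  'db2.example.com'  => { roles: ['dbserver'],  key: OpenSSL::PKey::RSA.new(2048) },
  'web1.example.com' => { roles: ['webserver'], key: OpenSSL::PKey::RSA.new(2048) },
}.freeze

# Stand-in for a knife search; only "role:NAME" queries are understood here.
def search_nodes(query)
  role = query.delete_prefix('role:')
  NODES.select { |_, n| n[:roles].include?(role) }.keys
end

# Create a vault item: encrypt the values with a random shared secret
# (AES-256-GCM, as Chef's v3 encrypted data bag format does), then wrap that
# secret with the public key of every client the search returns. This models
# chef-vault's pair of data bag items, ITEM and ITEM_keys.
def vault_create(values, search)
  secret = SecureRandom.random_bytes(32)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(JSON.generate(values)) + cipher.final

  clients = search_nodes(search)
  # The failure mode from the text: nothing to wrap the secret for.
  raise "search #{search.inspect} matched no clients; item would be undecryptable" if clients.empty?

  wrapped = clients.to_h do |name|
    pub = NODES[name][:key].public_key
    [name, Base64.strict_encode64(pub.public_encrypt(secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))]
  end

  {
    'item' => { 'iv' => Base64.strict_encode64(iv),
                'tag' => Base64.strict_encode64(cipher.auth_tag),
                'data' => Base64.strict_encode64(ciphertext) },
    'keys' => { 'search_query' => search, 'clients' => wrapped },
  }
end

# Decrypt as a node: unwrap the shared secret with the node's own private key,
# then decrypt the item. A node absent from ITEM_keys has nothing to unwrap.
def vault_load(vault, node_name)
  wrapped = vault['keys']['clients'][node_name]
  raise "#{node_name} is not authorized for this vault item" unless wrapped
  secret = NODES[node_name][:key].private_decrypt(Base64.decode64(wrapped),
                                                  OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)

  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = secret
  cipher.iv = Base64.decode64(vault['item']['iv'])
  cipher.auth_tag = Base64.decode64(vault['item']['tag'])
  cipher.auth_data = ''
  JSON.parse(cipher.update(Base64.decode64(vault['item']['data'])) + cipher.final)
end

if __FILE__ == $PROGRAM_NAME
  vault = vault_create({ 'username' => 'root', 'password' => 'mypassword' }, 'role:dbserver')
  puts vault_load(vault, 'db1.example.com')['password']
  begin
    vault_load(vault, 'web1.example.com')
  rescue RuntimeError => e
    puts "web1: #{e.message}"
  end
end
```

The web server node holds the encrypted item (it is just a data bag item) but cannot decrypt it, because the secret was never wrapped for its key. The same property means a node added to the dbserver role after the item was created is not in the key list either, which is what knife vault refresh/update fixes.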
Vault Update
$ knife vault update secrets database '{"username": "new_user", "password": "newpassword"}' -S "role:dbserver1" -A "admin1,admin3"
Vault Remove
$ knife vault remove secrets database '{"username": "root", "password": "mypassword"}'
We can also remove only admins from the list of admins for item database in vault secrets:
$ knife vault remove secrets database -A "admin1,admin2"
Vault Delete
$ knife vault delete secrets database
Vault Show
$ knife vault show secrets
$ knife vault show secrets database
$ knife vault show secrets database "username,password"
Vault in recipes
chef_gem 'chef-vault' do
  # The require below runs at compile time, so the gem must also be
  # installed at compile time (compile_time false would install it too late).
  compile_time true
end

require 'chef-vault'

# Decrypts with this node's own client key; raises if the node is not
# in the item's key list (i.e. it did not match the search at create time).
item = ChefVault::Item.load('secrets', 'database')
item['password']

Wherever the password is then used (a template, a file, an execute resource), mark that resource sensitive true so the value does not end up in the chef-client log or diff output.