How to secure sensitive data using Chef Vault

Nimisha Sharad Sep 23 - 4 min read


Data Bags vs Chef Vault

Chef provides two solutions for securing sensitive data. One is Data Bags, which we have been using for a long time. This blog, however, talks about another kind of data bag that is also the more secure option: Chef Vault.
The basic idea for keeping your secrets safe is the same in both: encrypt the data. But an encrypted data bag item can be decrypted on any server that has its secret key. With Chef Vault, by contrast, the data is encrypted with the public keys of only those servers it is meant for, so only those servers can decrypt it. That's why Chef Vault is considered the more secure option.

Chef Vault

Chef Vault is a gem which is used to save your data in an encrypted form. You will have to install this gem on your workstation for encrypting data. This gem also needs to be installed on all the nodes where you would be decrypting the data.

$ gem install chef-vault

Command Line

Previously the commands used to be like this:
$ knife encrypt create [VAULT] [ITEM] [VALUES]
$ knife decrypt [VAULT] [ITEM] [VALUES]
But they have been deprecated now. The new command structure looks like this:
$ knife vault [SUBCOMMAND] [VAULT] [ITEM] [VALUES] --mode MODE --search SEARCH --admins ADMINS

Command Options

  • --mode: Possible values are Solo and Client. It's very important to specify the mode because it decides where the encrypted data bag will be saved. If you have a Chef server, the mode will be Client; otherwise the mode will be Solo. For Solo mode you need to specify data_bag_path in your knife.rb file, the directory on your local workstation where data bags will be stored.
  • --search: As mentioned earlier, a Chef Vault item can be decrypted only by those servers it is meant for; this option is one of the ways to ensure that. In --search you specify a Solr search query, e.g. --search "role:webserver". In this case only the servers with role webserver will be able to decrypt the vault data.
  • --admins: Here you specify the admin users who can decrypt the Chef Vault data.
  • --json: Instead of specifying each option separately, a JSON file can also be used that specifies mode, search and admins.

Vault Create

$ knife vault create secrets database '{"username": "root", "password": "mypassword"}' -S "role:dbserver" -A "admin1,admin2"
This will create a vault named secrets and put in it an item named database with the given values of username and password. The data is encrypted for the clients matching role:dbserver and for the admins admin1 and admin2.
You can check the vault created under data bags on your Chef server if the mode is Client. For Solo mode, the vault will be created at the path specified in data_bag_path in knife.rb.
Make sure that a node with role dbserver exists, and that the users admin1 and admin2 exist, before creating the vault. Only then will the vault data be encrypted using the public keys of the nodes and users matching the options above; otherwise the vault data can't be decrypted on any node.
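To make the "Data Bags vs Chef Vault" point and the create-time caveat above concrete, here is an added Ruby example; it is a simplified model of the scheme, not chef-vault's own code. A random shared secret encrypts the item (like a standard encrypted data bag), and that secret is then wrapped with the RSA public key of each authorized client (chef-vault stores these wrapped copies in a "<item>_keys" data bag item). The client names, key pairs and item values are constructed for the example; the rekey method plays the role of "knife vault update" re-encrypting for a new set of clients.

```ruby
# Added example: a minimal model of how Chef Vault limits decryption to chosen clients.
require "openssl"
require "json"
require "securerandom"

# Toy vault item: AES-GCM encrypted payload plus one wrapped copy of the
# shared secret per authorized client (keyed by client name).
class VaultItem
  attr_reader :wrapped_keys

  # data: Hash of item values; clients: { name => RSA public key }
  def initialize(data, clients)
    @secret = SecureRandom.random_bytes(32) # AES-256 key, never stored in clear
    @ciphertext, @iv, @tag = encrypt_payload(JSON.generate(data), @secret)
    @wrapped_keys = {}
    rekey(clients)
  end

  # Re-wrap the shared secret for a new set of authorized clients. A node that
  # did not exist (or did not match the search) at creation time has no wrapped
  # copy and therefore cannot decrypt until the item is updated like this.
  def rekey(clients)
    @wrapped_keys = clients.to_h do |name, pub|
      [name, pub.public_encrypt(@secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)]
    end
  end

  # A client unwraps the secret with its *private* key; any other key fails.
  def decrypt(client_name, private_key)
    wrapped = @wrapped_keys[client_name]
    raise KeyError, "#{client_name} is not authorized for this item" unless wrapped
    secret = private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    JSON.parse(decrypt_payload(@ciphertext, @iv, @tag, secret).force_encoding("UTF-8"))
  end

  private

  def encrypt_payload(plaintext, key)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    [ct, iv, cipher.auth_tag]
  end

  def decrypt_payload(ct, iv, tag, key)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.update(ct) + cipher.final
  end
end

# Constructed scenario: two dbserver nodes and one webserver node, each with a
# client key pair as every Chef client has. The item is created for the
# dbserver nodes only, like -S "role:dbserver" in the knife command above.
def scenario
  keys = %w[db1 db2 web1].to_h { |n| [n, OpenSSL::PKey::RSA.new(2048)] }
  dbservers = keys.slice("db1", "db2").transform_values(&:public_key)
  item = VaultItem.new({ "username" => "root", "password" => "mypassword" }, dbservers)

  result = {}
  result[:db1] = item.decrypt("db1", keys["db1"])["username"]
  # web1 was not in the search at creation time: no wrapped secret for it.
  result[:web1_denied] = begin
    item.decrypt("web1", keys["web1"]); false
  rescue KeyError
    true
  end
  # Even holding db1's wrapped blob, web1's private key cannot unwrap it.
  result[:wrong_key_denied] = begin
    item.decrypt("db1", keys["web1"]); false
  rescue OpenSSL::PKey::RSAError
    true
  end
  # A node that joins role:dbserver later gets nothing until the item is re-keyed.
  keys["db3"] = OpenSSL::PKey::RSA.new(2048)
  result[:db3_before_update] = begin
    item.decrypt("db3", keys["db3"]); false
  rescue KeyError
    true
  end
  item.rekey(keys.slice("db1", "db2", "db3").transform_values(&:public_key))
  result[:db3_after_update] = item.decrypt("db3", keys["db3"])["password"]
  result
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

The important property is visible in the scenario: the encrypted payload itself is the same for everyone, but without a wrapped copy of the shared secret for your private key you get nothing, which is exactly why a vault must be created (or updated) after the matching nodes and admins exist.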

Vault Update

$ knife vault update secrets database '{"username": "new_user", "password": "newpassword"}' -S "role:dbserver1" -A "admin1,admin3"
The vault item's values and its options can be modified with this command.

Vault Remove

$ knife vault remove secrets database '{"username": "root", "password": "mypassword"}'
This will remove the username and password values from item database in vault secrets.
We can also remove just the admins from the encrypted admins of item database in vault secrets:
$ knife vault remove secrets database -A "admin1,admin2"

Vault Delete

$ knife vault delete secrets database
This will delete the item database from vault secrets.

Vault Show

$ knife vault show secrets
$ knife vault show secrets database
$ knife vault show secrets database "username,password"

Vault in recipes

Once we are done creating the vault items, the next step is to use this data in our recipes. The code below shows how:
chef_gem 'chef-vault' do
  # Install during the compile phase so that the require below, which also
  # runs at compile time, finds the gem (with compile_time false the require
  # would run before the gem is installed).
  compile_time true
end
require 'chef-vault'

# Load and decrypt the item; this succeeds only on a node whose client key the
# item was encrypted for (via -S/-A at create or update time).
item = ChefVault::Item.load("secrets", "database")
db_password = item["password"]
