Configuration management contains information that shouldn’t be floating all over the place in plain text (like your root db credentials).

Within Chef, metadata can be stored in a role, cookbook, attribute or data bag. Although, only a data bag can be encrypted, making them perfect for storing sensitive information.

If you are using knife solo you will need the following plugin installed to get started:

gem install knife-solo_data_bag

Next, set an editor environment variable. So knife can spin up your text editor of choice when editing encrypted data bags:

vim .bash_profile
EXPORT editor=vim

A key (password) locks and unlocks your encrypted data bag. I like to defined this in a file named ‘data_bag_key’:

echo “super secret password” > data_bag_key

Make sure you include your data_bag_key file as part of your .gitignore file. No point in locking everything up, if you end up taping the key to the front of the lock.

To create an encrypted data bag with the knife command:

knife solo data bag create credentials production --secret-file 'data_bag_key'

Editing an encrypted data bag is also done with the knife command:

knife solo data bag edit credentials production --secret-file 'data_bag_key'

Viewing encrypted information in done with:

knife solo data bag show credentials production --secret-file 'data_bag_key'

Using encrypted data bag information within your cookbooks is a little more involved. So I created a little utility credentials cookbook to make things easier. Place ‘recipe[credentials]’ at the start of your run_list to decrypt the credentials data bag. The resulting metadata is automatically added to the node attributes.

With some sensible data bag naming, cookbook default attributes (like passwords) can be overridden.


You can join the conversation on Twitter, Instagram, or Patreon.