Chef: encrypted data bags, protecting the encryption key

chef

When you are using the encrypted data bag feature for Chef, how do you go about deploying the key to many servers? If you put it into a recipe, anyone who has access to any of the Chef servers or clients can pull the key and potentially decrypt any of the data bags.

How do you go about ensuring that the key is on the machines that need it, but also safe from anyone snooping around?

Best Answer

Unfortunately there isn't really a lot you can do as the key needs to be somewhere on the Chef node in plain-text. If someone has shell or local access to the box then it might be possible for them to read the key(s).

To mitigate things a bit I add the following to my basenode (i.e. some recipe or role that is common to all nodes):

directory "/etc/chef/keys" do
  mode 0700
  owner "root"
  group "root"
end

and whatever key distribution mechanism you have puts keys in that location. The permissions and ownership prevent reading of the keys if someone forgets to put the correct permissions on a key file.

As I see it encrypted data bags are more to protect key material from being readable in a source control system, and less as a security feature on Chef nodes themselves.