Based in San Francisco Bay Area, Securesql is a blog by John Menerick. His insights dissect complex systems, offering a masterclass in cyber guardianship through expert analysis and cutting-edge protective strategies.

Chef Encrypted Bags

When I am writing new orchestration and automation, I run into a common issue: how do I keep my credentials confidential, and provide assurance that the credentials' integrity is intact? Chef has a feature called Encrypted Bags. However, many of the initial operational security "best practices" are implemented as antipatterns. Go ahead and try. You will discover it is simple to create and maintain secrets across global clouds. However, process, automation, and computation begin to fail at scale. Very rarely will one elegantly handle the cases where the key needs to be changed or reverted on the fly. Ask your cloud provider the last time they changed their secrets. You will be surprised at their answers. It is fairly simple to update a secret on one AMI instance and bounce the box. However, it is something else completely when one has to balance 2000+ AMIs with varying levels of secrets and access. Trust me, it will get very nasty and complicated.
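As an added illustration of the two requirements above (confidentiality with integrity, and a rotation path that survives a key change), here is a constructed Ruby sketch; it is not the chef gem's code nor this blog's library. Its field layout is modeled on Chef's version 3 encrypted data bag items (aes-256-gcm), and the field names, the SHA-256 key derivation and the `json_wrapper` envelope are this example's assumptions.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Layout modeled on Chef's version 3 encrypted data bag items (aes-256-gcm).
# Field names and key derivation are assumptions, not the chef gem's code.
module BagCrypto
  CIPHER = 'aes-256-gcm'

  # Derive the AES key from the shared secret by hashing it (assumed scheme).
  def self.key_for(secret)
    OpenSSL::Digest::SHA256.digest(secret)
  end

  # Encrypt one field value. GCM produces an auth tag, so any tampering with
  # the stored ciphertext, IV or tag is detected on decrypt (integrity).
  def self.encrypt_value(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key_for(secret)
    iv = cipher.random_iv
    data = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
    { 'encrypted_data' => Base64.strict_encode64(data),
      'iv' => Base64.strict_encode64(iv),
      'auth_tag' => Base64.strict_encode64(cipher.auth_tag),
      'version' => 3, 'cipher' => CIPHER }
  end

  # Decrypt one field; raises OpenSSL::Cipher::CipherError on a wrong key
  # or a tampered ciphertext instead of returning garbage.
  def self.decrypt_value(field, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key_for(secret)
    cipher.iv = Base64.strict_decode64(field['iv'])
    cipher.auth_tag = Base64.strict_decode64(field['auth_tag'])
    plain = cipher.update(Base64.strict_decode64(field['encrypted_data'])) + cipher.final
    JSON.parse(plain)['json_wrapper']
  end

  # Re-key a whole item: 'id' stays in the clear, every other field is decrypted
  # under the old secret and re-encrypted under the new one. A field that fails
  # authentication aborts the rotation rather than carrying bad data forward.
  def self.rotate(item, old_secret, new_secret)
    item.each_with_object({}) do |(k, v), out|
      out[k] = k == 'id' ? v : encrypt_value(decrypt_value(v, old_secret), new_secret)
    end
  end
end

if __FILE__ == $0
  item = { 'id' => 'db', 'password' => BagCrypto.encrypt_value('hunter2', 'old-secret') }
  rotated = BagCrypto.rotate(item, 'old-secret', 'new-secret')
  puts BagCrypto.decrypt_value(rotated['password'], 'new-secret')
end
```

Rotating 2000+ nodes then reduces to distributing the new secret and the re-keyed item together, with decryption under the old secret failing loudly rather than silently once it is retired.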

Some entities will solve it with CertMaster. Your mileage will vary due to the underlying fact that CertMaster is certificate authority software. CertMaster's assurance is limited to the degree one can trust SSL / X.509 and its inherent flaws. Others will replace Chef's data bags on the fly and store the secrets in clear text as an environment variable. If you need me to point out the issues with storing secrets as an environment variable in clear text, then one needs to go back to information security 101 and get their <insert info sec credential here>. Since Chef doesn't have a conception of node metadata and data bags, one will need to account for this in their orchestration automation or have Chef implement node metadata and bags. Another method to accomplish secret handling is to use popen and run the knife commands. However, running shell commands is an antipattern. One's mileage will vary.

Personally, I implemented "cutting edge" distributed cryptographic research, created a Ruby crypto library, and modified Chef's Encrypted Bags source. Use at your own risk.

https://github.com/aeonsf/Operational_Security/commit/3c899a4fed54811f78ab7b8772250ee4cad296a0

"...Alice refuses to give up. She hires a handsome young glovebox researcher, and tasks him with developing a glove flexible enough to permit the nimble assembly of jewels and unlocking of boxes, but sturdy enough to prevent the boxes from being easily compromised. The researcher, amazed at his good fortune, plunges into the problem..."

Good luck!

Security is hard. Security Tools are harder. Cloud Security Tools are hardest.

Sad reality