There are a number of things you can do with data bags.
Data bags are just JSON data, but the Chef server stores them as plain text, with no protection beyond the server's access controls. They are also downloaded onto every node that reads them during a Chef run, so any sensitive values they hold (passwords, API keys, certificates) can end up on many hosts. Fortunately, Chef supports encrypted data bag items: knife encrypts each item with a shared secret key before uploading it, and only nodes that hold the same secret can decrypt it.
Encrypting a data bag item requires a secret key. One way to generate a secret key is to produce a block of random bytes and use its Base64 encoding as the secret. Any line endings must be removed so that the key is the same on every platform, regardless of platform-specific line endings. Here is a quick way to generate one using the openssl command line tool combined with tr to strip the line breaks that openssl inserts into Base64 output:
$ openssl rand -base64 512 | tr -d '\r\n' > ~/.chef/data_bag_secret
The resulting file is the only thing standing between an attacker and the contents of your encrypted data bags, so keep it readable by you alone (chmod 600), never commit it to the same repository as the data bags it protects, and distribute it to nodes over a channel you trust.
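The two-step recipe above (generate, then strip line endings) is easy to get subtly wrong: a stray trailing newline, a copy-paste through a Windows editor, or a file left world-readable. The script below is an added example, not code from the original page or from the Chef project, that wraps the same openssl and tr pipeline in a function and adds a check function that verifies the secret is a single line of Base64 decoding to the expected 512 bytes with no group or other read permission. It assumes openssl, tr, cmp and find are on PATH; the output path passed in is a hypothetical choice.

```shell
#!/bin/sh
# Added example: generate and validate a Chef encrypted data bag secret.
# Assumes openssl, tr, cmp and find are available (POSIX sh, no bashisms).

# Generate a secret into "$1": 512 random bytes, Base64 encoded, all
# line endings removed, file readable only by the owner.
generate_data_bag_secret() {
    out="$1"
    # Create the file under a restrictive umask so it is never world-readable,
    # then force 0600 in case it already existed with looser permissions.
    ( umask 077 && : > "$out" ) || return 1
    chmod 600 "$out" || return 1
    # Same pipeline as the page's one-liner: openssl wraps Base64 output at
    # 64 columns, so tr strips every CR and LF before the key is written.
    openssl rand -base64 512 | tr -d '\r\n' > "$out"
}

# Validate the secret file "$1". Return codes:
#   0 ok, 1 missing, 2 contains CR/LF, 3 non-Base64 characters,
#   4 decodes to the wrong length, 5 readable by group or others.
check_data_bag_secret() {
    f="$1"
    [ -f "$f" ] || return 1
    # Stripping CR/LF must leave the file unchanged.
    if tr -d '\r\n' < "$f" | cmp -s - "$f"; then :; else return 2; fi
    # Only the Base64 alphabet and padding may appear.
    if grep -q '[^A-Za-z0-9+/=]' "$f"; then return 3; fi
    # -A lets openssl decode a single long line; 512 bytes expected.
    n=$(openssl base64 -d -A < "$f" | wc -c | tr -d ' ')
    [ "$n" -eq 512 ] || return 4
    # Any group-read or other-read bit set means the secret can leak locally.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        return 5
    fi
    return 0
}

# Stand-alone use (hypothetical path): generate, then verify.
if [ -n "${RUN_DATA_BAG_SECRET_DEMO:-}" ]; then
    generate_data_bag_secret "$HOME/.chef/data_bag_secret"
    check_data_bag_secret "$HOME/.chef/data_bag_secret" && echo "secret ok"
fi
```

Run the check again after copying the secret to a node; a secret that passes here but fails there (return code 2 is the usual culprit) means a line ending was added in transit, and every decryption on that node will fail with a bad-key error rather than a helpful message.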