CoursesChefAdvanced

Data bags & encrypted secrets

Shared data and secrets, encrypted.

Advanced14 min · lesson 9 of 12

A data bag is a store of JSON data on the Chef server, global and independent of any cookbook — users, application settings, lists of things recipes need. Recipes look up data-bag items at converge time, which keeps shared data out of cookbook code. But plain data bags are stored and transmitted readable, so for secrets you use encrypted data bags (or the Chef Vault pattern) rather than a plain bag.

terminal
# create an encrypted data bag item with a shared secret key
$ knife data bag create secrets db --secret-file /etc/chef/encrypted_data_bag_secret
{ "id": "db", "password": "S3cr3t!" } # stored encrypted on the server
recipe
# decrypt at converge time using the node's secret key
db = data_bag_item('secrets', 'db', IO.read('/etc/chef/encrypted_data_bag_secret'))
template '/etc/app/db.conf' do
variables(password: db['password'])
sensitive true # keep the value out of the run log
end

Encrypted bags vs Chef Vault

Encrypted data bags use one shared secret key that every node needing the data must have — simple, but distributing and rotating that shared key is the weak point. Chef Vault improves on this by encrypting each item to the specific nodes’ client keys, so only authorized nodes can decrypt and there is no shared secret file to distribute. For real secret management at scale, many shops instead integrate an external store like HashiCorp Vault.

The shared secret key is the whole security boundary
An encrypted data bag is only as safe as its secret key — anyone with that key (and read access to the bag) decrypts every secret in it. Do not commit the key, distribute it narrowly, prefer Chef Vault (per-node key encryption) or an external secret manager to avoid a single shared key, and mark tasks sensitive so decrypted values do not leak into converge logs.