Knife plugin that implements git-annex hook backend for chef-vault.
This plugin uses a data bag named annex to store items encrypted by chef-vault for admin chef users (except the admin user created by default) available as git-annex files.
This keeps shared secret files (such as access keys - think Amazon Web Services - or passwords) out of the Git repository and stores them securely encrypted, while still keeping convenient git-based access.
Add this line to your chef repo's Gemfile:
And then execute:
Or install it yourself as:
$ gem install knife-annex
Configure the hook type for git-annex:
$ git config annex.chef-vault-hook 'knife annex'
If you use Bundler with your chef repo, you may need this form:
$ git config annex.chef-vault-hook 'bundle exec knife annex'
Then, initialise the special remote:
$ git annex initremote chef-server type=hook hooktype=chef-vault encryption=none
If you're extra paranoid, you can have double encryption by specifying encryption=shared in the special remote's options.
After that, you can use chef-server remote normally with
When your admin user list changes, you can rekey the data by running:
$ knife annex --rotate-keys
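For orientation, this is the interface git-annex drives through the command set in annex.chef-vault-hook: it runs that command with ANNEX_ACTION, ANNEX_KEY and, for store and retrieve, ANNEX_FILE in the environment. The sketch below is an added example, not knife-annex's code; STORE_DIR is a hypothetical local directory standing in for the annex data bag.

```shell
#!/bin/sh
# Added illustration: a stand-in combined hook, NOT knife-annex's implementation.
# STORE_DIR (hypothetical) replaces the chef-vault data bag with a local directory.
# This stand-in does no encryption; in knife-annex that is chef-vault's job.

annex_hook() {
    if [ -z "${STORE_DIR:-}" ]; then
        echo "STORE_DIR must be set" >&2; return 1
    fi
    # Keys become file names here, so refuse anything that could escape STORE_DIR.
    case "${ANNEX_KEY:-}" in
        ""|*/*|.|..) echo "refusing unsafe key" >&2; return 1 ;;
    esac
    case "${ANNEX_ACTION:-}" in
        store)
            # ANNEX_FILE is the content to upload; keep the copy owner-only.
            ( umask 077 && mkdir -p "$STORE_DIR" &&
              cp -- "$ANNEX_FILE" "$STORE_DIR/$ANNEX_KEY" )
            ;;
        retrieve)
            # ANNEX_FILE is where git-annex expects the content to be written.
            ( umask 077 && cp -- "$STORE_DIR/$ANNEX_KEY" "$ANNEX_FILE" )
            ;;
        remove)
            rm -f -- "$STORE_DIR/$ANNEX_KEY"
            ;;
        checkpresent)
            # git-annex treats the key as present when its name appears on stdout.
            if [ -e "$STORE_DIR/$ANNEX_KEY" ]; then echo "$ANNEX_KEY"; fi
            ;;
        *)
            echo "unknown ANNEX_ACTION: ${ANNEX_ACTION:-}" >&2; return 1 ;;
    esac
}

# Act as a hook only when git-annex has set ANNEX_ACTION.
if [ -n "${ANNEX_ACTION:-}" ]; then annex_hook; fi
```

With encryption=none git-annex hands the hook plaintext content, so whatever sits behind the hook is the only layer protecting the secrets at rest.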
See the CONTRIBUTING.md file