A question about keys. #85

Closed
aug24 opened this issue Feb 5, 2014 · 2 comments

Comments

@aug24

aug24 commented Feb 5, 2014

I'm trying to understand exactly how I can use chef-vault in our environment.

Can you clarify what key is used to encrypt/decrypt on a client when I specify encrypt for all clients of type X please?

  • Is it the chef client.pem? If not, what key is it, and where is it stored?
  • What happens if I create a new client of type X? Do I need to re-encrypt the vault for my new client to gain access?

Many thanks, and apologies if this is documented somewhere I haven't found.

@techish-io

1. The data bag item is encrypted with the public keys of a) the clients listed in the -S (search) option and b) the users listed in the -A (admins) option. The public keys are stored on the Chef server.

It is then decrypted with the corresponding private keys of the same, which is the key mentioned in knife.rb. And yes, it is client.pem on a node if you aren't using a different key name with the -K option.

2. A node of type X which was created after the vault item won't be able to decrypt, as it won't be listed in the clients automatically. You have two options here:

a) Run the knife encrypt/vault update command manually to add the new client.
b) Have a periodically running process do what is mentioned in "a" so new clients get added automatically.

Hope this helps!
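To make the mechanism in the answer above concrete, here is an added, self-contained Ruby model of a vault item (example code written for this page, not chef-vault's own implementation). It follows the envelope pattern the answer describes: the item is encrypted with a random per-item shared secret, and that secret is wrapped once per recipient with the recipient's RSA public key, the key the Chef server holds for each client or user. Decryption on a node uses the matching private key, i.e. client.pem. The `DemoVault` class, the `demo` walkthrough, the node and admin names, and the secret value are all constructed for the example; the scenario it walks through is the one from the thread, where a node created after the vault item cannot decrypt until it is added.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Illustrative model of a chef-vault style item. NOT chef-vault's own code:
# the item is AES-256-GCM encrypted under a random shared secret, and the
# shared secret is RSA-OAEP wrapped once per recipient public key.
class DemoVault
  # data:       Hash to protect (the data bag item contents)
  # recipients: { "name" => OpenSSL::PKey::RSA public key }, i.e. the public
  #             keys a Chef server would return for -S clients and -A admins
  def initialize(data, recipients)
    @shared_secret = OpenSSL::Random.random_bytes(32)
    @item = encrypt_with_secret(JSON.generate(data))
    @item_keys = {}
    recipients.each { |name, pub| add_recipient(name, pub) }
  end

  # The equivalent of a vault update picking up a new client: wrap the
  # existing shared secret for one more public key. The item itself is not
  # re-encrypted.
  def add_recipient(name, pub)
    wrapped = pub.public_encrypt(@shared_secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    @item_keys[name] = Base64.strict_encode64(wrapped)
  end

  def recipients
    @item_keys.keys
  end

  # What a node does with its client.pem: unwrap the shared secret with its
  # private key, then decrypt the item. Raises KeyError if the node was
  # never added; raises OpenSSL::PKey::RSAError if the wrong key is used.
  def decrypt(name, priv)
    wrapped = @item_keys[name]
    raise KeyError, "#{name} is not a recipient of this vault item" unless wrapped
    secret = priv.private_decrypt(Base64.strict_decode64(wrapped),
                                  OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    JSON.parse(decrypt_with_secret(secret))
  end

  private

  def encrypt_with_secret(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @shared_secret
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    { 'iv' => Base64.strict_encode64(iv),
      'tag' => Base64.strict_encode64(cipher.auth_tag),
      'data' => Base64.strict_encode64(ciphertext) }
  end

  def decrypt_with_secret(secret)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = secret
    cipher.iv = Base64.strict_decode64(@item['iv'])
    cipher.auth_tag = Base64.strict_decode64(@item['tag'])
    cipher.update(Base64.strict_decode64(@item['data'])) + cipher.final
  end
end

# Walk through the thread's scenario with constructed keys and data:
# the vault is created for node1 and an admin; node2 is created afterwards
# and cannot decrypt until it is added as a recipient.
def demo
  keys = { 'node1' => OpenSSL::PKey::RSA.new(2048),
           'admin' => OpenSSL::PKey::RSA.new(2048) }
  pubs = keys.transform_values(&:public_key)
  vault = DemoVault.new({ 'password' => 'constructed-example' }, pubs)

  node2 = OpenSSL::PKey::RSA.new(2048) # new client of type X, created later
  decrypted_before_update = begin
    vault.decrypt('node2', node2)
    true
  rescue KeyError
    false
  end

  vault.add_recipient('node2', node2.public_key) # the "vault update" step
  {
    before: decrypted_before_update,
    after: vault.decrypt('node2', node2),
    admin: vault.decrypt('admin', keys['admin']),
    recipients: vault.recipients
  }
end

puts JSON.pretty_generate(demo) if __FILE__ == $PROGRAM_NAME
```

The point the model makes visible is that adding a client only requires wrapping the shared secret for one more public key, which is why a periodic update step (the answer's option b) is cheap: nothing about the item body changes, and a node whose key was never wrapped has no path to the plaintext at all.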

@aug24 (Author)

aug24 commented Feb 5, 2014

Perfect, thank you. That's what my team had concluded must be the case, but we wanted to be absolutely sure.

@aug24 aug24 closed this as completed Feb 5, 2014