Store keys as encrypted data bag items
knife keychain store yoursite-ssl-certificate certificate_file.pem -E productionAdd a description and a group for the key:
knife keychain store yoursite-ssl-certificate certificate_file.pem -E production --description "this is an ssl certificate" --group sslAfter a description and/or group has been set, subsequent knife keychain store commands do not have to specify them (as of v0.1.6).
The purpose of --description is simply to better describe what's being stored. --group, if set, is a way to store keys separately, but retrieve them together. For example:
knife keychain download --group sslwould output all stored keys in the ssl group in a concatenated form.
--global specifies to look at or work with only keys at the global level (shared by all environments).
--environment works as it does in other knife commands. It will constrain the command to work within the environment you specify.
Create a brand new key for the production environment:
knife keychain store some-key-name files/some-key-file --group ssl-key --description "private key for ssl cert" --environment productionUpdate the key you created with content from another file:
knife keychain store some-key-name files/some-other-key-file --environment productionDelete your key from the production environment
knife keychain remove some-key-name --environment productionList only global-level keys
knife keychain list --globalList only keys that are specific to the production environment
knife keychain list --no-global --environment productionList keys specific to the production environment, inheriting any from the global level if they are not overridden
knife keychain list --environment productionShow meta-information and decrypted content of a key
knife keychain show some-key-nameShow all information about keys in the "git" group
knife keychain show --group gitDownload the raw decrypted key content:
knife keychain download some-key-name >downloaded-key.pemCopy all keys unique to SOME_ENVIRONMENT into OTHER_ENVIRONMENT
knife keychain copy --source-environment SOME_ENVIRONMENT --destination-environment OTHER_ENVIRONMENTCopy a single key unique to SOME_ENVIRONMENT into OTHER_ENVIRONMENT
knife keychain copy --source-environment SOME_ENVIRONMENT --destination-environment OTHER_ENVIRONMENT SINGLE_KEY_NAMENote: the copy command will not copy global keys (indicated with * to the left of the name in a key listing),
as these keys are not actually in the source-environment (they're inherited from the _default environment). To
see what the command will actually copy, run knife keychain list --environment SOME_ENVIRONMENT --no-global.
Simplest retrieval example:
secret = 'your secret encryption key'
key_record = search(:keychain, "chef_environment:production AND name:yoursite-ssl-certificate").first
if key_record
key = Chef::EncryptedDataBagItem.load(:keychain_keys, key_record.id, secret)
file "/etc/apache2/ssl/yoursite-ssl-certificate.pem" do
content key['content']
mode 0600
end
endknife-keychain is really just an easy way to work with two databags: keychain (plain) and keychain_keys (encrypted). If you want, you can operate with either data bag directly via the typical knife data bag tools. You can also use the information in any way you would use regular data bags within your recipes. However, due to the use of the _default environment as a "global" level which your other environments can inherit from, you'll likely want to do something like this:
def keychain_key_for_group(group_name)
found_keys = {}
["_default", node.chef_environment].uniq.each do |current_environment|
search(:keychain, "chef_environment:#{current_environment} AND group:#{group_name}").each do |key_record|
key = Chef::EncryptedDataBagItem.load(:keychain_keys, key_record.id)
found_keys[key_record['name']] = key["content"]
end
end
found_keys.values.join("\n")
endNote that this also will concatenate any keys with the same group name. It will "override" any key defined in the _default environment with one defined in your node's environment.