{"id":21745178,"url":"https://github.com/zuazo/encrypted_attributes-cookbook","last_synced_at":"2025-04-13T05:12:26.593Z","repository":{"id":17290011,"uuid":"20060313","full_name":"zuazo/encrypted_attributes-cookbook","owner":"zuazo","description":"Chef cookbook to install and load chef-encrypted-attributes gem.","archived":false,"fork":false,"pushed_at":"2019-05-08T13:20:39.000Z","size":843,"stargazers_count":5,"open_issues_count":2,"forks_count":6,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-26T22:05:22.153Z","etag":null,"topics":["chef","cookbook","credentials","devops","encrypted-attributes","encryption","gcm","keys","passwords","pki","plugin","secrets","security"],"latest_commit_sha":null,"homepage":"https://supermarket.chef.io/cookbooks/encrypted_attributes","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zuazo.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-05-22T12:34:14.000Z","updated_at":"2025-01-07T05:49:53.000Z","dependencies_parsed_at":"2022-09-23T12:33:30.391Z","dependency_job_id":null,"html_url":"https://github.com/zuazo/encrypted_attributes-cookbook","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuazo%2Fencrypted_attributes-cookbook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuazo%2Fencrypted_attributes-cookbook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zuazo%2Fencrypted_attributes-cookbook/releases","manifests_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/zuazo%2Fencrypted_attributes-cookbook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zuazo","download_url":"https://codeload.github.com/zuazo/encrypted_attributes-cookbook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248665743,"owners_count":21142123,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chef","cookbook","credentials","devops","encrypted-attributes","encryption","gcm","keys","passwords","pki","plugin","secrets","security"],"created_at":"2024-11-26T07:13:51.381Z","updated_at":"2025-04-13T05:12:26.573Z","avatar_url":"https://github.com/zuazo.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"Description\n===========\n[![Cookbook Version](https://img.shields.io/cookbook/v/encrypted_attributes.svg?style=flat)](https://supermarket.chef.io/cookbooks/encrypted_attributes)\n[![Dependency Status](http://img.shields.io/gemnasium/onddo/encrypted_attributes-cookbook.svg?style=flat)](https://gemnasium.com/onddo/encrypted_attributes-cookbook)\n[![Code Climate](http://img.shields.io/codeclimate/github/onddo/encrypted_attributes-cookbook.svg?style=flat)](https://codeclimate.com/github/onddo/encrypted_attributes-cookbook)\n[![Build Status](http://img.shields.io/travis/onddo/encrypted_attributes-cookbook.svg?style=flat)](https://travis-ci.org/onddo/encrypted_attributes-cookbook)\n[![Coverage 
Status](http://img.shields.io/coveralls/onddo/encrypted_attributes-cookbook.svg?style=flat)](https://coveralls.io/r/onddo/encrypted_attributes-cookbook?branch=master)\n[![Inline docs](http://inch-ci.org/github/onddo/encrypted_attributes-cookbook.svg?branch=master\u0026style=flat)](http://inch-ci.org/github/onddo/encrypted_attributes-cookbook)\n\nInstalls and enables [`chef-encrypted-attributes`](http://onddo.github.io/chef-encrypted-attributes/) gem: Chef plugin to add Node encrypted attributes support using client keys.\n\nRequirements\n============\n\n## Supported Platforms\n\nThis cookbook has been tested on the following platforms:\n\n* Amazon Linux\n* CentOS\n* Debian\n* Fedora\n* FreeBSD\n* openSUSE\n* RedHat\n* SUSE\n* Ubuntu\n\nPlease, [let us know](https://github.com/onddo/encrypted_attributes-cookbook/issues/new?title=I%20have%20used%20it%20successfully%20on%20...) if you use it successfully on any other platform.\n\n## Required Cookbooks\n\n* [build-essential](https://supermarket.chef.io/cookbooks/build-essential)\n\n## Required Applications\n\n* Ruby `1.9.3` or higher.\n\nSee also [the requirements of the `chef-encrypted-attributes` gem](http://onddo.github.io/chef-encrypted-attributes/#requirements).\n\nAttributes\n==========\n\n| Attribute                                          | Default        | Description                       |\n|----------------------------------------------------|:--------------:|-----------------------------------|\n| `node['encrypted_attributes']['version']`          | *calculated*   | chef-encrypted-attributes gem version to install. The latest stable version is installed by default. |\n| `node['encrypted_attributes']['mirror']`           | `nil`          | chef-encrypted-attributes mirror to download the gem from. For cases where you do not want to use RubyGems. |\n| `node['encrypted_attributes']['data_bag']['name']` | `'global'`     | chef-encrypted-attributes user keys, data bag name. 
|\n| `node['encrypted_attributes']['data_bag']['item']` | `'chef_users'` | chef-encrypted-attributes user keys, data bag item name. |\n| `node['dev_mode']`                                 | *calculated*   | If this is `true`, the `Chef::EncryptedAttributesHelpers` library will work with unencrypted attributes instead of encrypted attributes. For testing purposes. |\n\nRecipes\n=======\n\n## encrypted_attributes::default\n\nInstalls and loads the `chef-encrypted-attributes` gem.\n\n## encrypted_attributes::expose_key\n\nExposes the Client Public Key in attributes. This is a workaround for the Chef Clients Limitation problem. Should be included by all nodes that need to have read privileges on the attributes.\n\n## encrypted_attributes::users_data_bag\n\nConfigures `chef-encrypted-attributes` Chef User keys reading them from a data bag. This is a workaround for the [Chef Users Limitation problem](http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation).\n\nHelper Libraries\n================\n\nSee the [Chef::EncryptedAttributesHelpers documentation](http://www.rubydoc.info/github/onddo/encrypted_attributes-cookbook/master/Chef/EncryptedAttributesHelpers).\n\nUsage Examples\n==============\n\n## Including in a Cookbook Recipe\n\nYou can simply include it in a recipe:\n\n```ruby\ninclude_recipe 'encrypted_attributes'\n```\n\nDon't forget to include the `encrypted_attributes` cookbook as a dependency in the metadata.\n\n```ruby\n# metadata.rb\n# [...]\n\ndepends 'encrypted_attributes'\n```\n\n## Including in the Run List\n\nAnother alternative is to include the default recipe in your *Run List*:\n\n```json\n{\n  \"name\": \"ftp.onddo.com\",\n  \"[...]\": \"[...]\",\n  \"run_list\": [\n    \"recipe[encrypted_attributes]\"\n  ]\n}\n```\n\n## *encrypted_attributes::default* Recipe Usage Example\n\n```ruby\ninclude_recipe 'encrypted_attributes'\n\n# include the #secure_password method\nself.class.send(:include, Opscode::OpenSSL::Password)\n\nif 
Chef::EncryptedAttribute.exists?(node['myapp']['ftp_password'])\n  # update with the new keys\n  Chef::EncryptedAttribute.update(node.set['myapp']['ftp_password'])\n\n  # read the password\n  ftp_pass = Chef::EncryptedAttribute.load(node['myapp']['ftp_password'])\nelse\n  # create the password and save it\n  ftp_pass = secure_password\n  node.set['myapp']['ftp_password'] = Chef::EncryptedAttribute.create(ftp_pass)\nend\n\n# use `ftp_pass` for something here ...\nChef::Log.debug(\"FTP password: #{ftp_pass}\")\n```\n\nYou can also use the `Chef::EncryptedAttributesHelpers` helpers to simplify its use:\n\n```ruby\ninclude_recipe 'encrypted_attributes'\nself.class.send(:include, Chef::EncryptedAttributesHelpers)\n\nftp_pass = encrypted_attribute_write(%w(myapp ftp_password)) do\n  self.class.send(:include, Opscode::OpenSSL::Password)\n  secure_password\nend\n\nChef::Log.debug(\"FTP password: #{ftp_pass}\")\n```\n\n**Note:** This example requires the [openssl](https://supermarket.chef.io/cookbooks/openssl) cookbook.\n\nSee the [`chef-encrypted-attributes` gem Usage](http://onddo.github.io/chef-encrypted-attributes/#usage-in-recipes) section for more examples.\n\n## *encrypted_attributes::users_data_bag* Recipe Usage Example\n\nThis recipe should be called before using the encrypted attributes. 
It sets the `Chef::Config[:encrypted_attributes][:keys]` option reading the keys from a data bag.\n\nBefore using this recipe, you must create the required data bag:\n\n    $ knife data bag create global_data chef_users\n\nYou should create a data bag item with the following format:\n\n```json\n{\n  \"id\": \"chef_users\",\n  \"bob\": \"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFA...\",\n  \"alice\": \"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFA...\"\n}\n```\n\nThe keys can be set in *array of strings* format if you prefer:\n\n```json\n{\n  \"id\": \"chef_users\",\n  \"bob\": [\n    \"-----BEGIN PUBLIC KEY-----\",\n    \"MIIBIjANBgkqhkiG9w0BAQEFA...\",\n    \"[...]\"\n  ],\n  \"alice\": [\n    \"-----BEGIN PUBLIC KEY-----\",\n    \"MIIBIjANBgkqhkiG9w0BAQEFA...\",\n    \"[...]\"\n  ]\n}\n```\n\nYou can retrieve user public keys with `knife user show USER -a public_key -f json`.\n\nThen, you can use this data bag to configure the `Chef::Config[:encrypted_attributes][:keys]` `chef-encrypted-attributes` configuration only by calling the recipe:\n\n```ruby\nnode.default['encrypted_attributes']['data_bag']['name'] = 'global_data'\ninclude_recipe 'encrypted_attributes::users_data_bag'\n\n# if Chef::EncryptedAttribute.exist?(...)\n#   Chef::EncryptedAttribute.update(...)\n# else\n#   node.set[...][...] 
 = Chef::EncryptedAttribute.create(...)\n# ...\n```\n\n**Note:** This data bag does not need to be encrypted, because it only stores public keys.\n\n### Using Chef::EncryptedAttributesHelpers to Encrypt MySQL Passwords\n\nIn the following example we use the official [mysql](https://supermarket.chef.io/cookbooks/mysql) cookbook and its `mysql_service` resource to save the password encrypted in the following attribute:\n\n* `node['myapp']['mysql']['server_root_password']`\n\n```ruby\n# Include the #secure_password method from the openssl cookbook\nself.class.send(:include, Opscode::OpenSSL::Password)\n\n# Install Encrypted Attributes gem\ninclude_recipe 'encrypted_attributes'\n\n# Include the Encrypted Attributes cookbook helpers\nself.class.send(:include, Chef::EncryptedAttributesHelpers)\n\n# We can use an attribute to enable or disable encryption\n# (recommended for tests)\n# self.encrypted_attributes_enabled = node['myapp']['encrypt_attributes']\n\n# Encrypted Attributes will be generated randomly and saved in the\n# `node['myapp']['mysql'][\"server_#{user}_password\"]` attribute encrypted.\ndef generate_mysql_password(user)\n  key = \"server_#{user}_password\"\n  encrypted_attribute_write(['myapp', 'mysql', key]) { secure_password }\nend\n\n# Generate the encrypted root password\nmysql_root_password = generate_mysql_password('root')\n\nmysql_service 'default' do\n  initial_root_password mysql_root_password\n\n  # Some optional parameters:\n  data_dir node['myapp']['mysql']['data_dir']\n  bind_address '127.0.0.1'\n  port node['myapp']['mysql']['port']\n  run_group node['myapp']['mysql']['run_group']\n  run_user node['myapp']['mysql']['run_user']\n  version node['myapp']['mysql']['version']\n  # [...]\n\n  action [:create, :start]\nend\n```\n\n**Note:** This example is for the `mysql` cookbook version `~\u003e 6.0`.\n\nTesting\n=======\n\nSee 
[TESTING.md](https://github.com/onddo/encrypted_attributes-cookbook/blob/master/TESTING.md).\n\nContributing\n============\n\nPlease do not hesitate to [open an issue](https://github.com/onddo/encrypted_attributes-cookbook/issues/new) with any questions or problems.\n\nSee [CONTRIBUTING.md](https://github.com/onddo/encrypted_attributes-cookbook/blob/master/CONTRIBUTING.md).\n\nTODO\n====\n\nSee [TODO.md](https://github.com/onddo/encrypted_attributes-cookbook/blob/master/TODO.md).\n\n\nLicense and Author\n=====================\n\n|                      |                                          |\n|:---------------------|:-----------------------------------------|\n| **Author:**          | [Xabier de Zuazo](https://github.com/zuazo) (\u003cxabier@onddo.com\u003e)\n| **Contributor:**     | [Crystal Hsiung](https://github.com/chhsiung)\n| **Contributor:**     | [Lisa Danz](https://github.com/ldanz)\n| **Copyright:**       | Copyright (c) 2014-2015, Onddo Labs, SL. (www.onddo.com)\n| **License:**         | Apache License, Version 2.0\n\n    Licensed under the Apache License, Version 2.0 (the \"License\");\n    you may not use this file except in compliance with the License.\n    You may obtain a copy of the License at\n    \n        http://www.apache.org/licenses/LICENSE-2.0\n    \n    Unless required by applicable law or agreed to in writing, software\n    distributed under the License is distributed on an \"AS IS\" BASIS,\n    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n    See the License for the specific language governing permissions and\n    limitations under the License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzuazo%2Fencrypted_attributes-cookbook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzuazo%2Fencrypted_attributes-cookbook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzuazo%2Fencrypted_attributes-cookbook/lists"}