Knife Briefcase

This gem is a Knife plugin for Opscode Chef that stores GPG-encrypted content for a group of people in a Chef server's data bag.

Its intended use is to share infrastructure-related secrets (such as encrypted data bag secret files, SSL private keys, passwords, etc.) among the infrastructure team.

This may or may not work nicely with git-annex via its hook special remote.

Installation

Add this line to your Chef repository's Gemfile:

gem 'knife-briefcase', :git => 'git://github.com/3ofcoins/knife-briefcase/'

Or install it yourself:

$ gem build knife-briefcase.gemspec
$ gem install knife-briefcase*.gem

Usage

knife briefcase put NAME [FILE] -- encrypts and signs the named FILE (or standard input) and saves it in the data bag as the item with ID NAME.

knife briefcase get NAME [FILE] -- gets NAME from the data bag, checks the signature, decrypts it, and prints the contents to standard output, or saves them to FILE if provided.

knife briefcase list -- lists encrypted items in the data bag.

knife briefcase delete NAME [NAME [...]] -- deletes the listed NAMEs from the data bag.

TODO: it may be good to refuse to delete items that the user is unable to encrypt. The user can delete them anyway using knife data bag delete, but it shouldn't be allowed via the knife briefcase command.

knife briefcase reload [NAME [NAME [...]]] -- downloads and decrypts the listed items, re-encrypts and re-signs them, and saves the re-encrypted content back. If no names are given, all items are re-encrypted. Run this whenever the briefcase holders list changes, so that an added user can decrypt the items and a removed user loses access to them. Note that re-encryption only protects what is stored from then on: a removed user who already decrypted an item still has that copy.

Git Annex support

The briefcase is a perfect storage backend for git-annex. This combination lets you track secret files in the repository (as git-annex pointers), sync them over git-annex, and have the actual content safely encrypted on the Chef server.

To use the briefcase as a git-annex special remote, configure a hook:

$ git config annex.briefcase-hook 'knife briefcase annex hook'
$ git annex initremote briefcase type=hook hooktype=briefcase encryption=none

By default, annex content is stored in the annex data bag; pass --data-bag=NAME to knife briefcase annex hook, or set briefcase_annex_data_bag in knife.rb, to use a different data bag.

Configuration

The following knife.rb settings are used:

  • briefcase_holders -- array of e-mail addresses that will be the GPG recipients of the data
  • briefcase_signers -- e-mail address (or array of e-mail addresses) whose keys will be used to sign the encrypted content
  • briefcase_data_bag -- name of the data bag used by default to hold encrypted content. If not provided, the briefcase data bag is used. The data bag name can be overridden on the command line.
  • briefcase_annex_data_bag -- name of the data bag used by default by knife briefcase annex hook. If not provided, the annex data bag is used. The data bag name can be overridden on the command line.

Example configuration

briefcase_signers `git config --get user.email`.strip
briefcase_holders [
  '[email protected]',
  '[email protected]',
  '[email protected]',
  '[email protected]',
  '[email protected]' ]
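As an added illustration (not part of knife-briefcase itself), the following Ruby models how the knife.rb settings above resolve and which items knife briefcase reload has to re-encrypt after briefcase_holders changes. The stored item layout (name => current recipients) and all addresses are constructed for the example; the plugin's real item format is not described here.

```ruby
require 'set'

# Defaults the README gives for the two data bag settings.
BRIEFCASE_DEFAULTS = { data_bag: 'briefcase', annex_data_bag: 'annex' }.freeze

# briefcase_signers may be a string or an array; briefcase_holders is an array.
def normalize_emails(value)
  Array(value).map { |e| e.to_s.strip }.reject(&:empty?).uniq
end

# Resolve knife.rb settings the way the README describes them: a --data-bag
# given on the command line overrides knife.rb, which overrides the default.
def resolve_briefcase_config(knife_config, cli_data_bag: nil)
  holders = normalize_emails(knife_config[:briefcase_holders])
  signers = normalize_emails(knife_config[:briefcase_signers])
  # Refuse to encrypt to nobody: such an item could never be read back.
  raise ArgumentError, 'briefcase_holders must list at least one GPG recipient' if holders.empty?
  raise ArgumentError, 'briefcase_signers must name at least one signing key' if signers.empty?
  {
    holders: holders,
    signers: signers,
    data_bag: cli_data_bag || knife_config[:briefcase_data_bag] || BRIEFCASE_DEFAULTS[:data_bag],
    annex_data_bag: knife_config[:briefcase_annex_data_bag] || BRIEFCASE_DEFAULTS[:annex_data_bag]
  }
end

# Constructed sample: item name => addresses the item is currently encrypted to.
# The README does not describe the stored item layout, so this is a model only.
SAMPLE_ITEMS = {
  'ssl-key'   => ['alice@example.invalid', 'bob@example.invalid'],
  'db-secret' => ['alice@example.invalid', 'bob@example.invalid', 'carol@example.invalid'],
  'vpn-psk'   => ['alice@example.invalid', 'bob@example.invalid']
}.freeze

# Items whose recipient set differs from the current holders are exactly the
# ones `knife briefcase reload` has to re-encrypt after the list changes.
def stale_items(items, holders)
  want = holders.to_set
  items.select { |_name, recipients| recipients.to_set != want }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  cfg = resolve_briefcase_config({ briefcase_signers: 'ops@example.invalid',
                                   briefcase_holders: ['alice@example.invalid', 'bob@example.invalid'] })
  puts "recipients: #{cfg[:holders].join(', ')} (data bag: #{cfg[:data_bag]})"
  puts "needs reload: #{stale_items(SAMPLE_ITEMS, cfg[:holders]).join(', ')}"
end
```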

Contributing

See the CONTRIBUTING.md file.
