With recreated nodes, existing keys are not updated #286
Labels
Comments
|
Looking at how the code is written, a short term workaround would be to rotate the symetrical key with |
kamaradclimber
added a commit
that referenced
this issue
Jul 19, 2017
During a refresh operation, speed optimization lead to avoid re-encrypting symetrical key for each existing clients. This lead to issues when clients change their chef key. This patch adds an option --force-reencryption to workaround that for users having such behavior. Fix #286 Change-Id: I0ffa71934d29198fa71aa6e1a9630ad302e21f6a Signed-off-by: Grégoire Seux <g.seux@criteo.com>
kamaradclimber
added a commit
that referenced
this issue
Jul 26, 2017
During a refresh operation, speed optimization lead to avoid re-encrypting symetrical key for each existing clients. This lead to issues when clients change their chef key. This patch adds an option --force-reencryption to workaround that for users having such behavior. Fix #286 Change-Id: I0ffa71934d29198fa71aa6e1a9630ad302e21f6a Signed-off-by: Grégoire Seux <g.seux@criteo.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
With a new chef-vault version 3.1.0 a new feature was introduced:
This change is undesirable in environments where nodes are recreated. In such situations re-encrypting keys was fixing obsolete keys and allowing access to vault's items. Now it does not update client keys, and requires to delete, and re-add client to vault, for all vault items.
Keys should be re-encrypted if node client key has changed, or there should be an opt-in flag to force re-encryption.
The text was updated successfully, but these errors were encountered: