Go back to the main page

Password and sensitive information strategies when using Vagrant and Chef-solo for personal use


Data bags

This is the best option when working within a team but is too complicated for personal use.

Password Shadow Hash

Not as complicated as data bags but required that ruby-shadow is installed on your provision target. Another drawback is that you need to repeat the mkpasswd/openssl passwd command and copy & paste to recipe steps each time there is a change in the sensitive information.

ENV variables (BEST OPTION)

Since Vagrant is serving up the provision you can leverage local ENV settings within the Vagrantfile. This approach doesn't require ruby-shadow and when sensitive information changes you simply edit your environmental variables and they will be picked up on the next vagrant run. Don't forget to run source ~/.profile in the shell where the vagrant command is executed.


export AWS_ACCESS_KEY_ID="***********************"
export AWS_SECRET_ACCESS_KEY="******************************"
export MY_PUBLIC_SSH_KEY_PATH=$HOME/.ssh/id_rsa.pub
export MY_PRIVATE_SSH_KEY_PATH=$HOME/.ssh/id_rsa


Vagrant.configure("2") do |config|
  config.vm.hostname = "test_server"
  config.vm.box = "precise64"
  config.vm.network :private_network, ip: ""
  config.vm.provision :chef_solo do |chef|
    chef.json = {
      misc: {
        ssh_key: File.read(ENV['MY_PUBLIC_SSH_KEY_PATH']),
        ssh_private_key: File.read(ENV['MY_PRIVATE_SSH_KEY_PATH']),
      aws: {
        access_key_id: ENV['AWS_ACCESS_KEY_ID'],
        secret_access_key: ENV['AWS_SECRET_ACCESS_KEY']

Example use from within a recipe

gitolite_user node.gitolite.username do
  ssh_key node.misc.ssh_key

  • Pushed on 09/23/2013 by Christian