Chef Ideas

We believe that the best way to build software is to do it in close collaboration with the people who use it. We invite you to submit your ideas using the form below. Please be sure to include the problem you are solving and the benefits of implementing the idea.

We do our best to implement as many Ideas as we can. Our Product team will evaluate all submitted ideas in a timely manner and will assign each to one of the following categories: will integrate into the product roadmap, further research is needed, unlikely to implement.

Thanks for collaborating with us!

Support hardware devices for mTLS authentication between chef-client and chef server

Mutual TLS (mTLS) negotiation protects against device impersonation before access is allowed to underlying services.  A certificate is deployed to a node and used to prove identity before/during SSL negotiation.

Chef-client supports mTLS, but requires read access to a certificate on the filesystem of the node.  If this certificate is stolen, the node can be impersonated.

When using mTLS, chef-client should provide the option / configuration to access APIs for hardware credential stores, such as the Apple Secure Enclave and the YubiKey.

  • Jeff Vogt
  • Mar 11 2019
  • Currently Declined
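The risk the idea describes (a filesystem-resident client key is all an attacker needs to impersonate the node) is easy to demonstrate end to end. The following is an added example written for this page, not code from Chef or from the idea's author: a plain Ruby/OpenSSL mTLS exchange in which a throwaway CA issues a server certificate and a node certificate, the server demands a client certificate chaining to that CA, and four clients try to connect. All names (the CA, `chef-server`, `node-1.example`) and the in-memory PEM round-trip that stands in for copying the node's key file are constructed for the example. In chef-client the equivalent file paths are the `ssl_client_cert` and `ssl_client_key` settings in client.rb.

```ruby
require 'openssl'
require 'socket'

# Issue an X.509 v3 certificate; a nil issuer makes it self-signed. (Example helper.)
def make_cert(subject, key, serial:, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', san, false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Server: presents its own cert and requires a client cert that chains to ca_cert.
# Echoes the CN of any client it accepts. Returns [port, thread, listening socket].
def start_server(ca_cert, server_cert, server_key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept # raises when the client cert is missing or untrusted
        cn = conn.peer_cert.subject.to_a.find { |name, _, _| name == 'CN' }[1]
        conn.puts(cn)
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        next # rejected handshake; wait for the next client
      end
    end
  end
  [tcp.addr[1], thread, tcp]
end

# Client: verifies the server against ca_cert and presents (cert, key) if given.
# Returns the CN the server echoed, or nil when the server rejects the handshake.
def attempt(port, ca_cert, client_cert = nil, client_key = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if client_cert
    ctx.cert = client_cert
    ctx.key = client_key
  end
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = 'localhost' # SNI; the server cert carries DNS:localhost
  ssl.connect
  ssl.post_connection_check('localhost')
  ssl.gets&.chomp
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
  nil
ensure
  tcp&.close
end

# Scenario (all names constructed): the real node, an attacker holding a copy of the
# node's PEM files, a client with no cert, and a self-signed cert that merely claims
# the node's name. Only the copied key gets in; the name alone does not.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Example Chef CA', ca_key, serial: 1, ca: true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv = make_cert('/CN=chef-server', srv_key, serial: 2, issuer: ca, issuer_key: ca_key, san: 'DNS:localhost')
  node_key = OpenSSL::PKey::RSA.new(2048)
  node = make_cert('/CN=node-1.example', node_key, serial: 3, issuer: ca, issuer_key: ca_key)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue = make_cert('/CN=node-1.example', rogue_key, serial: 4)

  # The PEM round-trip stands in for an attacker copying client.pem / client.key.
  stolen_cert = OpenSSL::X509::Certificate.new(node.to_pem)
  stolen_key = OpenSSL::PKey::RSA.new(node_key.to_pem)

  port, thread, tcp = start_server(ca, srv, srv_key)
  begin
    {
      legitimate_node: attempt(port, ca, node, node_key),
      stolen_key:      attempt(port, ca, stolen_cert, stolen_key),
      no_client_cert:  attempt(port, ca),
      forged_subject:  attempt(port, ca, rogue, rogue_key)
    }
  ensure
    thread.kill
    thread.join
    tcp.close
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The server's CA check does its job against the forged certificate, but it cannot tell the node apart from anyone who can read the node's key file, because the key is an exportable byte string. A hardware-backed or OS-keystore key changes only the client side of this exchange: the private key object is obtained from the Secure Enclave, YubiKey or Keychain and the handshake's signature operation is performed there, so there is no PEM to copy; the server-side verification is unchanged.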
  • Admin
    Tim Smith commented
    10 Feb, 2021 01:31am

    We're currently planning to support storing the client key in the Keychain. As we move closer to implementing that feature this will be a good addition to keep in mind. Since this doesn't fit into our short term roadmap I'm going to set the status to currently declined. We'll reevaluate taking on this work once our initial native OS key storage feature work is complete.

  • Admin
  • Jeff Vogt commented
    30 Jul, 2020 08:22pm

    Just wanted to summarize the customers / prospects who have asked for non-filesystem sources for client-cert and client-key:

    Dropbox: secure enclave / yubikey / keychain

    Pinterest: keychain / windows cert store

    Netflix: keychain / windows cert store

    Uber: keychain / secure enclave

    Slack: keychain / duo

    I believe a documented mTLS pattern is crucial for Chef Desktop, and supporting native key stores on Windows and Mac will up our perceived maturity level in this space.

  • Jeff Vogt commented
    28 May, 2020 05:53pm
  • Jeff Vogt commented
    28 May, 2020 05:50pm

    They suggested looking at how munki uses a Python library that leverages the macOS URLRequest APIs, which natively support Keychain. We'd have to write a gem that does the same.

  • Jeff Vogt commented
    28 May, 2020 05:48pm

    Pinterest just asked for the same thing

  • Michael Chiang commented
    19 Apr, 2019 10:10pm

    Just following up on this, the Dropbox deal seems to have closed. 

    Is this feature currently blocking anyone from adopting Chef? 

  • Mike Krasnow commented
    11 Mar, 2019 11:09pm

    From Galen: 

    Dropbox is going to expose their chef server to the public internet, and is using chef to manage their workstations, which are laptops and mobile. When the chef-client checks in from any of these systems, they want to use the built-in secure enclaves on these boxes to authenticate, rather than using our public/private key-pairs. (aka using a YubiKey as that key/token point)

    More strategically, this enables customers to perform device specific authentication, giving them greater security. We ran into something similar at SWA last week, where their VPN solution is doing this type of forensics to determine whether or not to trust the system, so I anticipate this being a broader ask as we go forward.

  • +5