Reputation: 513
Encrypted chef data bag json file, how to decrypt and show contents?
There are encrypted data bags in json files with some values I need to change. I need to run something like...
$ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb
But this command gives the error: Could not find or open file 'DATABAGNAME' in current directory or in 'data_bags/show/ewe-jenkins'. So obviously the command is not quite right. I need help figuring out the syntax...
I need a command that can be run from the chef-repo, or the data_bags directory, that will allow me to see the unencrypted values of the json file data_bags. Ultimately I want to change some values, but getting the unencrypted values would be a good place to start :) thanks!
Upvotes: 3
Views: 14479
Answers (2)
Reputation: 356
Since you're talking about local json files I'll assume you are using chef-zero / local-mode. The json file can indeed be encrypted and the content can be decrypted with knife.
Complete example:
Create key and databag item:
$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret
$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z
Enter this:
{
"id": "secretstuff",
"firstsecret": "must remain secret",
"secondsecret": "also very secret"
}
The json file is indeed encrypted:
# cat data_bags/mydatabag/secretstuff.json
{
"id": "secretstuff",
"firstsecret": {
"encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
"iv": "MhG09xFcwFAqX/IA3BusMg==\n",
"version": 1,
"cipher": "aes-256-cbc"
},
"secondsecret": {
"encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
"iv": "66AcYpoF4xw/rnYfPegPLw==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}
Show decrypted content with knife:
# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret: must remain secret
id: secretstuff
secondsecret: also very secret
Upvotes: 5
Reputation: 54251
I think you are confusing the knife data bag show and knife data bag from file commands. The former is for displaying data from the server, the latter is for uploading it. You have both on the command line.
Upvotes: 2
Related Questions
- How do I insert an encrypted data bag item value into a Chef recipe?
- Chef::EncryptedDataBagItem.load method use
- Encrypt data bag from inside of ruby without relying on knife
- How to read an encrypted data bag in a chef recipe?
- How deploy a encrypted Data Bag as a file in Chef recipe
- Is it possible to store Chef cookbook_file source in an encrypted data bag?
- how to create\edit encrypted data bag item from a chef recipe
- Chef Decryption of Data Bags and Retrieval of Key
- Iterating over EncryptedDataBagItem in Chef Recipe
- Data bag encryption encrypts on Chef server, but how to encrypt local copy?