meallhour

Reputation: 15599

Chef complaining while decrypting data bag value

I am trying to use encrypted data bag in recipe as following:

  secret = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")
  encryptkey = Chef::EncryptedDataBagItem.load("tokens", "encryptkey", secret)

My data bag looks as below:

{
  "id": "encryptkey",
  "encrypt": "FjJyopVcfoJNIsYk2xDBjA=="
}

However, I keep getting the below error:

   ERROR: Error decrypting data bag value: 'bad decrypt'. Most likely the provided key is incorrect

Upvotes: 0

Views: 2643

Answers (3)

Sidharth K.Burnwal

Reputation: 546

I have seen some solutions. In my case, the issue was with the secret key and the data bag file format. Because Windows initially keeps some files in DOS format, I had to convert those into UNIX format, which PuTTY can read.

find <path> -type f -print0 | xargs -0 dos2unix

Upvotes: 1

Navneet Joshi

Reputation: 166

The issue may be because of a \n or \r character. Please follow the steps below:

  1. Create the secret: $ openssl rand -base64 512 | tr -d '\r\n' > <secret-file>

  2. Upload the data item using $ knife data bag from file <data-bag> </path/to/data-bag-item.json> --secret-file <secret-file>

  3. Get the data bag item from the chef-server: $ knife data bag show <data-bag> <data-bag-item-id>, which will return encrypted data in the below format:

id: mysql
pass:
cipher:         aes-256-cbc
encrypted_data: JZtwXpuq4Hf5ICcepJ1PGQohIyqjNX6JBc2DGpnL2WApzjAUG9SkSdv75TfKSjX4
iv:             VYY2qx9b4r3j0qZ7+RkKHg==
version:        1
user:
cipher:         aes-256-cbc
encrypted_data: 10BVoNb/plkvkrzVdybPgFFII5GThZ3Op9LNkwVeKpA=
iv:             uIqKHZ9skJlN2gpJoml6rQ==
version:        1

  4. Use the --secret-file arg while decrypting the data from the chef-server: $ knife data bag show <data-bag> <data-bag-item-id> --secret-file <secret-file>

  5. In the recipe, use the below syntax:

data = data_bag_item(:<data-bag>, '<data-bag-id>', IO.read(Chef::Config[:encrypted_data_bag_secret]))
log "result1: #{data['id']}"
log "result2: #{data['user']}"

  6. To run the recipe on the node, move the secret-file to the /etc/chef/ location of the node by using the scp command. Don't copy/paste the key. Once the file is available on the node, rename it to 'encrypted_data_bag_secret':

$ mv /etc/chef/secret /etc/chef/encrypted_data_bag_secret

  7. If 'secret' is not specified, the chef-client will look for a secret at the path specified by the encrypted_data_bag_secret setting in the client.rb file. By default it's /etc/chef/encrypted_data_bag_secret.

Hope this will be helpful for you.

Upvotes: 1
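Added example (my own Ruby, not code from any answer above, using constructed values) showing why the \n / \r point in the answer matters: in Chef's version-1 encrypted data bag layout the AES-256-CBC key is SHA-256 of the secret, so a secret read raw with IO.read from a file that ends in a newline derives a different key than the stripped secret knife used to encrypt, and the padding check fails with 'bad decrypt'.

```ruby
require "openssl"
require "digest"
require "json"

# Build one field in Chef's version-1 encrypted data bag layout:
# key = SHA-256(secret), AES-256-CBC, random IV, value wrapped as JSON.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)   # any stray byte changes the key
  iv = cipher.random_iv
  plaintext = JSON.generate("json_wrapper" => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    "cipher" => "aes-256-cbc",
    "encrypted_data" => [ciphertext].pack("m0"),  # strict base64
    "iv" => [iv].pack("m0"),
    "version" => 1,
  }
end

# Decrypt one field; returns nil when the key does not match (OpenSSL raises
# on the padding check, which chef-client reports as 'bad decrypt').
def decrypt_field(field, secret)
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = field["iv"].unpack1("m")
  plaintext = cipher.update(field["encrypted_data"].unpack1("m")) + cipher.final
  JSON.parse(plaintext)["json_wrapper"]
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# Simulate the two ways the secret file can be read: stripped (as knife and
# Chef::EncryptedDataBagItem.load_secret do) versus a raw IO.read of a file
# whose contents end in "\n" or "\r\n". Encryption uses the stripped secret.
def check_secret_handling(file_contents)
  field = encrypt_field("db-password", file_contents.strip)
  {
    stripped: decrypt_field(field, file_contents.strip),
    raw:      decrypt_field(field, file_contents),
  }
end

if __FILE__ == $0
  # Constructed secret file contents, not a real key.
  p check_secret_handling("constructed-secret-0123456789\n")
end
```

Running the `tr -d '\r\n'` step from the answer, or letting load_secret strip the file, is what makes the raw and stripped cases agree.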

coderanger

Reputation: 54249

Not to state the obvious, but that means you didn't create the encrypted data bag correctly or the key is wrong. As we don't have the key or know what commands you ran, it's hard to say which. Also really really stop using that API, I've said that in two questions now I think.

Also if you have major UX questions in a row, SO is a bad medium for this. Ping me on either IRC or Slack and we can probably do this a lot faster.

Upvotes: -1
