Encrypted chef data bag json file, how to decrypt and show contents?

12,056

Solution 1

Since you're talking about local json files I'll assume you are using chef-zero / local-mode. The json file can indeed be encrypted and the content can be decrypted with knife.

Complete example:

Create key and databag item:

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Enter this:

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

The json file is indeed encrypted:

# cat data_bags/mydatabag/secretstuff.json 
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

Show decrypted content with knife:

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret
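Solution 1 shows the on-disk shape of a version 1 encrypted item ("version": 1, "cipher": "aes-256-cbc") and lets knife decrypt it. As an added example, not code from either answer or from Chef itself, the Ruby script below re-implements that format so you can see exactly what `knife data bag show --secret-file` does with the secret and why the secret file, not the json, is the thing to protect. The function names, `SAMPLE_SECRET` and `SAMPLE_ITEM` are my own; the page's ciphertext cannot be decrypted here because its secret is not on the page, so the script round-trips a constructed item instead.

```ruby
require "openssl"
require "json"

# Added example (not from the answers above): a minimal re-implementation of
# version 1 of Chef's encrypted data bag item format, the one visible in the
# JSON on this page ("version": 1, "cipher": "aes-256-cbc").
#   key       = SHA-256 digest of the (whitespace-stripped) secret file contents
#   cipher    = AES-256-CBC, PKCS#7 padding, fresh random 16-byte IV per value
#   plaintext = JSON of {"json_wrapper": <value>}, so values may be nested JSON
#   on disk   = {"encrypted_data": b64, "iv": b64, "version": 1, "cipher": "aes-256-cbc"}
# Every field except "id" is encrypted separately with the same key.
CIPHER = "aes-256-cbc"

# Mirrors what knife does with --secret-file: read the file and strip surrounding
# whitespace (the `tr -d '\r\n'` in the answer removes the newlines openssl inserts).
def load_secret(path)
  secret = File.read(path).strip
  raise ArgumentError, "empty secret in #{path}" if secret.empty?
  secret
end

# The 512-byte random secret collapses to one 32-byte AES key; that key unlocks
# every item encrypted with the secret, so the secret file is the real asset.
def derive_key(secret)
  OpenSSL::Digest.new("SHA256").digest(secret)
end

def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate({ "json_wrapper" => value })) + cipher.final
  {
    "encrypted_data" => [ciphertext].pack("m"), # "m": base64 with a newline every 60 chars, as in the page's json
    "iv" => [iv].pack("m"),
    "version" => 1,
    "cipher" => CIPHER,
  }
end

def decrypt_value(wrapper, secret)
  raise ArgumentError, "unsupported format version #{wrapper['version']}" unless wrapper["version"] == 1
  raise ArgumentError, "unexpected cipher #{wrapper['cipher']}" unless wrapper["cipher"] == CIPHER
  decipher = OpenSSL::Cipher.new(CIPHER)
  decipher.decrypt
  decipher.key = derive_key(secret) # key must be set before iv with Ruby's OpenSSL binding
  decipher.iv = wrapper["iv"].unpack1("m")
  plaintext = begin
    decipher.update(wrapper["encrypted_data"].unpack1("m")) + decipher.final
  rescue OpenSSL::Cipher::CipherError
    # version 1 carries no MAC: a wrong secret or tampered ciphertext is only caught by padding ...
    raise ArgumentError, "bad decrypt: wrong secret or corrupted item"
  end
  # ... and roughly 1 in 256 wrong keys pass the padding check, so also insist on the envelope
  parsed = JSON.parse(plaintext) rescue nil
  unless parsed.is_a?(Hash) && parsed.key?("json_wrapper")
    raise ArgumentError, "bad decrypt: plaintext is not a json_wrapper object"
  end
  parsed["json_wrapper"]
end

def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_value(v, secret) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_value(v, secret) }
end

# Decrypt a local item file such as data_bags/mydatabag/secretstuff.json without knife.
def decrypt_file(item_path, secret_path)
  decrypt_item(JSON.parse(File.read(item_path)), load_secret(secret_path))
end

# Constructed sample data: a made-up secret and the item entered in the answer above.
SAMPLE_SECRET = "constructed-secret-" + ("A" * 64)
SAMPLE_ITEM = { "id" => "secretstuff", "firstsecret" => "must remain secret", "secondsecret" => "also very secret" }

if __FILE__ == $PROGRAM_NAME
  encrypted = encrypt_item(SAMPLE_ITEM, SAMPLE_SECRET)
  puts JSON.pretty_generate(encrypted) # same shape as the secretstuff.json shown above
  p decrypt_item(encrypted, SAMPLE_SECRET)
  begin
    decrypt_item(encrypted, "not the secret")
  rescue ArgumentError => e
    puts "with the wrong secret: #{e.message}"
  end
end
```

Run it as a script to see the encrypted shape and the round trip, or call `decrypt_file("data_bags/mydatabag/secretstuff.json", "/tmp/encrypted_data_bag_secret")` against a real item. Two things worth noticing: each value gets its own IV, so the same plaintext never produces the same ciphertext twice, and a version 1 item has no integrity check at all; the later format versions address that (version 2 adds an HMAC over the ciphertext, version 3 switches to AES-256-GCM), which is a reason to keep the secret file out of the repo and to prefer a newer `data_bag_encrypt_version` where the tooling allows it.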

Solution 2

I think you are confusing the knife data bag show and knife data bag from file commands. The former is for displaying data from the server, the latter is for uploading it. You have both on the command line.


Author by Johnny5

Updated on June 04, 2022

Comments

  • Johnny5
    Johnny5 over 1 year

    There are encrypted data bags in json files with some values I need to change. I need to run something like...

    $ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb
    

    But this command gives the error: Could not find or open file 'DATABAGNAME' in current directory or in 'data_bags/show/ewe-jenkins'. So obviously the command is not quite right. I need help figuring out the syntax...

    I need a command that can be run from the chef-repo, or the data_bags directory, that will allow me to see the unencrypted values of the json file data_bags. Ultimately I want to change some values, but getting the unencrypted values would be a good place to start :) thanks!

  • Johnny5
    Johnny5 almost 8 years
    The goal is to view the decrypted contents of the local json data_bag. Can you point me in the right direction?
  • opricnik
    opricnik almost 8 years
    The local contents are always already decrypted. Encrypted bags are only encrypted on the Chef Server, not locally. You can display the decrypted contents from the server using knife data bag show with --secret or friends.
  • opricnik
    opricnik almost 8 years
    "are always already decrypted" I should add that is when you are using the standard workflow. If you did some funky business with knife -z you'll need to use one of the various knife plugins that does local crypto operations but that doesn't come with Chef. knife data bag show -z --secret might be what you want?
  • ehaselwanter
    ehaselwanter over 6 years
    There is a way of avoiding the editor step: use $ mkdir -p data_bags/mydatabag/ && knife data bag from file my_data_bag /path/to/unencrypted_data_bag_item.json -z --secret-file /path/to/encrypted_data_bag_secret => will create the item to data_bags/mydatabag/secretstuff.json