Encrypted chef data bag json file, how to decrypt and show contents?
Solution 1
Since you're talking about local json files I'll assume you are using chef-zero / local-mode. The json file can indeed be encrypted and the content can be decrypted with knife.
Complete example:
Create key and databag item:
$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret
$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z
Enter this:
{
"id": "secretstuff",
"firstsecret": "must remain secret",
"secondsecret": "also very secret"
}
The json file is indeed encrypted:
# cat data_bags/mydatabag/secretstuff.json
{
"id": "secretstuff",
"firstsecret": {
"encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
"iv": "MhG09xFcwFAqX/IA3BusMg==\n",
"version": 1,
"cipher": "aes-256-cbc"
},
"secondsecret": {
"encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
"iv": "66AcYpoF4xw/rnYfPegPLw==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}
Show decrypted content with knife:
# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret: must remain secret
id: secretstuff
secondsecret: also very secret
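As an added example (not from the answers above and not Chef's own code), here is the version-1 item layout shown in secretstuff.json round-tripped in plain Ruby, using the construction Chef's EncryptedDataBagItem uses for that version: AES-256-CBC, the key being SHA-256 of the secret file's contents, and the value JSON-wrapped as {"json_wrapper": ...} before encryption. The secret and item values are constructed; the ciphertext quoted above cannot be decrypted here because its secret file is not on the page.

```ruby
require "openssl"
require "json"

# Layout of a Chef version-1 encrypted data bag item as in secretstuff.json
# above: every field except "id" becomes {encrypted_data, iv, version, cipher}.
V1_CIPHER = "aes-256-cbc".freeze

# Version 1 derives the AES-256 key as SHA-256 over the secret file's contents
# (knife strips surrounding whitespace when it loads the file).
def v1_key(secret)
  OpenSSL::Digest.digest("SHA256", secret.strip)
end

def encrypt_field_v1(value, secret, iv = nil)
  c = OpenSSL::Cipher.new(V1_CIPHER).encrypt
  c.key = v1_key(secret)
  iv ||= c.random_iv
  c.iv = iv
  # The value is JSON-serialised under "json_wrapper" before encryption, so
  # non-string values (numbers, arrays, hashes) survive the round trip.
  ciphertext = c.update(JSON.generate("json_wrapper" => value)) + c.final
  {
    # pack("m") is Base64.encode64: it wraps at 60 chars, which is where the
    # embedded "\n" characters in the encrypted_data and iv strings come from.
    "encrypted_data" => [ciphertext].pack("m"),
    "iv" => [iv].pack("m"),
    "version" => 1,
    "cipher" => V1_CIPHER,
  }
end

# Caveat: version 1 is unauthenticated CBC. A tampered ciphertext is only ever
# caught by accident (padding or JSON failure); versions 2 (HMAC-SHA256) and
# 3 (AES-256-GCM) add real integrity protection, so prefer them for new items.
def decrypt_field_v1(field, secret)
  raise ArgumentError, "not a version-1 field" unless field["version"] == 1 && field["cipher"] == V1_CIPHER
  c = OpenSSL::Cipher.new(V1_CIPHER).decrypt
  c.key = v1_key(secret)
  c.iv = field["iv"].unpack1("m")
  plaintext = c.update(field["encrypted_data"].unpack1("m")) + c.final
  JSON.parse(plaintext).fetch("json_wrapper")
end

# Whole-item helpers: "id" stays in the clear, exactly as in the file above.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == "id" ? v : encrypt_field_v1(v, secret)] }
end

def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == "id" ? v : decrypt_field_v1(v, secret)] }
end
```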
Solution 2
I think you are confusing the knife data bag show and knife data bag from file commands. The former is for displaying data from the server, the latter is for uploading it. You have both on the command line.
Johnny5, updated on June 04, 2022
Comments
- Johnny5 over 1 year
There are encrypted data bags in json files with some values I need to change. I need to run something like...
$ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb
But this command gives the error: Could not find or open file 'DATABAGNAME' in current directory or in 'data_bags/show/ewe-jenkins'. So obviously the command is not quite right. I need help figuring out the syntax...
I need a command that can be run from the chef-repo, or the data_bags directory, that will allow me to see the unencrypted values of the json file data_bags. Ultimately I want to change some values, but getting the unencrypted values would be a good place to start :) thanks!
- Johnny5 almost 8 years: The goal is to view the decrypted contents of the local json data_bag. Can you point me in the right direction?
- opricnik almost 8 years: The local contents are always already decrypted. Encrypted bags are only encrypted on the Chef Server, not locally. You can display the decrypted contents from the server using knife data bag show with --secret or friends.
- opricnik almost 8 years: "are always already decrypted" I should add that is when you are using the standard workflow. If you did some funky business with knife -z you'll need to use one of the various knife plugins that does local crypto operations but that doesn't come with Chef. knife data bag show -z --secret might be what you want?
- ehaselwanter over 6 years: there is a way of avoiding the editor step: use
$ mkdir -p data_bags/mydatabag/ && knife data bag from file my_data_bag /path/to/unencrypted_data_bag_item.json -z --secret-file /path/to/encrypted_data_bag_secret
=> will create the item in data_bags/mydatabag/secretstuff.json