2

There are encrypted data bags in json files with some values I need to change. I need to run something like...

$ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb

But this command gives the error: Could not find or open file 'DATABAGNAME' in current directory or in 'data_bags/show/ewe-jenkins'. So obviously the command is not quite right. I need help figuring out the syntax...

I need a command that can be run from the chef-repo, or the data_bags directory, that will allow me to see the unencrypted values of the json file data_bags. Ultimately I want to change some values, but getting the unencrypted values would be a good place to start :) thanks!

Johnny5
  • I've come to realize that we have an unusual setup where we work with files in GitHub, instead of directly with the Chef server. The files in GitHub are then pulled into chef-server via a Jenkins job that is triggered on changes. – Johnny5 Dec 16 '15 at 00:45

2 Answers

5

Since you're talking about local json files I'll assume you are using chef-zero / local-mode. The json file can indeed be encrypted and the content can be decrypted with knife.

Complete example:

Create key and databag item:

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Enter this:

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

The json file is indeed encrypted:

# cat data_bags/mydatabag/secretstuff.json 
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

Show decrypted content with knife:

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret
Fabrice Devaux
    There is a way of avoiding the editor step: use `$ mkdir -p data_bags/mydatabag/ && knife data bag from file mydatabag /path/to/unencrypted_data_bag_item.json -z --secret-file /path/to/encrypted_data_bag_secret` => this will create the item at `data_bags/mydatabag/secretstuff.json` – ehaselwanter Jun 10 '17 at 07:27
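As an added example that is not part of the answer above or of Chef's own code: the Ruby below re-implements the on-disk format the answer shows (version 1: aes-256-cbc, key = SHA-256 of the raw secret-file contents, the value serialized inside a `json_wrapper` object, IV and ciphertext base64-encoded with a newline every 60 characters, which is where the `\n` in the JSON comes from), so a local `data_bags/*.json` item can be decrypted or re-encrypted with nothing but Ruby's standard library and the secret file. It goes one step beyond the page by also producing the version 2 layout, which adds an HMAC-SHA256 over the ciphertext; that is what turns a wrong secret into a deterministic integrity error instead of a padding failure that only usually happens. The key derivation, wrapper and HMAC details are my reading of the chef-client source, not something this page states, so check a round trip against `knife data bag show -z --secret-file ...` before trusting it on real items; the later version 3 format (aes-256-gcm) is deliberately not handled.

```ruby
require "openssl"
require "json"

# Raised when a version-2 item's HMAC does not match (wrong secret or tampered file).
class DataBagIntegrityError < StandardError; end

# Chef derives the AES-256 key for format versions 1 and 2 by hashing the raw
# secret-file contents with SHA-256 (assumption from reading chef-client, not from the page).
def derive_key(secret)
  OpenSSL::Digest::SHA256.digest(secret)
end

# Base64 with a newline every 60 characters, the shape knife writes to disk.
def b64(bytes)
  [bytes].pack("m")
end

def unb64(str)
  str.unpack1("m")
end

# Constant-time comparison so the HMAC check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt one field. Version 1 is AES-256-CBC only; version 2 adds an
# HMAC-SHA256 over the base64 ciphertext, keyed with the raw secret.
def encrypt_value(plaintext, secret, version: 1)
  raise ArgumentError, "version must be 1 or 2" unless [1, 2].include?(version)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  # Chef wraps the value so non-string JSON types survive the round trip.
  ciphertext = cipher.update(JSON.generate("json_wrapper" => plaintext)) + cipher.final
  encrypted_data = b64(ciphertext)
  field = {
    "encrypted_data" => encrypted_data,
    "iv" => b64(iv),
    "version" => version,
    "cipher" => "aes-256-cbc",
  }
  field["hmac"] = b64(OpenSSL::HMAC.digest("SHA256", secret, encrypted_data)) if version == 2
  field
end

# Decrypt one field. For version 2 the HMAC is verified before any decryption.
def decrypt_value(enc, secret)
  raise ArgumentError, "unsupported cipher #{enc["cipher"]}" unless enc["cipher"] == "aes-256-cbc"
  case enc["version"]
  when 1
    # Version 1 carries no integrity check: a wrong secret shows up, if at all,
    # as a CipherError on padding or as unparseable JSON.
  when 2
    expected = OpenSSL::HMAC.digest("SHA256", secret, enc["encrypted_data"])
    raise DataBagIntegrityError, "HMAC mismatch" unless secure_compare(expected, unb64(enc["hmac"]))
  else
    raise ArgumentError, "unsupported version #{enc["version"].inspect}"
  end
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = unb64(enc["iv"])
  plain = cipher.update(unb64(enc["encrypted_data"])) + cipher.final
  JSON.parse(plain).fetch("json_wrapper")
end

# Whole item, as stored in data_bags/<bag>/<item>.json: every field except "id" is encrypted.
def decrypt_item(item, secret)
  item.each_with_object({}) do |(name, value), out|
    out[name] = name == "id" ? value : decrypt_value(value, secret)
  end
end

def encrypt_item(item, secret, version: 2)
  item.each_with_object({}) do |(name, value), out|
    out[name] = name == "id" ? value : encrypt_value(value, secret, version: version)
  end
end

# Constructed demo: a secret shaped like `openssl rand -base64 512 | tr -d '\r\n'`
# and the same item as the answer above (ciphertext differs, the key is fresh).
def demo
  secret = [OpenSSL::Random.random_bytes(512)].pack("m0")
  plain = { "id" => "secretstuff", "firstsecret" => "must remain secret", "secondsecret" => "also very secret" }
  decrypt_item(encrypt_item(plain, secret), secret)
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

To use it against a real item, read the secret with `File.read(path_to_secret)` exactly as knife does (no stripping) and pass `JSON.parse(File.read("data_bags/mydatabag/secretstuff.json"))` to `decrypt_item`; to change a value, edit the decrypted hash and write `encrypt_item(...)` back out with `JSON.pretty_generate`. Prefer version 2 when re-encrypting, since version 1 gives no way to tell a wrong secret from a corrupted file.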
1

I think you are confusing the knife data bag show and knife data bag from file commands. The former is for displaying data from the server, the latter is for uploading it. You have both on the command line.

coderanger
  • The goal is to view the decrypted contents of the local json data_bag. Can you point me in the right direction? – Johnny5 Dec 12 '15 at 01:12
  • The local contents are always already decrypted. Encrypted bags are only encrypted on the Chef Server, not locally. You can display the decrypted contents from the server using `knife data bag show` with `--secret` or friends. – coderanger Dec 12 '15 at 01:26
  • "are always already decrypted" I should add that is when you are using the standard workflow. If you did some funky business with `knife -z` you'll need to use one of the various knife plugins that does local crypto operations but that doesn't come with Chef. `knife data bag show -z --secret` might be what you want? – coderanger Dec 12 '15 at 01:27