2

What is the correct format for adding a secret file in my knife.rb? I've read the docs and can't seem to get the formatting right, or perhaps it is not working.

I have tried adding both:

knife[:secret_file] = "/path/to/data_bag_secret"

and

secret_file "/path/to/data_bag_secret"

Neither of these seems to encrypt my secrets when I use knife data bag create bag key.

If I use knife data bag create bag key --secret-file /path/to/data_bag_secret it encrypts correctly however.

It doesn't appear to be encrypted when I go look at the data bags on https://manage.chef.io, which is why I think it's not encrypting. When I manually pass the switch it does encrypt correctly on https://manage.chef.io.

Ben Liyanage
  • I have the answer to this from Chef support, though I haven't verified it yet. Hoping to do that today or tomorrow, and answer my own question. Ping me if you're interested in what they said sooner. – Ben Liyanage Jan 05 '16 at 17:30

2 Answers

1

tl;dr: additionally pass in the command line argument --encrypt flag if you are using Chef 12+. e.g. knife data bag from file foo ./data_bags/foo.json --encrypt

Since Chef 12 you are required to pass in the --encrypt flag while using the knife data bag [create|from file] commands in order for your knife[:secret] or knife[:secret_file] configuration options in knife.rb to take effect. The main problem here is that the Chef docs have not yet been updated to indicate as such. If you call knife data bag [create|from file] --help you will see the explanation of the --encrypt flag option there.

Answer sourced here: https://github.com/chef/chef/issues/3223#issuecomment-93338211.

d.howser
  • Links to external resources are encouraged, but please add context around the link so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. – pableiros Dec 08 '16 at 16:57
  • Thanks @pableiros, I've updated the original answer and hopefully that is better. – d.howser Dec 08 '16 at 17:29
0

So it's a bit odd, but the --secret-file option doesn't populate its own config value. If you look in https://github.com/chef/chef/blob/master/lib/chef/knife/data_bag_secret_options.rb#L48 you see it runs a custom proc instead, which is defined below that. Setting knife[:secret_file] should still work though; all the code related to bag encryption uses both. In general you wouldn't be using data bag create for this though, that is for the initial bag/item creation. For general updates use data bag from file. Also remember that you need to remove that value from your config file to actually see the encrypted data, otherwise knife data bag show will decrypt it for you automatically.

coderanger
  • It doesn't appear to be encrypted when I go look at the data bags on manage.chef.io, which is why I think it's not encrypting. When I manually pass the switch it does encrypt correctly on manage.chef.io. – Ben Liyanage Dec 18 '15 at 22:21
  • Wait I think I misunderstood you. Are you saying I should try setting that config directly? – Ben Liyanage Dec 18 '15 at 22:26
  • Yes, if you set `knife[:secret_file]` and run a `knife data bag from file` it should encrypt it on upload. – coderanger Dec 18 '15 at 22:40
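A small checker for the verification step coderanger describes: dump the item with `knife data bag show BAG ITEM -F json` from a knife config that has no knife[:secret_file] set, then decide from the JSON alone whether the upload was actually encrypted. This is an added example, not code from the question, the answers or Chef itself; it assumes the wrapper field names of Chef's encrypted data bag item versions 1 to 3 and uses constructed sample items with placeholder values.

```ruby
# Added example: classify the fields of a downloaded data bag item as plain or
# encrypted. Chef keeps "id" in the clear and wraps every other field in a hash
# carrying "encrypted_data", "iv", "version" and "cipher" (assumed: v2 adds
# "hmac", v3 uses aes-256-gcm and adds "auth_tag").
require 'json'

ENCRYPTED_KEYS = {
  1 => %w[encrypted_data iv version cipher],
  2 => %w[encrypted_data iv version cipher hmac],
  3 => %w[encrypted_data iv version cipher auth_tag]
}.freeze

# True when a field value has the shape of an encrypted wrapper
def encrypted_field?(value)
  return false unless value.is_a?(Hash)
  required = ENCRYPTED_KEYS[value['version']]
  return false if required.nil?
  required.all? { |k| value.key?(k) }
end

# Returns { 'plain' => [fields...], 'encrypted' => [fields...] } for one item
def classify_item(json_text)
  item = JSON.parse(json_text)
  result = { 'plain' => [], 'encrypted' => [] }
  item.each do |field, value|
    next if field == 'id' # the id is never encrypted
    (encrypted_field?(value) ? result['encrypted'] : result['plain']) << field
  end
  result
end

# True only if every non-id field is encrypted; a mixed result means the item
# was re-uploaded with some fields in the clear
def fully_encrypted?(json_text)
  c = classify_item(json_text)
  c['plain'].empty? && !c['encrypted'].empty?
end

# Constructed sample: what an upload without --encrypt looks like on the server
PLAIN_ITEM = '{"id":"key","password":"hunter2"}'
# Constructed sample: shape of a v2 encrypted item (placeholder values, not real ciphertext)
ENCRYPTED_ITEM = '{"id":"key","password":{"encrypted_data":"PLACEHOLDER_DATA",' \
                 '"iv":"PLACEHOLDER_IV","version":2,"cipher":"aes-256-cbc","hmac":"PLACEHOLDER_HMAC"}}'

if __FILE__ == $PROGRAM_NAME
  puts "plain item fully encrypted?     #{fully_encrypted?(PLAIN_ITEM)}"     # false
  puts "encrypted item fully encrypted? #{fully_encrypted?(ENCRYPTED_ITEM)}" # true
end
```

Run it against the real dump by replacing the constructed strings with `File.read('item.json')`; a false result with knife[:secret_file] removed from the config confirms the item went up unencrypted.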