data_bag_item in http://docs.getchef.com/release/12-0/release_notes.html to see the detailed release notes on this feature.
If you use Knife to interact with data bags, we also improved that experience. You can provide a secret to Knife in 1 of 4 ways. They are, in order of descending preference:
- Provide the secret on the command line of knife data bag and knife bootstrap commands with --secret
- Provide the location of a file containing the secret on the command line of knife data bag and knife bootstrap commands with --secret-file
- Add the secret to your workstation config with knife[:secret] = …
- Add the location of a file containing the secret to your workstation config with knife[:secret-file] = …
When adding the secret information to your workstation config, it will not be used for writeable operations unless --encrypt is also passed on the command line. Data bag read-only operations (knife data bag show and knife bootstrap) do not require --encrypt to be passed, and will attempt to use an available secret for decryption. Unencrypted data bags will not attempt to be unencrypted, even if a secret is provided. Trying to view an encrypted data bag without providing a secret will issue a warning and show the encrypted contents. Trying to edit or create an encrypted data bag without providing a secret will fail.
Here are some example scenarios:

knife[:secret_file] = ... in knife.rb will create and encrypt the data bag:
knife data bag create BAG_NAME ITEM_NAME --encrypt

The same command run with --secret will use the command line secret instead of the knife.rb secret:
knife data bag create ANOTHER_BAG ITEM_NAME --encrypt --secret 'ANOTHER_SECRET'

The next two commands will fail, because they are using the wrong secret:
knife data bag edit BAG_NAME --secret 'ANOTHER_SECRET'
knife data bag edit ANOTHER_BAG --encrypt

The next command will unencrypt the data and show it using the knife[:secret_file] without passing the --encrypt flag:
knife data bag show BAG_NAME

To create an unencrypted data bag, simply do not provide
knife data bag create UNENCRYPTED_BAG

If a secret is available from any of the 4 possible entries, it will be copied to a bootstrapped node, even if --encrypt is not present:
knife bootstrap FQDN
http://docs.getchef.com/knife_data_bag.html is the documentation for the Knife features.
On Dec 6, 2014, at 6:45 PM, Julian C. Dunn firstname.lastname@example.org wrote:
On Sat, Dec 6, 2014 at 7:50 AM, Tiago Cruz email@example.com wrote:
Can you please detail a little bit more this feature:
Auto magical encryption / decryption of encrypted data bags in recipes and
In Chef < 12 you had to use Chef::EncryptedDataBagItem.load to load
encrypted data bag items, and the data_bag_item DSL to load
unencrypted data bag items.
In Chef >= 12, you can use the data_bag_item for both, and it will
auto-detect whether a bag item is encrypted or not.
[ Julian C. Dunn firstname.lastname@example.org * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
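As an added illustration of the auto-detection Julian describes and of the wrong-secret failure mentioned earlier in the thread (this is example code written for this page, not code from the thread or from Chef itself), the following Ruby snippet mirrors the version-1 encrypted item layout: every field except "id" becomes a hash of base64 ciphertext, IV, version and cipher name, with the AES key derived as the SHA-256 of the secret. The loader decrypts only when the item looks encrypted and a secret is available; all function names and sample values are constructed here.

```ruby
require "openssl"
require "digest"
require "base64"
require "json"

CIPHER = "aes-256-cbc" # cipher used by version-1 items

# Encrypt one field the way a v1 item stores it: base64 ciphertext plus IV and metadata.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret) # v1 derives the AES key from the secret's SHA-256
  iv = cipher.random_iv
  plain = JSON.generate("json_wrapper" => value) # wrapper lets non-string values round-trip
  { "encrypted_data" => Base64.strict_encode64(cipher.update(plain) + cipher.final),
    "iv" => Base64.strict_encode64(iv), "version" => 1, "cipher" => CIPHER }
end

def decrypt_field(field, secret)
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Shape check behind the auto-detection: every non-"id" value must carry a known version.
def encrypted_item?(raw)
  fields = raw.reject { |k, _| k == "id" }
  !fields.empty? && fields.values.all? { |v| v.is_a?(Hash) && [1, 2, 3].include?(v["version"]) }
end

def encrypt_item(raw, secret)
  raw.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_field(v, secret) }
end

# Loader that passes plain items through and decrypts encrypted ones only when a secret is given.
def load_item(raw, secret = nil)
  return raw unless encrypted_item?(raw)
  raise ArgumentError, "item #{raw["id"]} is encrypted but no secret was given" unless secret
  raw.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_field(v, secret) }
end

PLAIN_ITEM = { "id" => "db", "password" => "hunter2", "port" => 5432 } # constructed sample
SECRET = "constructed-example-secret"
```

A wrong secret surfaces as a decryption (or JSON parse) error from decrypt_field, which is the failure the "wrong secret" knife scenarios above describe.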