Databag Encryption


#1

Hi,

We have uploaded encrypted data bags to the Chef server. While running chef-client from the node, it's not decrypting the JSON files inside the data bag, though the secret key is present in the location C:\Chef.

Decryption happens from the workstation through the command knife data bag show.


#2

I don’t know what process inside your recipe you are using to decrypt the data bag, but are you telling the recipe where to find the secret key in order for the decryption to find it?

For example here is how my logic looks in my recipes that do this:

mydatabag = data_bag_item('mydatabag', 'mydatabagitem', IO.read('C:\chef\cache\encrypted_data_bag_secret'))


#3

Hello @deb, it looks like you might have missed specifying /encrypted_data_bag_secret while bootstrapping the node. Rerunning the bootstrap with the --secret-file option should resolve this issue.


#4

Hi suthir, actually we have migrated from hosted Chef to an on-prem Chef server, so we are not bootstrapping the nodes again. We are changing the old Chef URL to the new one and running chef-client on the node.
That is when we are getting this error.


#5

Hi,

Thanks for the help, we have defined the same in the client.rb.

Regards
Dev


#6

Cool. Updating the encrypted data bag path directly in client.rb should work, as it is the same as running through knife bootstrap.


#7

Thanks for the help @suthir
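
A diagnostic for the situation in this thread, where the workstation decrypts an item but the node does not. It is an added example, not code from the posts above or from Chef itself. It assumes version 3 (aes-256-gcm) encrypted items keyed by the SHA-256 digest of the secret string; the function names, item and secrets are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Decrypt one encrypted field of a version 3 data bag item.
# Assumption: v3 layout (aes-256-gcm, key = SHA-256 of the secret string,
# plaintext wrapped as {"json_wrapper": value}).
def decrypt_v3(field, secret)
  raise ArgumentError, "not a version 3 field" unless field["version"] == 3
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field["iv"])
  cipher.auth_tag = Base64.decode64(field["auth_tag"])
  cipher.auth_data = ""
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Constructed helper: builds a sample field in the same layout so the check
# runs offline; on a real node the item comes from the Chef server.
def encrypt_v3(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  { "encrypted_data" => Base64.encode64(data), "iv" => Base64.encode64(iv),
    "auth_tag" => Base64.encode64(cipher.auth_tag), "version" => 3,
    "cipher" => "aes-256-gcm" }
end

# Report per field whether this secret authenticates the ciphertext.
# The secret is stripped first, so a trailing newline in the file does not
# change the derived key.
def check_secret(item, secret_text)
  secret = secret_text.strip
  item.reject { |name, _| name == "id" }.to_h do |name, field|
    decrypt_v3(field, secret)
    [name, :ok]
  rescue OpenSSL::Cipher::CipherError
    [name, :wrong_secret]
  end
end

item = { "id" => "mydatabagitem", "password" => encrypt_v3("s3cr3t", "workstation-secret") }
p check_secret(item, "workstation-secret\r\n") # secret file with a trailing newline
p check_secret(item, "secret-left-on-node")    # different secret present on the node
```

A `:wrong_secret` result for every field means the file on the node is not the secret the items were encrypted with, which is a different failure from the client not being told where the file is.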