Databag Key not found on node

priyanshu · September 12, 2017, 5:40pm

While using Chef’s Databag, I created a databag on workstation with an openssl key for encryption.

Now when calling chef-client on a node to call the recipes and databag use on the node, I need the key to decrypt my databag item on the node.

How can i manage my openssl key so that node can also read that

What i tried was I kept the key in files and then using cookbook_file resource to call the key at runtime on node but the issue is that before the cookbook_file resource runs the Encrypted key_load function searches for the key on node and gives an error.

How to get rid of the problem

joerg.herzinger · September 12, 2017, 6:49pm

Hi,

What you are trying to achieve sounds pretty much like what chef-vault (https://github.com/chef/chef-vault) does. Did you consider using it?

priyanshu · September 13, 2017, 3:07pm

As mentioned…how can i use a template to load my key from my workstation to the node at runtime

priyanshu · September 13, 2017, 3:14pm

When trying to call the key through cookbook_file resource …and using the below mentioned code inside a recipe along with cookbook_file resource then before running this resource my_secret is trying to load the path and the file is missing because cookbook_file will run after this but it should run before.

Chef::EncryptedDataBagItem.load_secret("#{secretkey}")

priyanshu · September 13, 2017, 3:16pm

And this secret key needs to be created from cookbook_file… which should run before the load command but it is running afterwards

joerg.herzinger · September 13, 2017, 7:20pm

If you create the secret key by a cookbook_file then encrypting is useless at all. This undermines every security. Please, you should really have a look at chef-vault.

However, if you really want to do it this way, although this makes encryption useless, have a look at lazy evaluation: https://docs.chef.io/resource_common.html#lazy-evaluation. This is exactly what you want/need.

priyanshu · September 14, 2017, 12:59pm

Can you explain chef vault via an example code so that it can be clear
I am not clear with that concept
Can you explain with a databag having password to be handled

joerg.herzinger · September 14, 2017, 1:18pm

There are already numerous blog posts and presentations out there about Chef Vault. The latest one from this years chef conf for example is quite good: https://de.slideshare.net/NellShamrell/chef-vault-a-deep-dive
And for managing passwords in Chef-Vault there is this slightly old post: https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/

Topic		Replies	Views
[SOLVED] Encrypted data bag in recipe key not found Chef Infra (archive)	2	1040	January 5, 2018
Encrypted Data Bags - Preemptive Key Retrieval Chef Infra (archive)	1	382	January 23, 2015
Using encrypted data bags in cookbooks? Chef Infra (archive)	9	353	January 22, 2015
Databag Encryption Chef Infra (archive)	6	513	July 11, 2018
Knife vault create works, but getting Chef::EncryptedDataBagItem::DecryptionFailure Chef Infra (archive)	2	791	June 15, 2020

Databag Key not found on node

Related topics