Databag Key not found on node


#1

While using Chef’s Databag, I created a databag on workstation with an openssl key for encryption.

Now when calling chef-client on a node to call the recipes and databag use on the node, I need the key to decrypt my databag item on the node.

How can I manage my OpenSSL key so that the node can also read it?

What I tried was keeping the key in files and then using the cookbook_file resource to fetch the key at runtime on the node, but the issue is that before the cookbook_file resource runs, the encrypted key_load function searches for the key on the node and gives an error.

How can I get rid of the problem?


#2

Hi,

What you are trying to achieve sounds pretty much like what chef-vault (https://github.com/chef/chef-vault) does. Did you consider using it?


#3

As mentioned, how can I use a template to load my key from my workstation to the node at runtime?


#4

When trying to fetch the key through the cookbook_file resource, and using the below-mentioned code inside a recipe along with the cookbook_file resource, then before running this resource my_secret is trying to load the path and the file is missing, because cookbook_file will run after this but it should run before.

Chef::EncryptedDataBagItem.load_secret("#{secretkey}")


#5

And this secret key needs to be created from cookbook_file, which should run before the load command, but it is running afterwards.


#6

If you create the secret key with a cookbook_file, then encryption is useless altogether. This undermines all security. Please, you should really have a look at chef-vault.

However, if you really want to do it this way, although this makes encryption useless, have a look at lazy evaluation: https://docs.chef.io/resource_common.html#lazy-evaluation. This is exactly what you want/need.
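To make the compile-versus-converge ordering from posts #4 and #6 concrete, here is an added Ruby example (not from this thread and not Chef's own code) that simulates a chef-client run with a stand-in `lazy`/`DelayedEvaluator` and a stand-in `load_secret`; `run_chef_like`, `eager_attempt` and `lazy_attempt` are names invented for the example.

```ruby
require "tmpdir"
# Stand-in for Chef::DelayedEvaluator (what the `lazy` DSL method returns):
# a Proc that is not called until properties are resolved at converge time.
class DelayedEvaluator < Proc; end

def lazy(&blk)
  DelayedEvaluator.new(&blk)
end

# Stand-in for Chef::EncryptedDataBagItem.load_secret: read and trim the key file.
def load_secret(path)
  raise Errno::ENOENT, path unless File.exist?(path)
  File.read(path).strip
end

# Minimal model of a chef-client run: the recipe body runs once (compile phase) and
# only collects resources; their actions then run in order (converge phase).
def run_chef_like(&recipe)
  resources = []
  declare = ->(name, props, &action) { resources << [name, props, action] }
  recipe.call(declare)
  resources.map do |name, props, action|
    resolved = props.transform_values { |v| v.is_a?(DelayedEvaluator) ? v.call : v }
    action.call(resolved)
    [name, resolved]
  end
end

# Post #4's pattern: load_secret runs while the recipe is compiled, before the
# resource that writes the key file has converged, so the file does not exist yet.
def eager_attempt(dir)
  key_path = File.join(dir, "secret.key")
  run_chef_like do |declare|
    declare.call("file[key]", content: "s3cr3t\n") { |p| File.write(key_path, p[:content]) }
    declare.call("log[secret]", secret: load_secret(key_path)) { |p| p }
  end
rescue Errno::ENOENT => e
  "compile-time failure: #{e.message}"
end

# Post #6's fix: wrap the call in lazy so it runs at converge, after file[key] has written
# the key. The key still ships with the cookbook, so (as post #6 says) encryption protects nothing.
def lazy_attempt(dir)
  key_path = File.join(dir, "secret.key")
  run_chef_like do |declare|
    declare.call("file[key]", content: "s3cr3t\n") { |p| File.write(key_path, p[:content]) }
    declare.call("log[secret]", secret: lazy { load_secret(key_path) }) { |p| p }
  end.last.last[:secret]
end
```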


#7

Can you explain Chef Vault with example code so that it is clear?
I am not clear on that concept.
Can you explain with a data bag containing a password to be handled?


#8

There are already numerous blog posts and presentations out there about Chef Vault. The latest one from this year's ChefConf, for example, is quite good: https://de.slideshare.net/NellShamrell/chef-vault-a-deep-dive
And for managing passwords in Chef-Vault there is this slightly older post: https://blog.chef.io/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/