Encrypted Data Bag format?

Chef Infra (archive)
1

The format of my encrypted data bag seems to have changed from
{
“abc”: “Aizug0hk7OmzAk1feN8u5jxsDn8oYHfE8gOdga1EmpQ=\n”,
}

to this:
“abc”: {
“iv”: “/2ZxMWiIVWJzpWRj+8uxJA==\n”,
“cipher”: “aes-256-cbc”,
“version”: 1,
“encrypted_data”:
“0uKackLYg25J6Eoow5LhbkvOGEleT7XT/ueraSwnqB/obRDtASu1qOImuimm\n9MqF\n”
},

Anyone know what I might have done to my DB, or if an upgrade may have made
this change?

Thanks a lot!
Guy

2

Guy,

The former is the original format and the latter is the new format. Chef-11
knives that make new encrypted-data-bag-items will make them in the new
format by default but can read and write both formats. Chef-11 clients can
read both formats.

Cheers,
Jay Feldblum

On Fri, Nov 15, 2013 at 12:58 PM, Guy Matz guymatz@gmail.com wrote:

The format of my encrypted data bag seems to have changed from
{
"abc": "Aizug0hk7OmzAk1feN8u5jxsDn8oYHfE8gOdga1EmpQ=\n",
}

to this:
"abc": {
"iv": "/2ZxMWiIVWJzpWRj+8uxJA==\n",
"cipher": "aes-256-cbc",
"version": 1,
"encrypted_data":
"0uKackLYg25J6Eoow5LhbkvOGEleT7XT/ueraSwnqB/obRDtASu1qOImuimm\n9MqF\n"
},

Anyone know what I might have done to my DB, or if an upgrade may have
made this change?

Thanks a lot!
Guy

3

There’s more info in the Chef 11.0 release notes: http://docs.opscode.com/release/11-4/release_notes.html#changes-for-data-bag-encryption

--
Daniel DeLeo

On Friday, November 15, 2013 at 1:03 PM, Jay Feldblum wrote:

Guy,

The former is the original format and the latter is the new format. Chef-11 knives that make new encrypted-data-bag-items will make them in the new format by default but can read and write both formats. Chef-11 clients can read both formats.

Cheers,
Jay Feldblum

On Fri, Nov 15, 2013 at 12:58 PM, Guy Matz <guymatz@gmail.com (mailto:guymatz@gmail.com)> wrote:

The format of my encrypted data bag seems to have changed from
{
"abc": "Aizug0hk7OmzAk1feN8u5jxsDn8oYHfE8gOdga1EmpQ=\n",
}

to this:
"abc": {
"iv": "/2ZxMWiIVWJzpWRj+8uxJA==\n",
"cipher": "aes-256-cbc",
"version": 1,
"encrypted_data": "0uKackLYg25J6Eoow5LhbkvOGEleT7XT/ueraSwnqB/obRDtASu1qOImuimm\n9MqF\n"
},

Anyone know what I might have done to my DB, or if an upgrade may have made this change?

Thanks a lot!
Guy

4

Thanks! You say Chef 11 will create D-Bags in the new format "by default"
. . . is there a way to get it to use the old format? knife data bag
edit|create --help does not indicate a way . . .

Thanks again!

On Fri, Nov 15, 2013 at 4:03 PM, Jay Feldblum yfeldblum@gmail.com wrote:

Guy,

The former is the original format and the latter is the new format.
Chef-11 knives that make new encrypted-data-bag-items will make them in the
new format by default but can read and write both formats. Chef-11 clients
can read both formats.

Cheers,
Jay Feldblum

On Fri, Nov 15, 2013 at 12:58 PM, Guy Matz guymatz@gmail.com wrote:

The format of my encrypted data bag seems to have changed from
{
"abc": "Aizug0hk7OmzAk1feN8u5jxsDn8oYHfE8gOdga1EmpQ=\n",
}

to this:
"abc": {
"iv": "/2ZxMWiIVWJzpWRj+8uxJA==\n",
"cipher": "aes-256-cbc",
"version": 1,
"encrypted_data":
"0uKackLYg25J6Eoow5LhbkvOGEleT7XT/ueraSwnqB/obRDtASu1qOImuimm\n9MqF\n"
},

Anyone know what I might have done to my DB, or if an upgrade may have
made this change?

Thanks a lot!
Guy

5

On Friday, November 15, 2013 at 1:12 PM, Guy Matz wrote:

Thanks! You say Chef 11 will create D-Bags in the new format "by default" . . . is there a way to get it to use the old format? knife data bag edit|create --help does not indicate a way . . .

Thanks again!
No, the old format is flawed so Chef 11 doesn’t support writing data bag items in that format. Are you having a particular issue with it?

--
Daniel DeLeo

6

Guy,

If all your nodes are using chef 10.18.x and up then you don't need to worry about the new format. If they are below that then you'll need to recreate your encrypted data bags using a chef 10.x knife.

-- Jay

On Nov 15, 2013, at 4:06 PM, Daniel DeLeo dan@kallistec.com wrote:

There’s more info in the Chef 11.0 release notes: http://docs.opscode.com/release/11-4/release_notes.html#changes-for-data-bag-encryption

--
Daniel DeLeo

On Friday, November 15, 2013 at 1:03 PM, Jay Feldblum wrote:

Guy,

The former is the original format and the latter is the new format. Chef-11 knives that make new encrypted-data-bag-items will make them in the new format by default but can read and write both formats. Chef-11 clients can read both formats.

Cheers,
Jay Feldblum

On Fri, Nov 15, 2013 at 12:58 PM, Guy Matz guymatz@gmail.com wrote:
The format of my encrypted data bag seems to have changed from
{
"abc": "Aizug0hk7OmzAk1feN8u5jxsDn8oYHfE8gOdga1EmpQ=\n",
}

to this:
"abc": {
"iv": "/2ZxMWiIVWJzpWRj+8uxJA==\n",
"cipher": "aes-256-cbc",
"version": 1,
"encrypted_data": "0uKackLYg25J6Eoow5LhbkvOGEleT7XT/ueraSwnqB/obRDtASu1qOImuimm\n9MqF\n"
},

Anyone know what I might have done to my DB, or if an upgrade may have made this change?

Thanks a lot!
Guy