Encrypted databag question


#1

Hi all -

In the example on the opscode wiki,
http://wiki.opscode.com/display/chef/Encrypted+Data+Bags there’s an example
on how to point to a non-standard place for your secret file:

mysql_creds = Chef::EncryptedDataBagItem.load("passwords", "mysql", secret)

I’m struggling a bit with the “secret” in the above statement. From what I
can tell, that can be a path (string) to the place where the secret file
is. But for the life of me, I can’t seem to get that to click. I keep
getting a “bad decrypt” stacktrace.

Is that supposed to be a path or the contents of the file?

Any suggestions?


#2

Yo,

You can put the secret anywhere.

The third argument is a string to the path of the file containing the key.

If you put your key in /etc/chef/encrypted_data_bag_secret, the
default value of Chef::Config[:encrypted_data_bag_secret], you can
omit the third argument.

Here is the code for loading the secret:
https://github.com/opscode/chef/blob/master/chef/lib/chef/encrypted_data_bag_item.rb#L105-127

HTH

–AJ

On 22 October 2011 09:52, Maven User maven.2.user@gmail.com wrote:



#3

Ok, that’s what I thought and have the path to the secret file like this:

passwords = Chef::EncryptedDataBagItem.load("prod", "passwords", "C:/chef/secret")

And the “secret” file is right in that location as specified above.

But I keep getting the following -

DEBUG: OpenSSL::Cipher::CipherError: bad decrypt

Is there something wrong with the key or with chef being unable to find the
key?

On Fri, Oct 21, 2011 at 5:00 PM, AJ Christensen aj@junglist.gen.nz wrote:



#4

Even in debug mode - it doesn’t say much more if I change the path to
"C:/asdfasdfasdf" or some other value that doesn’t exist.

On Fri, Oct 21, 2011 at 5:12 PM, Maven User maven.2.user@gmail.com wrote:



#5

Can you show me the stack trace?

–AJ

On 22 October 2011 10:13, Maven User maven.2.user@gmail.com wrote:



#6

[Fri, 21 Oct 2011 17:16:56 -0400] DEBUG: OpenSSL::Cipher::CipherError: bad decrypt
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/encrypted_data_bag_item.rb:136:in `final'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/encrypted_data_bag_item.rb:136:in `cipher'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/encrypted_data_bag_item.rb:102:in `decrypt_value'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/encrypted_data_bag_item.rb:63:in `[]'
c:/chef/cache/cookbooks/edb_demo/recipes/default.rb:13:in `from_file'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/cookbook_version.rb:578:in `load_recipe'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/mixin/language_include_recipe.rb:40:in `include_recipe'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/mixin/language_include_recipe.rb:27:in `each'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/mixin/language_include_recipe.rb:27:in `include_recipe'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/run_context.rb:72:in `load'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/run_context.rb:69:in `each'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/run_context.rb:69:in `load'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/client.rb:195:in `setup_run_context'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/client.rb:159:in `run'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/application/client.rb:239:in `run_application'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/application/client.rb:229:in `loop'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/application/client.rb:229:in `run_application'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/../lib/chef/application.rb:67:in `run'
C:/buildtools/Ruby187/lib/ruby/gems/1.8/gems/chef-0.10.4/bin/chef-client:26
C:/buildtools/Ruby187/bin/chef-client:19:in `load'
C:/buildtools/Ruby187/bin/chef-client:19
[Fri, 21 Oct 2011 17:16:56 -0400] FATAL: OpenSSL::Cipher::CipherError: bad decrypt

On Fri, Oct 21, 2011 at 5:15 PM, AJ Christensen aj@junglist.gen.nz wrote:



#7

Did you use the same secret to encrypt the databag? Something bogus going on.

Can you use knife show to see the contents properly?

–AJ

On 22 October 2011 10:18, Maven User maven.2.user@gmail.com wrote:



#8

I’m pretty sure that the 3rd argument is actually the encryption secret
itself (see slightly higher up,
https://github.com/opscode/chef/blob/master/chef/lib/chef/encrypted_data_bag_item.rb#L90-95
in the same file). If you want to use a file location other than the
default, I think you’re supposed to say so in your chef config:
http://wiki.opscode.com/display/chef/Chef+Configuration+Settings

-Matt Moretti

On Fri, Oct 21, 2011 at 5:00 PM, AJ Christensen aj@junglist.gen.nz wrote:



#9

Well, that worked, but I’m not sure I’m really jazzed by that solution.

I was able to update my client.rb file to point to the exact file the secret
was in and it worked.

But, what if different cookbooks have different secret files?

Either way, the secret file isn’t bad/borked…

So is there a way to set the default in the recipe or is it too late by
then?

On Fri, Oct 21, 2011 at 5:25 PM, Matthew Moretti werebus@gmail.com wrote:



#10

Well, I haven’t tried it (and I’m by no means an expert), but you could use
a combination of that 3rd option and file IO, I guess.

secret = IO.read("C:/chef/secret")
mysql_creds = Chef::EncryptedDataBagItem.load("passwords", "mysql", secret)

Something in the back of my mind says there’s a problem with what I’m
suggesting, but I can’t quite put my finger on it. I suspect that there
should be a way to use the Chef libraries to read the data in from a
cookbook file directly. Does anybody else have any thoughts?

-Matt

On Fri, Oct 21, 2011 at 5:36 PM, Maven User maven.2.user@gmail.com wrote:



#11

I was thinking more along the lines of something like:

Chef::Config[:encrypted_data_bag_secret] = "C:/chef/encrypted_data_bag_secret"

Is there no way to explicitly set the chef config objects/values from inside
a recipe?

If I do read in the contents of the file (like you suggest below) I get the
same bad decrypt error.

I tried several other options (like using a file object instead and passing
in the path result) and keep getting the same bad decrypt error.

On Fri, Oct 21, 2011 at 6:01 PM, Matthew Moretti werebus@gmail.com wrote:



#12

Ok, maybe this is again overkill, but I got it working like this:

secret = Chef::EncryptedDataBagItem.load_secret("C:/chef/encrypted_data_bag_secret")

passwords = Chef::EncryptedDataBagItem.load("prod", "passwords", secret)

That works just fine.

Thoughts? This seems pretty wonky…

On Fri, Oct 21, 2011 at 6:25 PM, Maven User maven.2.user@gmail.com wrote:



#13

Hi Maven User,

On Fri, Oct 21, 2011 at 4:01 PM, Maven User maven.2.user@gmail.com wrote:

Ok, maybe this is again overkill, but I got it working like this:

secret = Chef::EncryptedDataBagItem.load_secret("C:/chef/encrypted_data_bag_secret")

passwords = Chef::EncryptedDataBagItem.load("prod", "passwords", secret)

That works just fine.

Thoughts? This seems pretty wonky…

The current design is that EncryptedDataBagItem.load takes the
encryption secret itself, not a path to a file. If an encryption
secret is not specified, one is loaded via
Chef::Config[:encrypted_data_bag_secret].

The thinking was to keep the storage of the secret decoupled from the
function to load/decrypt. I can see that taking a path instead of the
secret might increase convenience. The downside is it would prevent
one from obtaining the secret in other ways.

The secret is sensitive to trailing new lines and other whitespace.
EncryptedDataBagItem.load_secret is doing two things for you: (1)
calling IO.read(path).strip which takes care of the trailing newline,
and (2) inspecting the specified path and loading data from a URL if
that is what was specified.

So Matthew’s suggestion to use IO.read just needed an extra .strip:

secret = IO.read("C:/chef/secret").strip

On Fri, Oct 21, 2011 at 5:36 PM, Maven User maven.2.user@gmail.com
wrote:

Well, that worked, but I’m not sure I’m really jazzed by that solution.

I was able to update my client.rb file to point to the exact file the
secret was in and it worked.

But, what if different cookbooks have different secret files?

I can imagine wanting to use more than one encrypted data bag item
each with its own secret on the same node. To achieve that with the
current code you will need to use two steps to load as you’ve done.

I think it would be better to keep cookbooks decoupled from secrets. A
recipe might require one or more encrypted data bag items, but ideally
the secret used is data driven so that dev, preprod, and prod can all
use the same cookbook with different shared secrets.

I’d be interested to hear more details on how you and others are using
encrypted data bag items with a focus on what the encryption is
protecting against.

  • seth


Seth Falcon | Development Lead | Opscode | @sfalcon
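As an added example (written for this page; it is not Chef's code and not code posted by anyone in the thread), the Ruby below reproduces the failure mode Seth describes in #13 and that Matt's plain IO.read suggestion in #10 runs into: the same value is decrypted with the exact secret, with the secret as read from a file that ends in a newline, and with the secret after .strip. The key derivation (SHA-256 of the secret), the ciphertext layout (random IV prepended, base64 via pack) and the local load_secret helper are assumptions of this example, not Chef 0.10's on-disk format or its Chef::EncryptedDataBagItem.load_secret (which also accepts a URL; that part is not reproduced here).

```ruby
# Added example, not Chef's own code: why a secret read with a trailing
# newline fails with OpenSSL::Cipher::CipherError ("bad decrypt") and why
# stripping it fixes the problem.
require 'openssl'
require 'tempfile'

ALGORITHM = 'aes-256-cbc'.freeze

# Assumption of this example: derive a 256-bit key from the secret string
# with SHA-256 (Chef's real derivation is not reproduced here).
def key_from_secret(secret)
  OpenSSL::Digest::SHA256.digest(secret)
end

# Encrypt one value and return base64(iv || ciphertext).
def encrypt_value(plaintext, secret)
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt
  cipher.key = key_from_secret(secret)
  iv = cipher.random_iv                 # fresh IV per value, stored with it
  data = cipher.update(plaintext) + cipher.final
  [iv + data].pack('m0')
end

# Decrypt one value. Returns [:ok, plaintext] or [:bad_decrypt, message]
# so callers see the same failure the thread reports instead of a crash.
def decrypt_value(blob, secret)
  raw = blob.unpack1('m0')
  iv, data = raw[0, 16], raw[16..-1]
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.decrypt
  cipher.key = key_from_secret(secret)
  cipher.iv = iv
  [:ok, (cipher.update(data) + cipher.final).force_encoding('UTF-8')]
rescue OpenSSL::Cipher::CipherError => e
  # A wrong key almost always corrupts the PKCS#7 padding, which OpenSSL
  # can only report as "bad decrypt", not as "wrong key".
  [:bad_decrypt, e.message]
end

# Stand-in for the file branch of Chef's load_secret: read the file and
# strip surrounding whitespace so an editor-added newline cannot change
# the key. Hypothetical helper, not Chef's method.
def load_secret(path)
  secret = File.read(path).strip
  raise ArgumentError, "empty secret in #{path}" if secret.empty?
  secret
end

# Reproduce the thread with a constructed secret file that ends in "\n".
def demo
  secret = 'correct-horse-battery-staple'
  blob = encrypt_value('db_password=s3cr3t', secret)

  Tempfile.create('encrypted_data_bag_secret') do |f|
    f.write(secret + "\n")
    f.flush
    {
      exact:       decrypt_value(blob, secret),
      raw_io_read: decrypt_value(blob, File.read(f.path)),   # "secret\n": wrong key
      load_secret: decrypt_value(blob, load_secret(f.path)), # stripped: works
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (status, value)| puts "#{name}: #{status} #{value.inspect}" }
end
```

Two points a practitioner should take from this. First, the error text is misleading by construction: in CBC mode with PKCS#7 padding, OpenSSL has no way to tell a wrong key from corrupted data, so it reports whatever the padding check says, and roughly one wrong key in 256 will even pass the padding check and hand back garbage instead of raising. An authenticated mode rejects every wrong key deterministically, which is why newer encrypted data bag formats moved to one. Second, as Seth notes, the secret is the bytes you pass, so any whitespace difference between the encrypting side (knife) and the decrypting side (the node) is a different key; stripping at the single place the secret is loaded is the cheapest fix.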


#14

Awesome - thanks for the reply.

Might I suggest adding this information to the various wiki pages? I’m sure
someone else will fall into this as well.

It really reads that the third argument can either be the contents of the
secret OR the path to the secret file.

Maybe I misread the actual method as well as it seemed to do different
things depending on if it was passed a path or not.

What we’re doing is hiding staging and production passwords (only) and I’ll
likely put in a fork that makes sure that if the env is NOT prod or stage,
then get the passwords (likely from another databag or from the environment
definition).

On Sun, Oct 23, 2011 at 11:46 AM, Seth Falcon seth@opscode.com wrote:
