File format change after cookbook upload


Hello everyone,
We are running chef on centos 7, nodes are various of windows and centos 7.
While working on a centos recipe i noticed the following:
We are using encrypted data bags and use chef recipe to copy the secret key - it looks like the key that was uploaded through the cookbook is different then the original which causes issue with decryption.
Any idea what's going on? Why would cookbook upload break the formatting? The original file on my local repo is fine.


"The key that was uploaded". Did you use the encryption key to actually do the upload of that file?

There's also something quite incestuously dangerous about using chef to copy around the encryption. Since anyone on a local machine can manually select to run any chef cookbook with any options they care to pass to it, you may have just exposed your encryption key to anyone who can run chef on any client. Passing private keys around in chef requires real thought and real caution.


How would you recommend using encrypted data bags?
We didn't use the key to upload the file, we dropped it inside the cookbook and use cookbook file to copy it - but the problem is between my local repo and the chef server, not the chef server and the node.


Going to try chef vault which looks more secure and more robust then just encrypted data bags.


Got a follow up question regarding chef_vault.
We are trying to put values from the vault in a variable so we can use in a few times in the recipe but for some reason it doesn't like it.
We tried something like that:
include_recipe ‘chef-vault’
vault = chef_vault_item('credentials', 'database')
password = #{vault['password']}

We also tried adding single and/or double quotes around it which didn't work.

Using it without the variable work fine - vault['password']

Is it possible to do it the way we want?

include_recipe ‘chef-vault’
vault = chef_vault_item('credentials', 'database')
password = vault['password']

this should work... I removed the string interpolation bits from around vault['password'], see If it doesn't, make sure there is actually a key called 'password' in your vault and that the node you are running this on is in the list of clients for the vault.