Just inherited a Chef system (Hitchhikers & encrypted databags)

bithead008 · November 10, 2017, 9:44pm

Just inherited a Chef system a previous admin slaved and toiled over for weeks I’m told. There is this really cool encrypted databag file in JSON format that looks kinda like this, any ideas on how to work backward and get this information so I can put it in a new/different access method?

Thanks,
CJ

“user”: {
“encrypted_data”: “lotsaScaryStuff=\n”,
“iv”: “moreScaryStuff==\n”,
“version”: 1,
“cipher”: “aes-256-cbc”
},
“password”: {
“encrypted_data”: “WowCoolScaryStuff=\n”,
“iv”: “LoveThisScaryStuffEverywhere==\n”,
“version”: 1,
“cipher”: “aes-256-cbc”
}

joerg.herzinger · November 13, 2017, 8:52am

Encrypted DataBags are symetrically encrypted with a simple password. Usually this password is placed upon bootstrapping on the servers/nodes in a file somewhere. The cookbooks can show you where exatly…
If you have the password you can decrypt the data with knife data bag show --secret-file /tmp/my_data_bag_key passwords mysql [1]

[1] https://docs.chef.io/data_bags.html#decrypt

Topic		Replies	Views
Databag Encryption Chef Infra (archive)	6	513	July 11, 2018
Suggested patch to chef to enable passing the data bag secret to a node, bypassing storage on the server Chef Infra (archive)	0	300	November 7, 2011
Using encrypted data bags in cookbooks? Chef Infra (archive)	9	353	January 22, 2015
Is it possible to perform compound searches of encrypted data bags? Chef Infra (archive)	1	304	November 15, 2013
[SOLVED] Encrypted data bag in recipe key not found Chef Infra (archive)	2	1037	January 5, 2018

Just inherited a Chef system (Hitchhikers & encrypted databags)

Related topics