Just inherited a Chef system (Hitchhikers & encrypted databags)


Just inherited a Chef system a previous admin slaved and toiled over for weeks I’m told. There is this really cool encrypted databag file in JSON format that looks kinda like this, any ideas on how to work backward and get this information so I can put it in a new/different access method?


{
  "user": {
    "encrypted_data": "lotsaScaryStuff=\n",
    "iv": "moreScaryStuff==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "password": {
    "encrypted_data": "WowCoolScaryStuff=\n",
    "iv": "LoveThisScaryStuffEverywhere==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}


Encrypted DataBags are symmetrically encrypted with a simple password. Usually this password is placed upon bootstrapping on the servers/nodes in a file somewhere. The cookbooks can show you where exactly…
If you have the password you can decrypt the data with knife data bag show --secret-file /tmp/my_data_bag_key passwords mysql [1]

[1] https://docs.chef.io/data_bags.html#decrypt
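To make the per-field layout in the question concrete (encrypted_data, iv, version 1, aes-256-cbc), here is an added Ruby round-trip example. It is not code from the thread or from Chef itself; it follows my understanding of Chef's version-1 encrypted data bag format (AES-256-CBC, key = SHA-256 of the stripped secret file contents, plaintext wrapped as {"json_wrapper": value}, IV and ciphertext Base64 with the trailing newline you see in the dump). The secret and item contents are constructed for the demo. In practice, once you have located the secret file on a node, knife as shown above is the supported way to decrypt; this only shows what each field means so you know what the secret file protects when planning a migration.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo secret. On a real node this is the contents of the file
# handed to `knife ... --secret-file`; Chef strips surrounding whitespace.
DEMO_SECRET = "demo-data-bag-secret-do-not-reuse".freeze

# Key derivation as I understand Chef's version-1 encryptor (assumption):
# the AES-256 key is simply SHA-256 of the raw secret string.
def v1_key(secret)
  OpenSSL::Digest.digest("SHA256", secret.strip)
end

# Encrypt one field value into the {encrypted_data, iv, version, cipher}
# hash that appears under each key of an encrypted data bag item.
def encrypt_v1_field(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = v1_key(secret)   # key must be set before the IV
  iv = cipher.random_iv         # random_iv also installs the IV on the cipher
  plaintext = JSON.generate("json_wrapper" => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    # Base64.encode64 wraps at 60 chars and ends with "\n", hence the "=\n" in dumps
    "encrypted_data" => Base64.encode64(ciphertext),
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => "aes-256-cbc",
  }
end

# Reverse of the above. A wrong secret normally surfaces as a CBC padding
# error in `final`; in the rare case padding happens to check out, the JSON
# parse or the missing json_wrapper key fails instead, so both are mapped to
# one error for the caller.
def decrypt_v1_field(field, secret)
  raise ArgumentError, "unsupported version #{field["version"]}" unless field["version"] == 1
  raise ArgumentError, "unexpected cipher #{field["cipher"]}" unless field["cipher"] == "aes-256-cbc"

  decipher = OpenSSL::Cipher.new("aes-256-cbc")
  decipher.decrypt
  decipher.key = v1_key(secret)
  decipher.iv = Base64.decode64(field["iv"])
  plaintext = decipher.update(Base64.decode64(field["encrypted_data"])) + decipher.final
  JSON.parse(plaintext).fetch("json_wrapper")
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, KeyError
  raise ArgumentError, "decryption failed: wrong secret or corrupted item"
end

# Chef leaves the "id" field in the clear and encrypts every other field.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : encrypt_v1_field(v, secret)
  end
end

def decrypt_item(encrypted, secret)
  encrypted.each_with_object({}) do |(k, v), out|
    out[k] = k == "id" ? v : decrypt_v1_field(v, secret)
  end
end

if $PROGRAM_NAME == __FILE__
  item = { "id" => "mysql", "user" => "dbadmin", "password" => "s3cret" }
  enc = encrypt_item(item, DEMO_SECRET)
  puts JSON.pretty_generate(enc)          # same shape as the item in the question
  p decrypt_item(enc, DEMO_SECRET) == item
end
```

The practical takeaway is that the whole item's confidentiality rests on that one secret file: anyone who can read it on a node can decrypt every field, so when you move the data to a new access method, treat the secret file itself as the credential to rotate and remove from the old nodes.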