Knife vault create works, but getting Chef::EncryptedDataBagItem::DecryptionFailure

Chef Infra (archive)
1

Hello,

Would like to store & retrieve sensitive data in encrypted databags using chef vault option.

This is how I went about... am I forgetting something?

  1. I created the databags on my workstation
    knife vault create decd_vault ucdagent_TST '{"username":"userdecd", "password":"***"}' -S "role:prd_vra_ucdagent" -A "admin" -M client
    In Chef Manage, the databags are visible
    image
    item_keys contains the key for the server where I want to run my cookbook
    However, when I try knife vault show ucdagent_TST on workstation, I get data bag ucdagent_TST is not a chef-vault
  2. cookbook code to read the databag
    fqdn = node['fqdn'].downcase
    #decd_databag = Chef::DataBagItem.load("decd_vault","ucdagent_#{node['ucdagent']['env']}")
    decd_databag_keys = Chef::DataBagItem.load("decd_vault","ucdagent_#{node['ucdagent']['env']}_keys")
    key = decd_databag_keys[fqdn]
    decd_vault = Chef::EncryptedDataBagItem.load("decd_vault", "ucdagent_#{node['ucdagent']['env']}", key)
  3. Error on last line while running the cookbook
    Recipe Compile Error in C:/chef/cache/cookbooks/VRA_ucdagent/recipes/default.rb
    =================================================================
    Chef::EncryptedDataBagItem::DecryptionFailure
    =================================================================
    Error decrypting data bag value: ''. Most likely the provided key is incorrect.

Workstation chef version
ChefDK version: 4.3.13
Chef Infra Client version: 15.2.20
chef-client version on decrypting host
Chef: 12.12.13

Any help appreciated

2

Hi,

For 1: Vaults, like DataBags consist of Bags and Items, so the correct command would be knife vault show decd_vault ucdagent_TST

For 2 and 3: You are somehow mixing up encrypted DataBags and Vaults. Encrypted DataBags are simple DataBags where the items are symmetrically encrypted with a password or shared secret. That is why the error in 3 states that you need to provide this password/shred secret.
For using and decrypting a Vault in a cookbook its best to use the chef_vault_item helper in the chef-vault cookbook.

3

Thanks, this put me on the right track.
In fact I did mix up the encryption from one solution with the decryption of another one used within our organization...

To be complete, when using Knife vault to create your secrets,
use the chef_vault_item_helper in the chef-vault cookbook as described by Jörg,
or ad the chef-vault-x.y.z.gem to the files folder of the cookbook and use
chef_gem 'chef-vault' do
...source "#{Chef::Config[:file_cache_path]}\\cookbooks\\<current_cookbook_name>\\files\\#{node['<cookbook>']['<chef_vault_gem_binary_name>']}"
...action :install
...timeout 5
end
require 'chef-vault'
item = ChefVault::Item.load("<vault_name>", "<item_name>")