Recovery of encrypted data bags


#1

Hi,

I am using chef open source server. I have a question about backups and
recovery.
All cookbooks, environments, roles and data bags are backed up as part of
the git repository.
My question is about encrypted data bags, that are backed up in their
encrypted form.

Is there a way to recover the real information (e.g. passwords) in case of
a failure of the chef server? (providing that I still have the secret file
used at encryption time.)

Sincerely


Dorian JAMINAIS
System Administrator
+33 6 95 10 95 37
http://perfect-memory.com

https://twitter.com/semanticbus
http://www.facebook.com/pages/Perfect-Memory/155555567821817


#2

Hi Dorian,

On 14/05/2013, at 8:03 PM, Dorian Jaminais dorian.jaminais@perfect-memory.com wrote:

Is there a way to recover the real information (e.g. passwords) in case of a failure of the chef server? (providing that I still have the secret file used at encryption time.)

Yes, absolutely. You can simply upload the encrypted data bags to a new chef server, and access them with the same secret file.

The Chef Server is not at all involved in the encryption/decryption of data bags. It merely stores the encrypted data you send it, and sends it back when requested, after which the client does the decryption.


Kevin Yank
Chief Technology Officer, Avalanche Technology Group / AVG Technologies AU Pty Ltd

2/101 Tulip Street, Sandringham Victoria 3191 Australia
ph: +61 3 9581 0806


#3

Thanks for your answer.

So there is no way of doing so without a chef-server?



Dorian JAMINAIS


#4

On Tuesday, May 14, 2013 at 6:10 AM, Dorian Jaminais wrote:

Thanks for your answer.

So there is no way of doing so without a chef-server?

Encrypted data bag items are just JSON data that follow a specified format for encrypting the values with a symmetric encryption algorithm (AES). There isn’t a hard dependency on the server (you can use encrypted data bag items with chef-solo, for example).

If you have the JSON data on disk, and have the secret used to encrypt them it’s certainly possible to recover the plain text. That said, there’s no tooling in knife for doing this. You’d need to write a ruby script using the encrypted data bag item class to decrypt the data. A knife exec script or knife plugin would be a pretty easy way to do it. If you want to avoid coding at all costs, you could probably write a cookbook for chef-solo to extract the data bags.

Of course, if you’ve lost the secret used to encrypt the data bags, the data within them is gone.


Daniel DeLeo
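The offline decryption Daniel describes, written out as an added example (not code from this thread or from Chef itself) in plain Ruby with only the OpenSSL standard library: it assumes the version 1 item layout Chef used at the time (aes-256-cbc, key = SHA-256 of the secret file contents, each value JSON-wrapped before encryption), and carries an encryptor only so it can build constructed sample items to decrypt.

```ruby
require "openssl"
require "base64"
require "json"

# Offline handling of Chef "version 1" encrypted data bag items, no server
# involved. Assumption: the layout Chef wrote in 2013 (aes-256-cbc, key =
# SHA-256 of the secret file contents, each value JSON-wrapped).
CIPHER = "aes-256-cbc".freeze

def data_bag_key(secret)
  OpenSSL::Digest::SHA256.digest(secret)
end

# Encrypt one value in version 1 form; here only to build constructed sample
# items (the Chef server never performs this step either).
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  iv = cipher.random_iv
  cipher.key = data_bag_key(secret)
  data = cipher.update({ "json_wrapper" => value }.to_json) + cipher.final
  { "encrypted_data" => Base64.encode64(data), "iv" => Base64.encode64(iv),
    "version" => 1, "cipher" => CIPHER }
end

# A wrong secret or a tampered item shows up as a padding or JSON error.
def decrypt_value(field, secret)
  raise "unsupported version #{field["version"]}" unless field["version"] == 1
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = data_bag_key(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  raise "decryption failed: wrong secret or corrupted item"
end

# "id" stays in clear text; every other field of the item is encrypted.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_value(v, secret) }
end

# Typical use on a git backup:
#   decrypt_item(JSON.parse(File.read(path)), File.read(secret_path).strip)
def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_value(v, secret) }
end
```

Version 1 has no integrity check of its own; later Chef releases added an HMAC (version 2) and AES-GCM (version 3), so a recovery script for a mixed backup should dispatch on each field's "version" value rather than assume one layout.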


#5

“A knife exec script or knife plugin would be a pretty easy way to do it.”

I will look into that.

Thank you for your input.



Dorian JAMINAIS