likely due to not having a YAML engine config in my knife.rb on one of my
systems, i think i caused some contents to drop out of one of my encrypted
data bags.
missing in knife.rb: YAML::ENGINE.yamler = 'syck' if RUBY_VERSION > '1.9'
[ops:master chef-repo]$ knife data bag show secrets --secret-file ~/.chef/encrypted_data_bag_secret -Fj db-item | grep X509
"FOO_X509_PRIVATEKEY": "",
"FOO_X509_SERVERCERT": "",
i do have the data bag item contents committed to git in encrypted form:
how could i use ~/.chef/encrypted_data_bag_secret to decrypt the contents of
the file in git to restore the full data bag contents to the chef server?
i suspect there's some openssl or gpg or library incantation to do this.
i just don't know what.
if i can get the decrypted contents into a json file, i'd then restore using:
knife data bag from file --secret-file ~/.chef/encrypted_data_bag_secret secrets decrypted.json
thanks!
kallen
As long as no other corruption has happened, whatever ruby version/yaml engine was used to create them should be able to read them.
If you have chef-client 10.18+ on your servers and client 11.0+ for knife, you can use the new format that doesn't have this problem.
any suggestion for what to do if i don't have knife 11.0+? my clients and
servers are a mix of 10.x. my knife client on my workstation now is 10.16.
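The decryption asked about in the first message can be done with Ruby's OpenSSL bindings alone. This is an added example, not code from the thread or from Chef itself; it assumes the Chef 10.x "version 0" item layout (each value except "id" is Base64 of AES-256-CBC over the value's YAML, key and IV derived with pkcs5_keyivgen from the secret), and the function names and sample data are hypothetical.

```ruby
require 'openssl'
require 'base64'
require 'yaml'
require 'json'

# Assumption: Chef 10.x "version 0" items, where every value except "id" is
# Base64(AES-256-CBC(value.to_yaml)) and key/IV come from pkcs5_keyivgen(secret).
def v0_cipher(direction, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  direction == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.pkcs5_keyivgen(secret) # key and IV are both derived from the shared secret
  cipher
end

# Returns the plaintext YAML document for one encrypted value, before any parsing.
def decrypt_v0_yaml(b64_value, secret)
  cipher = v0_cipher(:decrypt, secret)
  (cipher.update(Base64.decode64(b64_value)) + cipher.final).force_encoding('UTF-8')
end

# Decrypts a whole item hash (as parsed from the JSON file kept in git).
# A wrong secret or damaged ciphertext usually raises OpenSSL::Cipher::CipherError.
def decrypt_v0_item(item, secret)
  item.each_with_object({}) do |(name, value), plain|
    plain[name] = name == 'id' ? value : YAML.safe_load(decrypt_v0_yaml(value, secret))
  end
end

# Only used to build the constructed sample below.
def encrypt_v0_value(value, secret)
  cipher = v0_cipher(:encrypt, secret)
  Base64.encode64(cipher.update(value.to_yaml) + cipher.final)
end

# Constructed sample: placeholder secret and value, not real key material.
SAMPLE_SECRET = 'constructed-sample-secret'
SAMPLE_PEM = "-----BEGIN PLACEHOLDER-----\nAAAA\n-----END PLACEHOLDER-----\n"
SAMPLE_ITEM = {
  'id' => 'db-item',
  'FOO_X509_PRIVATEKEY' => encrypt_v0_value(SAMPLE_PEM, SAMPLE_SECRET)
}

if __FILE__ == $PROGRAM_NAME
  # Real use (file names are assumptions): secret = File.read(secret_path).strip
  puts JSON.pretty_generate(decrypt_v0_item(SAMPLE_ITEM, SAMPLE_SECRET))
end
```

decrypt_v0_yaml returns the raw YAML text, so a value written by a different YAML engine can be inspected before it is parsed. The JSON output holds plaintext private keys and should be removed once the item has been re-uploaded.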