Restoring lost encrypted data bag item entries


#1

likely due to not having a YAML engine config in my knife.rb on one of my
systems, i think i caused some contents to drop out of one of my encrypted
data bags.

missing in knife.rb: YAML::ENGINE.yamler = ‘syck’ if RUBY_VERSION > ‘1.9’

[ops:master chef-repo]$ knife data bag show secrets --secret-file ~/.chef/encrypted_data_bag_secret -Fj db-item | grep X509
"FOO_X509_PRIVATEKEY": “”,
“FOO_X509_SERVERCERT”: “”,

i do have the data bag item contents committed to git in encrypted form:

[ops:master chef-repo]$ grep FOO data_bags/secrets/db-item.json
"FOO_X509_SERVERCERT": “redacted\n”,
“FOO_X509_PRIVATEKEY”: “redacted\n”,

how could i use ~/.chef/encrypted_data_bag_secret to decrypt the contents of
the file in git to restore the full data bag contents to the chef server?
i suspect there’s some openssl or gpg or library incantantion to do this.
i just don’t know what.

if can get the decrypted contents into a json file, i’d then restore using:

knife data bag from file --secret-file ~/.chef/encrypted_data_bag_secret secrets decrypted.json

thanks!
kallen


#2

On Friday, March 1, 2013 at 3:42 PM, kallen@groknaut.net wrote:

likely due to not having a YAML engine config in my knife.rb on one of my
systems, i think i caused some contents to drop out of one of my encrypted
data bags.

missing in knife.rb: YAML::ENGINE.yamler = ‘syck’ if RUBY_VERSION > ‘1.9’

[ops:master chef-repo]$ knife data bag show secrets --secret-file ~/.chef/encrypted_data_bag_secret -Fj db-item | grep X509
"FOO_X509_PRIVATEKEY": “”,
“FOO_X509_SERVERCERT”: “”,

i do have the data bag item contents committed to git in encrypted form:

[ops:master chef-repo]$ grep FOO data_bags/secrets/db-item.json
"FOO_X509_SERVERCERT": “redacted\n”,
“FOO_X509_PRIVATEKEY”: “redacted\n”,

how could i use ~/.chef/encrypted_data_bag_secret to decrypt the contents of
the file in git to restore the full data bag contents to the chef server?
i suspect there’s some openssl or gpg or library incantantion to do this.
i just don’t know what.

if can get the decrypted contents into a json file, i’d then restore using:

knife data bag from file --secret-file ~/.chef/encrypted_data_bag_secret secrets decrypted.json

thanks!
kallen

As long as no other corruption has happened, whatever ruby version/yaml engine was used to create them should be able to read them.

If you have chef-client 10.18+ on your servers and client 11.0+ for knife, you can use the new format that doesn’t have this problem.


Daniel DeLeo


#3

ah! i just upgraded my knife client (chef) on my local rvm install, it bumped
up to chef-11.4.0, and now i can see the data bag contents.

thanks

On Fri, 01 Mar 2013, Daniel DeLeo wrote:

On Friday, March 1, 2013 at 3:42 PM, kallen@groknaut.net wrote:

likely due to not having a YAML engine config in my knife.rb on one of my
systems, i think i caused some contents to drop out of one of my encrypted
data bags.

missing in knife.rb: YAML::ENGINE.yamler = ‘syck’ if RUBY_VERSION > ‘1.9’

[ops:master chef-repo]$ knife data bag show secrets --secret-file ~/.chef/encrypted_data_bag_secret -Fj db-item | grep X509
"FOO_X509_PRIVATEKEY": “”,
“FOO_X509_SERVERCERT”: “”,

i do have the data bag item contents committed to git in encrypted form:

[ops:master chef-repo]$ grep FOO data_bags/secrets/db-item.json
"FOO_X509_SERVERCERT": “redacted\n”,
“FOO_X509_PRIVATEKEY”: “redacted\n”,

how could i use ~/.chef/encrypted_data_bag_secret to decrypt the contents of
the file in git to restore the full data bag contents to the chef server?
i suspect there’s some openssl or gpg or library incantantion to do this.
i just don’t know what.

if can get the decrypted contents into a json file, i’d then restore using:

knife data bag from file --secret-file ~/.chef/encrypted_data_bag_secret secrets decrypted.json

thanks!
kallen

As long as no other corruption has happened, whatever ruby version/yaml engine was used to create them should be able to read them.

If you have chef-client 10.18+ on your servers and client 11.0+ for knife, you can use the new format that doesn’t have this problem.

any suggestion for what to do if i don’t have knife 11.0+? my clients and
servers are a mix of 10.x. my knife client on my workstation now is 10.16.

do you know if 11.0+ is installable via gem?


#4

On Friday, March 1, 2013 at 4:01 PM, kallen@groknaut.net wrote:

ah! i just upgraded my knife client (chef) on my local rvm install, it bumped
up to chef-11.4.0, and now i can see the data bag contents.

Just beware of this before you start uploading encrypted data bag items using Chef 11:

http://docs.opscode.com/breaking_changes_chef_11.html#changes-for-data-bag-encryption


Daniel DeLeo