Using encrypted data bags in cookbooks?


#1

Client: v12.0.3
Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I run my cookbooks in my nodes. This means that I’ll need to decrypt my data bag, which in turn means I’ll need the key. One solution I’ve been reading is to copy the key file in the node’s /etc/chef/* directory during the bootstrap process. I read this http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris


#2

Are you using a custom bootstrap template? Check your template to ensure that your template includes the encrypted_data_bag_secret logic https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3
Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I run my cookbooks in my nodes. This means that I’ll need to decrypt my data bag, which in turn means I’ll need the key. One solution I’ve been reading is to copy the key file in the node’s /etc/chef/* directory during the bootstrap process. I read this http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris


#3

No, using default bootstrap template (chef-full)

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to ensure that your template includes the encrypted_data_bag_secret logic https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I run my cookbooks in my nodes. This means that I’ll need to decrypt my data bag, which in turn means I’ll need the key. One solution I’ve been reading is to copy the key file in the node’s /etc/chef/* directory during the bootstrap process. I read this http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris


#4

I have this in my knife.rb file

…….
validation_key "#{current_dir}/validator.pem"
encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”
…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are in <some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to ensure that your template includes the encrypted_data_bag_secret logic https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I run my cookbooks in my nodes. This means that I’ll need to decrypt my data bag, which in turn means I’ll need the key. One solution I’ve been reading is to copy the key file in the node’s /etc/chef/* directory during the bootstrap process. I read this http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris


#5

You need to scp the file to your node at /etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris Chris.Fouts@sensus.com
wrote:

I have this in my knife.rb file

…….

validation_key “#{current_dir}/validator.pem”

encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are in
<some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to ensure
that your template includes the encrypted_data_bag_secret logic
https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when
I run my cookbooks in my nodes. This means that I’ll need to decrypt my
data bag, which in turn means I’ll need the key. One solution I’ve been
reading is to copy the key file in the node’s /etc/chef/* directory during
the bootstrap process. I read this
http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which
shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I
don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris


– Tiago Cruz


#6

Thanks, but I was under the impression that the bootstrap (even the default template) will do this for me, using the same process it does to copy the validator.pem locally to the node. I see this in the chef-full.erb file

<% if encrypted_data_bag_secret -%>
cat > /etc/chef/encrypted_data_bag_secret <<‘EOP’
<%= encrypted_data_bag_secret %>
EOP
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>

Chris
From: Tiago Cruz [mailto:tiago.tuxkiller@gmail.com]
Sent: Wednesday, January 21, 2015 3:27 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?

You need to scp the file to your node at /etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris <Chris.Fouts@sensus.commailto:Chris.Fouts@sensus.com> wrote:
I have this in my knife.rb file

…….
validation_key "#{current_dir}/validator.pem"
encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”
…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are in <some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.commailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to ensure that your template includes the encrypted_data_bag_secret logic https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I run my cookbooks in my nodes. This means that I’ll need to decrypt my data bag, which in turn means I’ll need the key. One solution I’ve been reading is to copy the key file in the node’s /etc/chef/* directory during the bootstrap process. I read this http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris


– Tiago Cruz


#7

It looks like your knife config is wrong. Can you puts the value of
the encrypted_data_bag_secret after setting it? does that path expand
properly?

“#{home_dir}/.chef/encrypted_data_bag_secret”

do you have a local variable called “home_dir” in your knife.rb ? this
ruby string expansion relies on it. if nil, the path is probably
borked.

chuck puts encrypted_data_bag_secret in you config and see what it reckons

cheers,

–aj

On Thu, Jan 22, 2015 at 10:26 AM, Fouts, Chris Chris.Fouts@sensus.com wrote:

Thanks, but I was under the impression that the bootstrap (even the default
template) will do this for me, using the same process it does to copy the
validator.pem locally to the node. I see this in the chef-full.erb file

<% if encrypted_data_bag_secret -%>

cat > /etc/chef/encrypted_data_bag_secret <<‘EOP’

<%= encrypted_data_bag_secret %>

EOP

chmod 0600 /etc/chef/encrypted_data_bag_secret

<% end -%>

Chris

From: Tiago Cruz [mailto:tiago.tuxkiller@gmail.com]
Sent: Wednesday, January 21, 2015 3:27 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?

You need to scp the file to your node at /etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris Chris.Fouts@sensus.com
wrote:

I have this in my knife.rb file

…….

validation_key “#{current_dir}/validator.pem”

encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are in
<some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to ensure
that your template includes the encrypted_data_bag_secret logic
https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/chef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them when I
run my cookbooks in my nodes. This means that I’ll need to decrypt my data
bag, which in turn means I’ll need the key. One solution I’ve been reading
is to copy the key file in the node’s /etc/chef/* directory during the
bootstrap process. I read this
http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which shows
adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node. However, I
don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris

– Tiago Cruz


#8

Like I said, I have this in my knife.rb file.
…….
validation_key "#{current_dir}/validator.pem"
encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

My knife.rb, validator.pem, encrypted_data_bag_secret, are all on my <some_dir>/.chef directory. If it works for the validation_key property, why not the encrypted_data_bag_secret property? I did a puts and, you’re correct, it’s not expanding the <%= encrypted_data_bag_secret %>, but why?

Chris

-----Original Message-----
From: AJ Christensen [mailto:aj@junglistheavy.industries]
Sent: Wednesday, January 21, 2015 5:28 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?

It looks like your knife config is wrong. Can you puts the value of the encrypted_data_bag_secret after setting it? does that path expand properly?

“#{home_dir}/.chef/encrypted_data_bag_secret”

do you have a local variable called “home_dir” in your knife.rb ? this ruby string expansion relies on it. if nil, the path is probably borked.

chuck puts encrypted_data_bag_secret in you config and see what it reckons

cheers,

–aj

On Thu, Jan 22, 2015 at 10:26 AM, Fouts, Chris Chris.Fouts@sensus.com wrote:

Thanks, but I was under the impression that the bootstrap (even the
default
template) will do this for me, using the same process it does to copy
the validator.pem locally to the node. I see this in the chef-full.erb
file

<% if encrypted_data_bag_secret -%>

cat > /etc/chef/encrypted_data_bag_secret <<‘EOP’

<%= encrypted_data_bag_secret %>

EOP

chmod 0600 /etc/chef/encrypted_data_bag_secret

<% end -%>

Chris

From: Tiago Cruz [mailto:tiago.tuxkiller@gmail.com]
Sent: Wednesday, January 21, 2015 3:27 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?

You need to scp the file to your node at
/etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris Chris.Fouts@sensus.com
wrote:

I have this in my knife.rb file

…….

validation_key “#{current_dir}/validator.pem”

encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are
in <some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to
ensure that your template includes the encrypted_data_bag_secret logic
https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/c
hef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them
when I run my cookbooks in my nodes. This means that I’ll need to
decrypt my data bag, which in turn means I’ll need the key. One
solution I’ve been reading is to copy the key file in the node’s
/etc/chef/* directory during the bootstrap process. I read this
http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which
shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node.
However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris

– Tiago Cruz


#9

My knife.rb says:
knife[:secret_file] = "#{current_dir}/encrypted_data_bag_secret"
Try that.

On Thu, Jan 22, 2015 at 2:55 PM, Fouts, Chris Chris.Fouts@sensus.com
wrote:

Like I said, I have this in my knife.rb file.
…….
validation_key "#{current_dir}/validator.pem"
encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

My knife.rb, validator.pem, encrypted_data_bag_secret, are all on my
<some_dir>/.chef directory. If it works for the validation_key property,
why not the encrypted_data_bag_secret property? I did a puts and, you’re
correct, it’s not expanding the <%= encrypted_data_bag_secret %>, but why?

Chris

-----Original Message-----
From: AJ Christensen [mailto:aj@junglistheavy.industries]
Sent: Wednesday, January 21, 2015 5:28 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?

It looks like your knife config is wrong. Can you puts the value of the
encrypted_data_bag_secret after setting it? does that path expand properly?

“#{home_dir}/.chef/encrypted_data_bag_secret”

do you have a local variable called “home_dir” in your knife.rb ? this
ruby string expansion relies on it. if nil, the path is probably borked.

chuck puts encrypted_data_bag_secret in you config and see what it
reckons

cheers,

–aj

On Thu, Jan 22, 2015 at 10:26 AM, Fouts, Chris Chris.Fouts@sensus.com
wrote:

Thanks, but I was under the impression that the bootstrap (even the
default
template) will do this for me, using the same process it does to copy
the validator.pem locally to the node. I see this in the chef-full.erb
file

<% if encrypted_data_bag_secret -%>

cat > /etc/chef/encrypted_data_bag_secret <<‘EOP’

<%= encrypted_data_bag_secret %>

EOP

chmod 0600 /etc/chef/encrypted_data_bag_secret

<% end -%>

Chris

From: Tiago Cruz [mailto:tiago.tuxkiller@gmail.com]
Sent: Wednesday, January 21, 2015 3:27 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?

You need to scp the file to your node at
/etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris Chris.Fouts@sensus.com
wrote:

I have this in my knife.rb file

…….

validation_key “#{current_dir}/validator.pem”

encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are
in <some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to
ensure that your template includes the encrypted_data_bag_secret logic
https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/c
hef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them
when I run my cookbooks in my nodes. This means that I’ll need to
decrypt my data bag, which in turn means I’ll need the key. One
solution I’ve been reading is to copy the key file in the node’s
/etc/chef/* directory during the bootstrap process. I read this
http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which
shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node.
However, I don’t see /etc/chef/encrypted_data_bag file in the
boostrapped node.

What am I missing?

Chris

– Tiago Cruz


#10

Thanks you, that work!

Chris

From: Fabien Delpierre [mailto:fabien.delpierre@gmail.com]
Sent: Thursday, January 22, 2015 3:07 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?

My knife.rb says:
knife[:secret_file] = "#{current_dir}/encrypted_data_bag_secret"
Try that.

On Thu, Jan 22, 2015 at 2:55 PM, Fouts, Chris <Chris.Fouts@sensus.commailto:Chris.Fouts@sensus.com> wrote:
Like I said, I have this in my knife.rb file.
…….
validation_key "#{current_dir}/validator.pem"
encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

My knife.rb, validator.pem, encrypted_data_bag_secret, are all on my <some_dir>/.chef directory. If it works for the validation_key property, why not the encrypted_data_bag_secret property? I did a puts and, you’re correct, it’s not expanding the <%= encrypted_data_bag_secret %>, but why?

Chris

-----Original Message-----
From: AJ Christensen [mailto:aj@junglistheavy.industriesmailto:aj@junglistheavy.industries]
Sent: Wednesday, January 21, 2015 5:28 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Re: RE: Re: RE: Re: Using encrypted data bags in cookbooks?

It looks like your knife config is wrong. Can you puts the value of the encrypted_data_bag_secret after setting it? does that path expand properly?

“#{home_dir}/.chef/encrypted_data_bag_secret”

do you have a local variable called “home_dir” in your knife.rb ? this ruby string expansion relies on it. if nil, the path is probably borked.

chuck puts encrypted_data_bag_secret in you config and see what it reckons

cheers,

–aj

On Thu, Jan 22, 2015 at 10:26 AM, Fouts, Chris <Chris.Fouts@sensus.commailto:Chris.Fouts@sensus.com> wrote:

Thanks, but I was under the impression that the bootstrap (even the
default
template) will do this for me, using the same process it does to copy
the validator.pem locally to the node. I see this in the chef-full.erb
file

<% if encrypted_data_bag_secret -%>

cat > /etc/chef/encrypted_data_bag_secret <<‘EOP’

<%= encrypted_data_bag_secret %>

EOP

chmod 0600 /etc/chef/encrypted_data_bag_secret

<% end -%>

Chris

From: Tiago Cruz [mailto:tiago.tuxkiller@gmail.commailto:tiago.tuxkiller@gmail.com]
Sent: Wednesday, January 21, 2015 3:27 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Re: RE: Re: Using encrypted data bags in cookbooks?

You need to scp the file to your node at
/etc/chef/encrypted_data_bag_secret

On Wed, Jan 21, 2015 at 6:09 PM, Fouts, Chris <Chris.Fouts@sensus.commailto:Chris.Fouts@sensus.com>
wrote:

I have this in my knife.rb file

…….

validation_key “#{current_dir}/validator.pem”

encrypted_data_bag_secret “#{current_dir}/encrypted_data_bag_secret”

…….

The knife.rb, validator.pem, and encrypted_data_bag_secret files are
in <some_path>/.chef directory.

Chris

From: Daniel Condomitti [mailto:daniel@condomitti.commailto:daniel@condomitti.com]
Sent: Wednesday, January 21, 2015 2:45 PM
To: chef@lists.opscode.commailto:chef@lists.opscode.com
Subject: [chef] Re: Using encrypted data bags in cookbooks?

Are you using a custom bootstrap template? Check your template to
ensure that your template includes the encrypted_data_bag_secret logic
https://github.com/opscode/chef/blob/master/lib/chef/knife/bootstrap/c
hef-full.erb#L46

Is the correct path being used in your knife config?

On Wednesday, January 21, 2015 at 2:38 PM, Fouts, Chris wrote:

Client: v12.0.3

Server: Chef 12 Enterprise

I’m encrypting my data bags, but now of course would want to use them
when I run my cookbooks in my nodes. This means that I’ll need to
decrypt my data bag, which in turn means I’ll need the key. One
solution I’ve been reading is to copy the key file in the node’s
/etc/chef/* directory during the bootstrap process. I read this
http://lists.opscode.com/sympa/arc/chef/2013-04/msg00142.html, which
shows adding this line in the knife.rb file

encrypted_data_bag_secret “#{home_dir}/.chef/encrypted_data_bag_secret”

…which will then automagically copy the file over to the node.
However, I don’t see /etc/chef/encrypted_data_bag file in the boostrapped node.

What am I missing?

Chris

– Tiago Cruz