Using multiple keys to read different encrypted databags on the same node

Bryan_Berry · November 2, 2011, 6:24pm

I have the use case where I have certain secrets that all my machines need
access to, say the password that our lousy backup software uses, and other
secrets that only certain machines need access to, such as the the username
and password that a GIS application uses to access the database.

I hacked together a little solution. Does anyone else find this useful?

It requires having the following value in your client.rb

encrypted_data_bag_secret_path “/some/path/”

encrypted_data_bag_item.rb

  def self.load_alt_key(data_bag, name, secret_file)

```
path = "data/#{data_bag}/#{name}"
```

raw_hash = Chef::DataBagItem.load(data_bag, name)

          if Chef::Config[:encrypted_data_bag_secret_path] and

secret_file

```
                  secret_file =
```

Chef::Config[:encrypted_data_bag_secret_path] + ‘/’ + secret_file

```
          else
```

                  raise ArgumentError, "Invalid secret_file or

encrypted_data_bag_secret_path"

```
          end
```
```
secret = self.load_secret(secret_file)
```
```
self.new(raw_hash, secret)
```
end

Topic		Replies	Views
Encrypted Data Bags - Multiple Secrets? Chef Infra (archive)	0	491	January 23, 2017
Suggested patch to chef to enable passing the data bag secret to a node, bypassing storage on the server Chef Infra (archive)	0	250	November 7, 2011
Encrypted Data Bags - Preemptive Key Retrieval Chef Infra (archive)	1	350	January 23, 2015
Using encrypted data bags in cookbooks? Chef Infra (archive)	9	318	January 22, 2015
Unable to decrypt data bag in default.rb Chef Infra (archive)	1	1416	April 22, 2016

Using multiple keys to read different encrypted databags on the same node

Related Topics