Chef Decryption of Data Bags and Retrieval of Key

Published 2019-08-14 01:03

I am using an encrypted data bag to encrypt an ssh key and decrypt it via Chef. The data bag had an id of pwind_ssh_rsa_pub_cred, but what I really want is the unencrypted data for the ssh key. I want to then take the key and append it to a file, but the code that I have currently is running into some issues. With static values, the below code works. Additionally, I am a bit confused as to what the type of "decrypted_ssh" is.

ruby_block "obtainCredentials" do
    block do
        hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key")
        decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key)
        Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
        command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'"
        shell(command)
    end
end

What modifications should be done to get this ssh key decrypted and out of the encrypted data bag? Any suggestions would be much appreciated!

1 answer
放荡不羁爱自由
#2 · 2019-08-14 01:39

You need to select an element from the decrypted databag item.

Complete example:

Create key and databag item:

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Content:

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

Verify:

$ knife data bag show mydatabag secretstuff -z
WARNING: Encrypted data bag detected, but no secret provided for decoding.  Displaying encrypted data.
firstsecret:
  cipher:         aes-256-cbc
  encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0
  qvhn

  iv:             MhG09xFcwFAqX/IA3BusMg==

  version:        1
id:           secretstuff
secondsecret:
  cipher:         aes-256-cbc
  encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI
  UJ2J

  iv:             66AcYpoF4xw/rnYfPegPLw==

  version:        1

cookbooks/test/recipes/test.rb

decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret'))
log "firstsecret: #{decrypted['firstsecret']}"
log "secondsecret: #{decrypted['secondsecret']}"

Execute recipe

# chef-client -z -o 'recipe[test::test]'
...
Recipe: test::test
  * log[firstsecret: must remain secret] action write

  * log[secondsecret: also very secret] action write
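To make concrete what the decrypted item in the answer above actually is, and how one field is pulled out of it, here is an added Ruby example that is not part of the original answer and is not Chef's own code. It re-implements the version-1 encrypted data bag layout (the `cipher`, `encrypted_data`, `iv` and `version` fields visible in the knife output) with a constructed secret, decrypts the item back into a plain Hash, and appends one selected field to an authorized_keys file directly rather than interpolating the whole item into a shell `echo`. The secret, item id, field names and key text are all constructed for the example; the format details are an assumption based on Chef's Version1 encryptor and are re-implemented here, not imported from Chef.

```ruby
require 'openssl'
require 'json'
require 'digest'
require 'tmpdir'

# Constructed sample secret; in a real run this is the contents of the
# secret file (/tmp/encrypted_data_bag_secret in the answer above).
SAMPLE_SECRET = 'constructed-example-secret-not-a-real-key'.freeze

# Encrypt one field the way a version-1 Chef encrypted data bag stores it
# (assumption: AES-256-CBC, key = SHA-256 of the shared secret, random IV,
# plaintext JSON-wrapped as {"json_wrapper": value} before encryption).
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv                      # generates and installs a fresh IV
  plaintext = JSON.generate('json_wrapper' => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    'cipher'         => 'aes-256-cbc',
    'encrypted_data' => [ciphertext].pack('m'),  # base64 in 60-char lines, as knife shows
    'iv'             => [iv].pack('m'),
    'version'        => 1
  }
end

# Inverse of encrypt_field: returns the original value of one field.
# A wrong secret surfaces as OpenSSL::Cipher::CipherError from #final.
def decrypt_field(field, secret)
  raise ArgumentError, "unsupported version #{field['version']}" unless field['version'] == 1
  decipher = OpenSSL::Cipher.new(field['cipher'])
  decipher.decrypt
  decipher.key = Digest::SHA256.digest(secret)
  decipher.iv = field['iv'].unpack1('m')
  plaintext = decipher.update(field['encrypted_data'].unpack1('m')) + decipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
end

# Every key except "id" is encrypted separately, which is why the knife
# output shows id in the clear next to the encrypted fields.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : encrypt_field(v, secret)
  end
end

# Decrypt a whole item into a plain Hash of field name => value. This is the
# shape the recipe's data_bag_item(...) call hands back, so a single field is
# selected with decrypted['fieldname'] rather than by printing the whole item.
def decrypt_item(encrypted, secret)
  encrypted.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : decrypt_field(v, secret)
  end
end

# Append exactly one public key line to an authorized_keys file, creating it
# owner-readable only. Returns false (and writes nothing) if it is already there.
def append_authorized_key(path, pubkey)
  line = pubkey.strip
  existing = File.exist?(path) ? File.readlines(path, chomp: true) : []
  return false if existing.include?(line)
  File.open(path, 'a', 0o600) { |f| f.puts(line) }
  true
end

if $PROGRAM_NAME == __FILE__
  # Constructed item: one public key field alongside the clear-text id.
  item = { 'id' => 'example_ssh_item', 'ssh_pub' => 'ssh-rsa AAAAB3constructed user@example' }
  encrypted = encrypt_item(item, SAMPLE_SECRET)
  puts "stored form of ssh_pub: #{encrypted['ssh_pub'].inspect}"
  decrypted = decrypt_item(encrypted, SAMPLE_SECRET)
  puts "decrypted item is a #{decrypted.class}: #{decrypted.inspect}"
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'authorized_keys')
    append_authorized_key(path, decrypted['ssh_pub'])
    puts "authorized_keys now contains: #{File.read(path)}"
  end
end
```

In a recipe the equivalent of `decrypt_item` is the `data_bag_item('bag', 'item', secret)` call from the answer, and the single field is `decrypted['ssh_pub']`; writing that string to the file from Ruby (or a `file` resource) keeps the key material out of a shell command line.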