[chef] Re: restoring lost encrypted data bag item entries

[Daniel DeLeo < >]

On Friday, March 1, 2013 at 3:42 PM, wrote:

likely due to not having a YAML engine config in my knife.rb on one of my

systems, i think i caused some contents to drop out of one of my encrypted

data bags.

missing in knife.rb: YAML::ENGINE.yamler = 'syck' if RUBY_VERSION > '1.9'

[ops:master chef-repo]$ knife data bag show secrets --secret-file ~/.chef/encrypted_data_bag_secret -Fj db-item | grep X509

"FOO_X509_PRIVATEKEY": "",

"FOO_X509_SERVERCERT": "",

i do have the data bag item contents committed to git in encrypted form:

[ops:master chef-repo]$ grep FOO data_bags/secrets/db-item.json

"FOO_X509_SERVERCERT": "redacted\n",

"FOO_X509_PRIVATEKEY": "redacted\n",

how could i use ~/.chef/encrypted_data_bag_secret to decrypt the contents of

the file in git to restore the full data bag contents to the chef server?

i suspect there's some openssl or gpg or library incantantion to do this.

i just don't know what.

if can get the decrypted contents into a json file, i'd then restore using:

knife data bag from file --secret-file ~/.chef/encrypted_data_bag_secret secrets decrypted.json

thanks!

kallen

As long as no other corruption has happened, whatever ruby version/yaml engine was used to create them should be able to read them.

If you have chef-client 10.18+ on your servers and client 11.0+ for knife, you can use the new format that doesn't have this problem.

-- 

Daniel DeLeo