[chef] Re: Re: Re: Recovery of encrypted data bags


  • From: Daniel DeLeo < >
  • To:
  • Subject: [chef] Re: Re: Re: Recovery of encrypted data bags
  • Date: Tue, 14 May 2013 08:20:36 -0700

On Tuesday, May 14, 2013 at 6:10 AM, Dorian Jaminais wrote:
> Thanks for your answer.
>
> So there is no way of doing so without a chef-server?

Encrypted data bag items are just JSON data that follow a specified format for encrypting the values with a symmetric encryption algorithm (AES). There isn't a hard dependency on the server (you can use encrypted data bag items with chef-solo, for example).

If you have the JSON data on disk, and have the secret used to encrypt them, it's certainly possible to recover the plain text. That said, there's no tooling in knife for doing this. You'd need to write a Ruby script using the encrypted data bag item class to decrypt the data. A `knife exec` script or knife plugin would be a pretty easy way to do it. If you want to avoid coding at all costs, you could probably write a cookbook for chef-solo to extract the data bags.

Of course, if you've lost the secret used to encrypt the data bags, the data within them is gone.

-- 
Daniel DeLeo
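The recovery Daniel describes, as an added stand-alone example (not code from the original thread or from Chef itself): it decrypts an item read as JSON from disk using only the shared secret, with no chef-server involved. It assumes the version-1 item layout as I know it from Chef's Version1Encryptor (per-field hash with base64 `encrypted_data`, base64 `iv`, `cipher` aes-256-cbc, `version` 1, key = SHA-256 of the secret, value wrapped as `{"json_wrapper": value}`); in practice `Chef::EncryptedDataBagItem` does this for you, and the sample item below is constructed in place.

```ruby
require 'openssl'
require 'digest'
require 'base64'
require 'json'

CIPHER = 'aes-256-cbc'

# Assumed version-1 layout (matches Chef's Version1Encryptor as I know it):
# each field except "id" holds base64 AES-256-CBC ciphertext of the JSON
# {"json_wrapper": value}, a base64 IV, the cipher name and the version.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  iv = cipher.random_iv
  cipher.key = Digest::SHA256.digest(secret)   # key is SHA-256 of the secret
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.encode64(data), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => CIPHER }
end

def decrypt_field(field, secret)
  raise "unsupported format version #{field['version']}" unless field['version'] == 1
  raise "unexpected cipher #{field['cipher']}" unless field['cipher'] == CIPHER
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.iv = Base64.decode64(field['iv'])
  cipher.key = Digest::SHA256.digest(secret)
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  # A wrong secret surfaces as a padding error or as garbage that is not JSON.
  raise ArgumentError, 'decryption failed: wrong secret or corrupt item'
end

# Decrypt a whole item as read from disk; the "id" field is stored in clear.
def decrypt_item(raw_item, secret)
  raw_item.each_with_object({}) do |(name, value), out|
    out[name] = name == 'id' ? value : decrypt_field(value, secret)
  end
end

def recover_from_json(json_text, secret)
  decrypt_item(JSON.parse(json_text), secret)
end

# Constructed sample item, serialized the way it would sit in a data bag file.
SECRET = 'constructed-example-secret'
ITEM_JSON = JSON.generate('id' => 'db_creds', 'password' => encrypt_field('s3cr3t', SECRET),
                          'ports' => encrypt_field([5432, 5433], SECRET))
```

For a real file, pass `File.read('item.json')` and the contents of your `encrypted_data_bag_secret` file (stripped of its trailing newline) to `recover_from_json`.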




