[chef] Re: Re: Re: Re: Recovery of encrypted data bags

[Dorian Jaminais < >]

"A `knife exec` script or knife plugin would be a pretty easy way to do it."

I will look into that

Thank you for your input

2013/5/14 Daniel DeLeo < " target="_blank"> >

On Tuesday, May 14, 2013 at 6:10 AM, Dorian Jaminais wrote:

Thanks for your answer.

So there is no way of doing so without a chef-server ?

Encrypted data bag items are just JSON data that follow a specified format for encrypting the values with a symmetric encryption algorithm (AES). There isn't a hard dependency on the server (you can use encrypted data bag items with chef-solo, for example).

If you have the JSON data on disk, and have the secret used to encrypt them it's certainly possible to recover the plain text. That said, there's no tooling in knife for doing this. You'd need to write a ruby script using the encrypted data bag item class to decrypt the data. A `knife exec` script or knife plugin would be a pretty easy way to do it. If you want to avoid coding at all costs, you could probably write a cookbook for chef-solo to extract the data bags.

Of course, if you've lost the secret used to encrypt the data bags, the data within them is gone.

-- 

Daniel DeLeo

--

Dorian JAMINAIS

System Administrator
+33 6 95 10 95 37