Chef – Creating encrypted data bags with Knife Solo

In order to use data bags with Chef Solo there is  a requirement to use the knife-solo_data_bag plugin maintained by Tommy Bishop which allows you to work withchef-solo and data bags. Once we have obtained the plugin, we will need to install the rubygem in our existing envrionment and configure the knife-solo plugin.

gem install knife-solo_data_bag

Once installed we can confirm we have a list of available knife solo command options available, as below:






In this example, the chef-solo repository is located on a Windows operating system, so we will create the knife-solo (~/.chef/knife.rb) configuration file and include the application (Notepad++) to be used as the knife editor when creating encrypted data bag items.

Finally, we will update our chef-solo configuration file with location of the data bag path to complete the configuration.

mkdir C:\chef-solo\.chef
mkdir C:\chef-solo\data_bags
echo "knife[:editor] = '"C:\Program Files (x86)\Notepad++\notepad++.exe" -nosession -multiInst'" > C:/chef-solo/.chef/knife.rb
echo data_bag_path   File.join(chefsolo, 'data_bags') >> C:\chef-solo\solo.rb

In order to create an encrypted data bag we need to generate a shared secret or a secret key, in this example I will generate a secret key using OpenSSL and output the content to a file (secret_key).

openssl rand -base64 512 | tr -d '\r\n' > secret_key

Now that we have our secret key we can now create an encrypted data bag, by invoking the following command to create the data bag ‘databag1’ with a item list of ‘databag1_passwords’.

knife solo data bag create databag1 databag1_passwords --secret-file secret_key -c C:\chef\.chef\knife.rb

The application to which you configured to be the knife editor will now generate and open a JSON file

 "id": "data_bag1_passwords"

We can now modify this file to include items we wish to store in the data bag, in my example a password value for both ‘service_account_1’ and ‘service_account_2’.

 "id": "data_bag1_passwords",
 "service_account_1": "ds879HBKJHBJH!*£",
 "service_account_2": "dasw87698KJBHB£*"

Once we have added the to list of items and saved the file, close your text editor to which the the knife-solo plugin should now return a success code similar to  ‘Created data_bag_item[data_bag1_passwords]’ to confirm the data bag item has been successful created.  Now lets check the content of the data bag item created in the chef-solo repository:

 "id": "data_bag1_passwords",
 "service_account_1": {
 "encrypted_data": "PCo7jiL8D4T+0EC5M1GvzqvNAIoVHtLF4i5M4VGtZjQYoV2KvFU6Qz3DgD1o\nvgug\n",
 "iv": "V8e9FY6EPlbMGSfBCkJgVQ==\n",
 "version": 1,
 "cipher": "aes-256-cbc"
 "service_account_2": {
 "encrypted_data": "Eh2NdqY/tPNbEBe+Du1LQmz8LTvGjj0zAv6aWYUp60RCOA7jkDb0NV7DgL84\nCSpY\n",
 "iv": "11PLeX4rvTyotGUgYQhYRA==\n",
 "version": 1,
 "cipher": "aes-256-cbc"

So once we have created the encrypted data bag how do we leverage this information, we can load the secret key and items using the Chef::EncryptedDataBagItem class and declare a variable for the item we require to use.

secret_key = Chef::EncryptedDataBagItem.load_secret("C:\chef-solo\_secret_key")
passwords = Chef::EncryptedDataBagItem.load('databag1', 'databag1_passwords', secret_key)
service_account_1_password = passwords['service_account_1']

All that now is required is to specify the variable in your attribute or recipie, as follows:





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s