Chef – Encrypted Data-bags example

Create your encrypt/decrypt “key”

$ openssl rand -base64 512 > ~/.chef/encrypted_data_bag_secret

Create a new “data bag” named “mysecrets”

$ knife data bag create mysecrets

Create a new JSON item with the information that you want encrypted.

This item will be stored inside the “data bag” named “mysecrets”
It will be encrypted with the “key” you created earlier
We will store this item as “marioworld”

$ knife data bag create mysecrets marioworld --secret-file ~/.chef/encrypted_data_bag_secret
* This will open an editor where you add the item's fields to the JSON

{
  "id": "marioworld",
  "user": "luigi",
  "pass": "yahoo"
}
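To see what knife actually writes to the server when --secret-file is given, here is an added example (not code from the post or from Chef itself) that emulates the version 1 encrypted item format: every field except "id" is replaced by AES-256-CBC ciphertext under a key derived as SHA-256 of the secret file contents, with a fresh IV per field. SECRET and PLAIN_ITEM are constructed stand-ins, and the format details are my reading of version 1, so treat them as assumptions. Note that "id" stays in the clear on the server.

```ruby
require 'openssl'
require 'digest'
require 'json'
require 'base64'

# Constructed sample inputs: a stand-in for the secret file's contents and the
# plaintext item from the post (normally typed into the knife editor).
SECRET = "constructed-stand-in-for-encrypted_data_bag_secret"
PLAIN_ITEM = { "id" => "marioworld", "user" => "luigi", "pass" => "yahoo" }

# Key derivation as I understand the version 1 format: SHA-256 of the raw secret.
# Assumption for this example, not Chef's own code.
def data_bag_key(secret)
  Digest::SHA256.digest(secret)
end

# Encrypt one field. Each field gets its own random IV and the value is wrapped
# in {"json_wrapper": value} so that any JSON type round-trips.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = data_bag_key(secret)
  iv = cipher.random_iv
  ciphertext = cipher.update({ "json_wrapper" => value }.to_json) + cipher.final
  { "encrypted_data" => Base64.strict_encode64(ciphertext),
    "iv" => Base64.strict_encode64(iv),
    "version" => 1,
    "cipher" => "aes-256-cbc" }
end

# Reverse of encrypt_field; a wrong secret raises on padding or JSON parsing.
def decrypt_field(field, secret)
  raise "unsupported version #{field['version']}" unless field["version"] == 1
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = data_bag_key(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# The "id" field is left in plaintext; everything else is encrypted per field.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : encrypt_field(v, secret) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == "id" ? v : decrypt_field(v, secret) }
end
```

Running `decrypt_item(encrypt_item(PLAIN_ITEM, SECRET), SECRET)` returns the original hash; inspecting the encrypted hash shows only "id" readable.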

Now Create a simple recipe and template file that will utilize this encrypted “data bag”

Create the Recipe

$ knife cookbook create databag-test
$ cd ~/chef-repo/cookbooks/databag-test/recipes/
$ vi default.rb

# Cookbook Name:: databag-test
# Recipe:: default
# Copyright 2012, James Tran
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# See the License for the specific language governing permissions and
# limitations under the License.

# Path on the chef-client where a copy of your key is stored (see the scp step below)
secret = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")

# Decrypts the data bag item "mysecrets -> marioworld" using the key held in "secret"
luigi_keys = Chef::EncryptedDataBagItem.load("mysecrets", "marioworld", secret)

# Renders the decrypted values into /tmp/databag using templates/default/databag_test.erb
template "/tmp/databag" do
  source "databag_test.erb"
  owner "root"
  mode  "0644"
  variables(:mypass => luigi_keys['pass'],
            :myuser => luigi_keys['user'])
end

Create the Template

$ cd ~/chef-repo/cookbooks/databag-test/templates/default
$ vi databag_test.erb

Username: <%= @myuser %>
Password: <%= @mypass %>

Copy your “key” to the node

$ scp ~/.chef/encrypted_data_bag_secret root@somenode:/etc/chef/

Add the recipe to a node and run chef-client

$ knife node run_list add somenode "recipe[databag-test]"
$ knife ssh "name:somenode" -x root "chef-client"

Verify the contents of the new file created at /tmp/databag

$ knife ssh "name:somenode" -x root "cat /tmp/databag"

Username: luigi
Password: yahoo
