Create the data bag using the following command line:
$ knife data bag create api_keys
When data bag items are encrypted, use the --secret-file command line option to pass in
the shared key. Create the encrypted data bag item api_keys by using the payment.json file
that we just created, with the following:
$ knife data bag from file api_keys payment.json \
    --secret-file encrypted_data_bag_secret
Updated data_bag_item[api_keys::payment]
So is the data item encrypted on Chef Server? Let's see. Try using the knife data bag
show command, but don't pass the shared key:
$ knife data bag show api_keys payment
api_key:
  cipher:         aes-256-cbc
  encrypted_data: 25wUo0zKMqRAlMm3bGVch+0VAyL/IQj6/oi/K2CyYWWemP5akQo4pldal9SP
                  TjkFNmLH5mO8uWi9jn61UrvQdA==
  iv:             jU1uFntBuH8b1pwms09nkA==
  version:        1
id: payment
Looks encrypted, doesn't it? Our plain-text api_key does not appear anywhere in the output.
The only field still in plain text is id:. The id: field cannot be encrypted, because the
server uses it to index and look up the associated encrypted data.
NOTE
It's worth pointing out that you lose the ability to search for data within encrypted data
bags. A data bag can be searchable or secure, but not both at the same time.
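As an added illustration (this script is not from the book, nor is it Chef's own code), here is a small Ruby program that builds and reads back an item with the same layout as the knife output above: each value becomes a cipher/encrypted_data/iv/version structure, while id stays in plain text. It assumes the version 1 scheme as I understand it: AES-256-CBC with the key derived as SHA-256 of the shared secret file contents, a random IV per value, and the plaintext wrapped as {"json_wrapper": value} before encryption. SAMPLE_SECRET, the item fields and the helper names are all constructed for this example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for the contents of encrypted_data_bag_secret.
# knife strips surrounding whitespace from the secret file, so we do too.
SAMPLE_SECRET = "constructed-shared-secret-for-illustration-only\n"

CIPHER_NAME = 'aes-256-cbc'

# Encrypt one field. Key = SHA-256(secret) gives exactly the 32 bytes an
# AES-256 key needs; the IV is random per value and stored beside the data.
# The value is wrapped in {"json_wrapper": ...} so strings, numbers and
# hashes all round-trip through JSON unchanged.
def encrypt_field(secret, value)
  cipher = OpenSSL::Cipher.new(CIPHER_NAME)
  cipher.encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret.strip)
  iv = cipher.random_iv                 # generates and installs a fresh IV
  plaintext = JSON.generate('json_wrapper' => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    'cipher'         => CIPHER_NAME,
    # knife's output wraps long base64 across lines; strict encoding is
    # used here only to keep the hash compact. decode64 accepts either.
    'encrypted_data' => Base64.strict_encode64(ciphertext),
    'iv'             => Base64.strict_encode64(iv),
    'version'        => 1
  }
end

# Reverse of encrypt_field. Returns nil when the secret is wrong: the
# PKCS#7 padding check fails for almost every wrong key, and in the rare
# case it passes by chance the result is not the JSON wrapper we expect.
def decrypt_field(secret, enc)
  raise ArgumentError, "unsupported cipher #{enc['cipher']}" unless enc['cipher'] == CIPHER_NAME

  cipher = OpenSSL::Cipher.new(CIPHER_NAME)
  cipher.decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret.strip)
  cipher.iv = Base64.decode64(enc['iv'])
  plaintext = cipher.update(Base64.decode64(enc['encrypted_data'])) + cipher.final
  parsed = JSON.parse(plaintext)
  return nil unless parsed.is_a?(Hash) && parsed.key?('json_wrapper')
  parsed['json_wrapper']
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, EncodingError, ArgumentError
  nil
end

# Encrypt every field except id; id must stay plain so the server can
# index and look up the item by it.
def encrypt_item(secret, item)
  item.each_with_object({}) do |(key, value), out|
    out[key] = key == 'id' ? value : encrypt_field(secret, value)
  end
end

def decrypt_item(secret, encrypted_item)
  encrypted_item.each_with_object({}) do |(key, value), out|
    out[key] = key == 'id' ? value : decrypt_field(secret, value)
  end
end

# Names of the fields anyone reading the stored item can see in plain text.
def plaintext_fields(encrypted_item)
  encrypted_item.reject { |_, v| v.is_a?(Hash) && v.key?('encrypted_data') }.keys
end

if __FILE__ == $PROGRAM_NAME
  item = { 'id' => 'payment', 'api_key' => 'constructed-sample-api-key' }
  stored = encrypt_item(SAMPLE_SECRET, item)
  puts JSON.pretty_generate(stored)               # what the server holds
  p decrypt_item(SAMPLE_SECRET, stored)           # with the shared key
  p decrypt_item('some-other-secret', stored)     # api_key comes back nil
end
```

The plaintext_fields helper is the check worth keeping around: run it over what the server returns and the only name it should print is id, which is also why a search against encrypted item contents cannot match anything.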
To see the decrypted item data, pass the --secret-file parameter as follows, and the data
bag item is shown in plain text: