$ knife vault create passwords mysql_root \
    --json data_bags/passwords/mysql_root.json --search "*:*" \
    --admins "admin" --mode client
You must specify users or nodes that have valid client keys using the --search and --admins parameters. We have to use both in this example because we didn't set up the admin user to have a valid client key: if you run knife client list, the admin user isn't present.
When you are using Chef Server, you must use the option --mode client.
The command line options for knife vault are a little different than the options for chef
The most important takeaway from this example is that chef-vault can encrypt data only if Chef Server holds valid client keys: the item's shared secret is encrypted with the public key of every user or node granted access, so anyone without a client key on the server cannot be added to the vault. This can be hard to configure in a chef-zero setup. What we've done so far in this section is just enough to get chef-vault working with chef-zero in order to demo.
So is our data bag encrypted? Let's perform a check using knife data bag show, similar to what we did in the previous section on encrypted data bags:
$ knife data bag show passwords mysql_root
id:       mysql_root
password:
  cipher:         aes-256-cbc
  encrypted_data: K+PZ4zemMt2Hp7FTgTTHxGa1bWez1RqJbYGUNSJIgLDLu8cBlr9Uuu+gL9hT
  AH9jtIRms9BEjHXVn63SEzHMZQ==
  iv:             //KVXQRwdu81zOUXaSAC0Q==
  version:        1
Looks encrypted to us! Without a secret, knife can only show the aes-256-cbc ciphertext and its IV for each field; the password itself is not recoverable from this output.
Run knife vault show as follows to display the decrypted data bag content:
$ knife vault show passwords mysql_root --mode client
id:       mysql_root
password: This is a very secure password
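To make concrete why chef-vault needs valid client keys, and what the encrypted_data/iv/cipher/version fields shown by knife data bag show are, here is an added stand-alone Ruby example that reproduces the two layers in miniature. It is not chef-vault's own code or the book's: the field layout follows Chef's "version 1" encrypted data bag format (AES-256-CBC, key = SHA-256 of the shared secret, JSON-wrapped value), the keys item mirrors chef-vault's "<item>_keys" companion item, and the helper names, the constructed admin/node/intruder key pairs, the sample password and the choice of RSA-OAEP padding are all assumptions made for the demo.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'

# --- Encrypted data bag field (Chef "version 1" layout) -------------------
# Each non-id field becomes {encrypted_data, iv, version, cipher}, the shape
# knife data bag show printed above. Key = SHA-256(shared secret).
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv # fresh random IV for every field
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.encode64(data), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => 'aes-256-cbc' }
end

def decrypt_field(field, secret)
  raise "unsupported format version #{field['version']}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# --- Vault layer (assumed layout modelled on chef-vault, helper names ours) --
# One random shared secret per item; it is stored RSA-encrypted under every
# authorized public key in a companion "<item>_keys" item. The public keys
# stand in for the client keys Chef Server holds: no key, no entry, no access.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING # padding choice is ours

def create_vault_item(item_id, fields, public_keys_pem)
  secret = OpenSSL::Random.random_bytes(32)
  item = { 'id' => item_id }
  fields.each { |k, v| item[k] = encrypt_field(v, secret) }
  keys_item = { 'id' => "#{item_id}_keys" }
  public_keys_pem.each do |name, pem|
    keys_item[name] = Base64.encode64(OpenSSL::PKey::RSA.new(pem).public_encrypt(secret, OAEP))
  end
  [item, keys_item]
end

def open_vault_item(item, keys_item, name, private_key_pem)
  raise "#{name} has no entry in #{keys_item['id']}" unless keys_item.key?(name)
  rsa = OpenSSL::PKey::RSA.new(private_key_pem)
  secret = rsa.private_decrypt(Base64.decode64(keys_item[name]), OAEP)
  item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_field(v, secret) }
end

# Constructed demo: an admin and one node are authorized; a third key is not.
def vault_demo
  admin, node, intruder = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  item, keys = create_vault_item('mysql_root',
                                 { 'password' => 'This is a very secure password' },
                                 'admin' => admin.public_key.to_pem,
                                 'db1.example.com' => node.public_key.to_pem)
  result = { item: item, keys: keys }
  result[:admin_view] = open_vault_item(item, keys, 'admin', admin.to_pem)
  result[:node_view]  = open_vault_item(item, keys, 'db1.example.com', node.to_pem)
  begin
    # Wrong private key: the shared secret cannot be unwrapped, so nothing decrypts.
    open_vault_item(item, keys, 'admin', intruder.to_pem)
    result[:intruder_blocked] = false
  rescue OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError, JSON::ParserError
    result[:intruder_blocked] = true
  end
  result
end

if $PROGRAM_NAME == __FILE__
  r = vault_demo
  puts JSON.pretty_generate(r[:item]) # same shape as the knife data bag show output
  puts r[:admin_view]['password']     # same as knife vault show
end
```

Run it with `ruby vault_demo.rb`. The printed item carries only ciphertext, IV, cipher name and version, exactly what knife data bag show revealed; only a holder of one of the private keys listed in mysql_root_keys can unwrap the shared secret and read the password, which is why chef-vault has nothing to encrypt to for an admin that has no client key on the server.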