Chef: decrypt data bag and retrieve key

Updated: 2024-10-24 12:26:22
Problem description

I am using an encrypted data bag to encrypt an ssh key and decrypt it via Chef. The data bag had an id of pwind_ssh_rsa_pub_cred, but what I really want is the unencrypted data for the ssh key. I want to then take the key and append it to a file, but the code that I have currently is running into some issues. With static values, the below code works. Additionally, I am a bit confused as to what the type is of "decrypted_ssh".

    ruby_block "obtainCredentials" do
      block do
        hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key")
        decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key)
        Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
        command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'"
        shell(command)
      end
    end

What modifications should be done to get this ssh key decrypted and out of the encrypted data bag? Any suggestions would be much appreciated!

Solution

You need to select an element from the decrypted databag item.

Complete example:

Create key and databag item:

    $ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret
    $ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Content:

    {
      "id": "secretstuff",
      "firstsecret": "must remain secret",
      "secondsecret": "also very secret"
    }

Verify:

    $ knife data bag show mydatabag secretstuff -z
    WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
    firstsecret:
      cipher:         aes-256-cbc
      encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0
      qvhn
      iv:             MhG09xFcwFAqX/IA3BusMg==
      version:        1
    id:           secretstuff
    secondsecret:
      cipher:         aes-256-cbc
      encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI
      UJ2J
      iv:             66AcYpoF4xw/rnYfPegPLw==
      version:        1

cookbooks/test/recipes/test.rb

    decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret'))
    log "firstsecret: #{decrypted['firstsecret']}"
    log "secondsecret: #{decrypted['secondsecret']}"

Execute recipe

    # chef-client -z -o 'recipe[test::test]'
    ...
    Recipe: test::test
      * log[firstsecret: must remain secret] action write
      * log[secondsecret: also very secret] action write
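
Why the item has to be indexed by field, as an added example (not from the original answer, and not Chef's own code): each field of a version 1 item is a separate record with the `cipher`, `encrypted_data`, `iv` and `version` keys seen in the Verify output. The key derivation (SHA-256 of the secret) and the `json_wrapper` envelope are assumptions about that format; the field name `ssh_public_key`, the secret and the key text are constructed.

```ruby
require 'openssl'
require 'json'

# Assumed version 1 layout: AES-256-CBC, key = SHA-256 of the shared secret,
# plaintext = JSON {"json_wrapper": value}. One such record per field.
def v1_cipher(mode, secret, iv)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = OpenSSL::Digest::SHA256.digest(secret)
  c.iv = iv
  c
end

# Build one field record with the same keys that `knife data bag show` prints.
def encrypt_field(value, secret)
  iv = OpenSSL::Random.random_bytes(16)
  c = v1_cipher(:encrypt, secret, iv)
  data = c.update(JSON.generate('json_wrapper' => value)) + c.final
  # pack('m') is base64 with line breaks, hence the wrapped values in the output
  { 'cipher' => 'aes-256-cbc', 'encrypted_data' => [data].pack('m'),
    'iv' => [iv].pack('m'), 'version' => 1 }
end

def decrypt_field(record, secret)
  unless record['version'] == 1 && record['cipher'] == 'aes-256-cbc'
    raise ArgumentError, 'not a version 1 aes-256-cbc field'
  end
  c = v1_cipher(:decrypt, secret, record['iv'].unpack1('m'))
  plain = c.update(record['encrypted_data'].unpack1('m')) + c.final
  JSON.parse(plain.force_encoding(Encoding::UTF_8)).fetch('json_wrapper')
end

# "id" stays in clear text; every other key holds its own encrypted record.
def decrypt_item(raw_item, secret)
  raw_item.to_h { |k, v| [k, k == 'id' ? v : decrypt_field(v, secret)] }
end

# Constructed sample: the secret, field name and key text are made up.
SECRET = 'constructed-example-secret'
RAW_ITEM = {
  'id' => 'pwind_ssh_rsa_pub_credentials',
  'ssh_public_key' => encrypt_field('ssh-rsa AAAA-constructed-example user@host', SECRET)
}.freeze

item = decrypt_item(RAW_ITEM, SECRET)
puts item.class              # the decrypted item is a collection of fields
puts item['ssh_public_key']  # the single String that belongs in authorized_keys
```

The records shown in the Verify output carry no integrity tag, so a field in this format is encrypted but not authenticated; the store holding the data bag still needs protection against tampering.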

Published: 2023-11-06 21:40:36
Article link: https://www.elefans.com/category/jswz/34/1564746.html