Chef Decryption of Data Bags and Retrieval of Key


Question

I am using an encrypted data bag to encrypt an ssh key and decrypt it via Chef. The data bag had an id of pwind_ssh_rsa_pub_cred, but what I really want is the unencrypted data for the ssh key. I want to then take the key and append it to a file, but the code that I have currently is running into some issues. With static values, the below code works. Additionally, I am a bit confused as to what the type is of "decrypted_ssh".

ruby_block "obtainCredentials" do
    block do
        # Read the shared secret that the data bag was encrypted with.
        hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key")
        # Load and decrypt the whole item: this is an EncryptedDataBagItem
        # (hash-like, every field except "id" decrypted on access), not the key string itself.
        decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key)
        # Chef::Mixin::ShellOut provides shell_out / shell_out!, not a plain "shell" method.
        Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
        # Interpolating the whole item here writes its string form, not the ssh key.
        command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'"
        shell_out!(command)
    end
end

What modifications should be done to get this ssh key decrypted and out of the encrypted data bag? Any suggestions would be much appreciated!

Solution

You need to select an element from the decrypted databag item.

Complete example:

Create key and databag item:

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Content:

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

Verify:

$ knife data bag show mydatabag secretstuff -z
WARNING: Encrypted data bag detected, but no secret provided for decoding.  Displaying encrypted data.
firstsecret:
  cipher:         aes-256-cbc
  encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0
  qvhn

  iv:             MhG09xFcwFAqX/IA3BusMg==

  version:        1
id:           secretstuff
secondsecret:
  cipher:         aes-256-cbc
  encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI
  UJ2J

  iv:             66AcYpoF4xw/rnYfPegPLw==

  version:        1

cookbooks/test/recipes/test.rb

decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret'))
log "firstsecret: #{decrypted['firstsecret']}"
log "secondsecret: #{decrypted['secondsecret']}"

Execute recipe

# chef-client -z -o 'recipe[test::test]'
...
Recipe: test::test
  * log[firstsecret: must remain secret] action write

  * log[secondsecret: also very secret] action write
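The answer's point, that the decrypted item is a hash you index into, is easiest to see with the item format itself. The block below is an added example, not code from the question, the answer or Chef: it is a standalone re-implementation of the version-1 item layout visible in the knife output above (per-field cipher, encrypted_data, iv and version, with "id" left in the clear, the AES-256-CBC key derived as SHA-256 of the secret file and each value wrapped as {"json_wrapper": value}). That layout is my reading of Chef's format and is an assumption; for real runs use Chef::EncryptedDataBagItem or data_bag_item as in the answer. The secret, the "pubkey" field name, the sample key and the temporary authorized_keys path are all constructed for the demo. It also replaces the question's su -c '... echo #{...} >> .authorized_keys' with a file write, because a value interpolated into a shell string can break out of the quotes and the key would show up in the process list.

```ruby
# Added example: standalone model of a Chef v1 encrypted data bag item.
# Not Chef's own code; the format details are assumptions noted in the lead-in.
require 'openssl'
require 'base64'
require 'json'
require 'tmpdir'

CIPHER = 'aes-256-cbc'

# Assumed v1 key derivation: SHA-256 of the secret file contents with
# surrounding whitespace stripped (the openssl | tr pipeline in the answer
# strips the trailing newline for the same reason).
def derive_key(secret)
  OpenSSL::Digest.digest('SHA256', secret.strip)
end

# Encrypt a single field: the value is JSON-wrapped so any type round-trips.
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  plaintext = { 'json_wrapper' => value }.to_json
  ct = cipher.update(plaintext) + cipher.final
  {
    'cipher'         => CIPHER,
    'encrypted_data' => Base64.encode64(ct),
    'iv'             => Base64.encode64(iv),
    'version'        => 1
  }
end

# Decrypt a single field; refuse anything that is not the v1/aes-256-cbc shape
# so a tampered or downgraded item fails loudly instead of yielding garbage.
def decrypt_field(field, secret)
  raise "unsupported version #{field['version'].inspect}" unless field['version'] == 1
  raise "unexpected cipher #{field['cipher'].inspect}" unless field['cipher'] == CIPHER
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# Every field except "id" is encrypted separately; "id" stays in the clear,
# which is why knife shows it unencrypted in the answer's output.
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_field(v, secret) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_field(v, secret) }
end

# Idempotent, shell-free append of one public key line. Using File APIs means
# a key containing quotes or ';' cannot escape a su -c '...' string, and the
# key never appears on a command line.
def append_authorized_key(path, pubkey)
  line = pubkey.strip
  existing = File.exist?(path) ? File.readlines(path, chomp: true) : []
  return false if existing.include?(line)
  File.open(path, 'a', 0o600) { |f| f.puts(line) }
  File.chmod(0o600, path)
  true
end

# Constructed inputs for the demo (not real credentials).
SECRET = Base64.strict_encode64(OpenSSL::Random.random_bytes(64)) + "\n"
SAMPLE_ITEM = {
  'id'     => 'pwind_ssh_rsa_pub_credentials',
  'pubkey' => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-not-a-real-key ec2-user@example'
}

# Round trip: encrypt like knife, decrypt like the recipe, then select the
# element and append it. decrypted is a Hash; decrypted['pubkey'] is the
# String the question wanted. Interpolating the whole Hash (as the question
# did) would write Hash#to_s output, not the key.
def demo
  encrypted = encrypt_item(SAMPLE_ITEM, SECRET)
  decrypted = decrypt_item(encrypted, SECRET)
  path = File.join(Dir.mktmpdir, 'authorized_keys')
  first  = append_authorized_key(path, decrypted['pubkey'])
  second = append_authorized_key(path, decrypted['pubkey'])
  { encrypted: encrypted, decrypted: decrypted,
    first_append: first, second_append: second, path: path }
end

puts demo[:decrypted]['pubkey'] if __FILE__ == $PROGRAM_NAME
```

Inside a real recipe the same idea maps onto the answer's `data_bag_item(...)` call followed by `['pubkey']`, and onto a `file` resource (with `sensitive true` so the key is not echoed in the run log) rather than a `ruby_block` that shells out as root.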
