
Chef complaining while decrypting data bag value


I am trying to use an encrypted data bag in a recipe as follows:

  secret = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")
  encryptkey = Chef::EncryptedDataBagItem.load("tokens", "encryptkey", secret)

My data bag looks like this:

{
  "id": "encryptkey",
  "encrypt": "FjJyopVcfoJNIsYk2xDBjA=="
}

However, I keep getting the below error:

   ERROR: Error decrypting data bag value: 'bad decrypt'. Most likely the provided key is incorrect

Solution

  • The issue may be because of \n or \r characters. Please follow the below steps:

    1. Create the secret: $ openssl rand -base64 512 | tr -d '\r\n' > <secret-file>

    2. Upload the data bag item: $ knife data bag from file <data-bag> </path/to/data-bag-item.json> --secret-file <secret-file>

    3. Get the data bag item from the chef-server with $ knife data bag show <data-bag> <data-bag-item-id>, which will return encrypted data in the below format:

    id: mysql
    pass:
      cipher:         aes-256-cbc
      encrypted_data: JZtwXpuq4Hf5ICcepJ1PGQohIyqjNX6JBc2DGpnL2WApzjAUG9SkSdv75TfKSjX4
      iv:             VYY2qx9b4r3j0qZ7+RkKHg==
      version:        1
    user:
      cipher:         aes-256-cbc
      encrypted_data: 10BVoNb/plkvkrzVdybPgFFII5GThZ3Op9LNkwVeKpA=
      iv:             uIqKHZ9skJlN2gpJoml6rQ==
      version:        1

    4. Use the --secret-file arg while decrypting the data from the chef-server: $ knife data bag show <data-bag> <data-bag-item-id> --secret-file <secret-file>

    5. In the recipe, use the below syntax:
    data = data_bag_item(:<data-bag>, '<data-bag-id>', IO.read(Chef::Config[:encrypted_data_bag_secret]))
    log "result1: #{data['id']}"
    log "result2: #{data['user']}"

    6. To run the recipe on the node, move the secret-file to the /etc/chef/ location of the node using scp. Don't copy/paste the key. Once the file is available on the node, rename it to 'encrypted_data_bag_secret':
    $ mv /etc/chef/secret /etc/chef/encrypted_data_bag_secret

    7. If 'secret' is not specified, the chef-client will look for a secret at the path specified by the encrypted_data_bag_secret setting in the client.rb file. By default it is /etc/chef/encrypted_data_bag_secret.

    Hope this will be helpful for you.
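As an added illustration, not part of the question or the answer above, of why a stray newline in the secret file surfaces as 'bad decrypt': the script below mimics Chef's version 1 encrypted data bag format (assumed here: AES-256-CBC, key derived as SHA-256 of the secret file contents, value wrapped as {"json_wrapper": ...}) and shows that the same ciphertext decrypts with the clean secret but fails with the secret plus a trailing newline. The secret, the IV and the value are constructed sample data.

```ruby
require "openssl"
require "base64"
require "digest"
require "json"

# Encrypt one field the way Chef's version 1 data bag format does (assumed:
# AES-256-CBC, key = SHA-256(secret), plaintext = {"json_wrapper": value}).
# A fixed IV may be supplied to make the output reproducible.
def encrypt_v1(value, secret, iv = nil)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv ||= cipher.random_iv
  cipher.iv = iv
  data = cipher.update({ "json_wrapper" => value }.to_json) + cipher.final
  { "cipher" => "aes-256-cbc", "version" => 1,
    "encrypted_data" => Base64.strict_encode64(data), "iv" => Base64.strict_encode64(iv) }
end

# Decrypt a version 1 field. A key that does not match raises
# OpenSSL::Cipher::CipherError ("bad decrypt"), the error chef-client reports.
def decrypt_v1(field, secret)
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field["iv"])
  plain = cipher.update(Base64.decode64(field["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end

# Pre-flight check for a secret file: :ok if it decrypts the field, :bad_decrypt
# otherwise. A wrong key almost always breaks the PKCS#7 padding; in the rare case
# it yields padding-valid garbage, the JSON parse fails instead, so both are caught.
def check_secret(field, secret)
  decrypt_v1(field, secret)
  :ok
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  :bad_decrypt
end

# Constructed sample secret, as `openssl rand -base64 512` would emit it before
# `tr -d '\r\n'`: the only difference between the two is the trailing newline.
CLEAN_SECRET = "c2FtcGxlLXNlY3JldC1ub3QtYS1yZWFsLWtleQ=="
NEWLINE_SECRET = CLEAN_SECRET + "\n"
SAMPLE_FIELD = encrypt_v1("s3cret-pass", CLEAN_SECRET, "0123456789abcdef")

puts "clean secret:   #{check_secret(SAMPLE_FIELD, CLEAN_SECRET)}"   # :ok
puts "newline secret: #{check_secret(SAMPLE_FIELD, NEWLINE_SECRET)}" # :bad_decrypt
```

Chef's own load_secret strips surrounding whitespace from the secret file before deriving the key, whereas the IO.read(...) call in the answer's recipe line passes the file bytes through unchanged, so the two code paths can disagree about the same file.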