I am trying to use an encrypted data bag in a recipe as follows:
secret = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")
encryptkey = Chef::EncryptedDataBagItem.load("tokens", "encryptkey", secret)
My data bag looks like this:
{
"id": "encryptkey",
"encrypt": "FjJyopVcfoJNIsYk2xDBjA=="
}
However, I keep getting the error below:
ERROR: Error decrypting data bag value: 'bad decrypt'. Most likely the provided key is incorrect
The issue may be because of a \n or \r character. Please follow the steps below:
Creating the secret:
$openssl rand -base64 512 | tr -d '\r\n' > <secret-file>
Upload the data bag item using:
$knife data bag from file <data-bag> </path/to/data-bag-item.json> --secret-file <secret-file>
Get the data bag item from the Chef server:
$knife data bag show <data-bag> <data-bag-item-id>
which will return the encrypted data in the format below:
id: mysql
pass:
  cipher: aes-256-cbc
  encrypted_data: JZtwXpuq4Hf5ICcepJ1PGQohIyqjNX6JBc2DGpnL2WApzjAUG9SkSdv75TfKSjX4
  iv: VYY2qx9b4r3j0qZ7+RkKHg==
  version: 1
user:
  cipher: aes-256-cbc
  encrypted_data: 10BVoNb/plkvkrzVdybPgFFII5GThZ3Op9LNkwVeKpA=
  iv: uIqKHZ9skJlN2gpJoml6rQ==
  version: 1
$knife data bag show <data-bag> <data-bag-item-id> --secret-file <secret-file>
# Load the item in the recipe, decrypting with the secret file configured for this node
data = data_bag_item(:<data-bag>, '<data-bag-id>', IO.read(Chef::Config[:encrypted_data_bag_secret]))
log "result1: #{data['id']}"
log "result2: #{data['user']}"
$mv /etc/chef/secret /etc/chef/encrypted_data_bag_secret
Hope this will be helpful for you.
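An added example (Ruby, not code from the question or the answer) that reproduces the failure the answer attributes to a stray line terminator: one value is decrypted with the secret and then with the secret plus a trailing newline, alongside the check that the `tr -d '\r\n'` step is meant to guarantee. The item layout mirrors the v1 format in the knife output above (aes-256-cbc, base64 encrypted_data and iv); deriving the key as SHA-256 of the secret and the json_wrapper envelope are assumptions made so the example runs stand-alone.

```ruby
require "openssl"
require "digest"
require "base64"
require "json"

CIPHER = "aes-256-cbc".freeze
# Constructed demo secret; a real one comes from `openssl rand -base64 512`
DEMO_SECRET = "c2FtcGxlLXNlY3JldC1mb3ItZGVtby1vbmx5".freeze

# Build an item field shaped like the v1 layout shown by `knife data bag show`.
# Key = SHA-256(secret) is an assumption of this example.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  data = cipher.update({ "json_wrapper" => value }.to_json) + cipher.final
  { "cipher" => CIPHER,
    "encrypted_data" => Base64.strict_encode64(data),
    "iv" => Base64.strict_encode64(iv),
    "version" => 1 }
end

# Decrypt one field; returns nil when the key does not match (OpenSSL reports
# the padding failure as "bad decrypt", the message seen in the question).
def decrypt_value(item, secret)
  cipher = OpenSSL::Cipher.new(item["cipher"]).decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(item["iv"])
  plain = cipher.update(Base64.decode64(item["encrypted_data"])) + cipher.final
  parsed = JSON.parse(plain)
  parsed.is_a?(Hash) ? parsed["json_wrapper"] : nil
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# True if the raw secret file still contains a CR or LF anywhere.
def secret_has_line_terminators?(raw)
  raw.match?(/[\r\n]/)
end

# Same effect as the answer's `tr -d '\r\n'` on the secret file contents.
def strip_line_terminators(raw)
  raw.delete("\r\n")
end

if __FILE__ == $PROGRAM_NAME
  item = encrypt_value("s3cret-pass", DEMO_SECRET)
  puts "correct secret:  #{decrypt_value(item, DEMO_SECRET).inspect}"
  puts "secret + \\n:     #{decrypt_value(item, DEMO_SECRET + "\n").inspect}"
  puts "file is clean?   #{!secret_has_line_terminators?(DEMO_SECRET + "\r\n")}"
end
```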