Provides a helper for decrypting databag items using the rake encrypt_databag task
encrypted_strings rubygem. Installed by default recipe
This is a proof of concept for encrypting databag items. It relies on a custom rake task available here:
The rake task looks for a databag called ‘passwords`. The items in the passwords databag are in the following format:
{“id”:“somepassword”, “data”:“mysupersecretpassword”}
Running ‘rake encrypt_databag` will do the following
* read data_bags/passwords/somepassword.json * Encrypt the ‘data` value with the passphrase in the rake task file (default: I encrypt with this) * Create a new file `data_bags/passwords/somepassword_crypted.json` * Add the newly crypted item to the passwords databag
To access the data in a recipe:
include_recipe “databag_decrypt” crypted_password = search(:passwords, “id:somepassword”).first
decrypted_password = item_decrypt(crypted_password) # do something with the decrypted password # Maybe write it to a file somewhere?
The data is encrypted with a symmetric algorithim so you’ll need a password to decrypt it. You can define how to get the password via the following attributes:
node[:passphrase_location] node[:passphrase_type]
If ‘passphrase_type` is `filepath` then `passphrase_location` should be the path to a file containing the passphrase. If `passphrase_type` is `url` then `passphrase_location` should be a url that will return a single passphrase in text/plain format.
Getting the file on the machine or putting it somewhere on the network to read is an exercise up to the user.