Thursday, June 27, 2019

Chef HOWTO: Encrypted Data Bags


Create a new encrypted data bag


1. Create a secret for the data bag

$ openssl rand -base64 1024 > db_secret_key.txt

2. Make an encrypted data bag:

$ export EDITOR=vim

$ knife data bag create BAG_NAME --secret-file db_secret_key.txt

Created data_bag[BAGNAME]

3. Create data bag entry and edit contents:

$ knife data bag create BAG_NAME ITEM_NAME --secret-file db_secret_key.txt

Data bag BAG_NAME already exists

Created data_bag_item[ITEM_NAME]

4. (optional) Download data bag as json:

$ knife download data_bags/BAG_NAME

5. (optional) Upload data bag from json file:

$ knife data bag from file BAG_NAME BAG_FILENAME.json

6. (optional) Access data bag from a recipe:

# Read the shared secret created in step 1 (the file has to be present on the node)
db_secret = Chef::EncryptedDataBagItem.load_secret('/path/to/db_secret_key.txt')

# Decrypt the item with that secret and pick out one field
private_key_value = Chef::EncryptedDataBagItem.load('BAG_NAME', 'ITEM_NAME', db_secret)['ITEM_KEY']

### note: ITEM_KEY is often an Environment name
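The recipe in step 6 reads the secret file and decrypts one field of the item. The Ruby below is an added example, not Chef's or knife's own code: it models what the item looks like on the server after step 3 (the "id" stays in clear text, every other field becomes a small JSON object with ciphertext, IV and HMAC) and how the recipe side checks and decrypts it. It follows the layout of Chef's version-2 item format (AES-256-CBC with a key derived by SHA-256 of the stripped secret file, HMAC-SHA256 over the base64 ciphertext); byte-for-byte compatibility with knife is an assumption I have not verified, and the secret and item values are constructed for the demo.

```ruby
require "openssl"
require "base64"
require "json"

# Added example (not Chef's own code): a self-contained model of an encrypted
# data bag item, following the layout of Chef's version-2 format. Exact
# compatibility with knife/chef-client output is an assumption.
module DataBagCrypto
  CIPHER  = "aes-256-cbc"
  VERSION = 2

  # Chef's load_secret reads the secret file and strips surrounding whitespace;
  # the cipher key is the SHA-256 digest of that text, so the file contents
  # (not a hash of them) are what must be protected on the node.
  def self.key_from_secret(secret_text)
    OpenSSL::Digest.digest("SHA256", secret_text.strip)
  end

  # Encrypt one field value. The value is JSON-wrapped before encryption so
  # that non-string values (arrays, hashes, numbers) round-trip unchanged.
  def self.encrypt_value(secret_text, value)
    key = key_from_secret(secret_text)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    iv = cipher.random_iv          # fresh IV per field, stored beside the ciphertext
    cipher.key = key
    ciphertext = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
    encoded = Base64.encode64(ciphertext)
    {
      "encrypted_data" => encoded,
      "iv" => Base64.encode64(iv),
      "hmac" => Base64.encode64(OpenSSL::HMAC.digest("SHA256", key, encoded)),
      "version" => VERSION,
      "cipher" => CIPHER,
    }
  end

  # Decrypt one field. The HMAC is checked before any decryption is attempted,
  # so a modified item or a wrong secret fails closed instead of yielding
  # garbage or a padding error.
  def self.decrypt_value(secret_text, blob)
    key = key_from_secret(secret_text)
    expected = OpenSSL::HMAC.digest("SHA256", key, blob["encrypted_data"])
    actual = Base64.decode64(blob["hmac"])
    raise "HMAC mismatch: item was modified or wrong secret" unless secure_equal(expected, actual)

    decipher = OpenSSL::Cipher.new(blob["cipher"])
    decipher.decrypt
    decipher.iv = Base64.decode64(blob["iv"])
    decipher.key = key
    plain = decipher.update(Base64.decode64(blob["encrypted_data"])) + decipher.final
    JSON.parse(plain)["json_wrapper"]
  end

  # Encrypt every field except "id", which stays in clear text so the item
  # can still be addressed by name (as in step 3 above).
  def self.encrypt_item(secret_text, item)
    item.each_with_object({}) do |(k, v), out|
      out[k] = k == "id" ? v : encrypt_value(secret_text, v)
    end
  end

  def self.decrypt_item(secret_text, item)
    item.each_with_object({}) do |(k, v), out|
      out[k] = k == "id" ? v : decrypt_value(secret_text, v)
    end
  end

  # Constant-time comparison so HMAC checking does not leak via timing.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-demo-secret-not-from-openssl-rand\n" # stand-in for db_secret_key.txt
  item = { "id" => "production", "db_password" => "hunter2", "ports" => [5432, 6432] }
  encrypted = DataBagCrypto.encrypt_item(secret, item)
  puts JSON.pretty_generate(encrypted)             # what knife uploads and downloads
  p DataBagCrypto.decrypt_item(secret, encrypted)  # what the recipe sees after step 6
end
```

The practical point this makes visible: the server only ever holds the encrypted blobs, so anyone with read access to the data bag (or a `knife download` of it) learns nothing without the secret file, and the secret file is the thing to keep off the server and out of the repository.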

Tuesday, June 25, 2019

Super Easy Encryption w/ GPG

To import somebody's public key:


gpg --import your_friend.pub


To encrypt a text file for them:


gpg -a -se -r 'friend name in address book' FILENAME.txt


To list the keys (your friends') in your address book:


gpg --list-keys


To import a new friend's key:


gpg --import friend_key.pub


To generate a new private key for yourself:

gpg --full-generate-key
or
gpg --default-new-key-algo rsa4096 --gen-key
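As an added example that is not part of the original post, the script below runs the commands above end to end in two throwaway keyrings (GNUPGHOME pointed at temporary directories), so nothing touches your real ~/.gnupg: both sides generate a key, exchange public keys with --import, the importer checks the fingerprint before marking the key as valid, then one side signs and encrypts with -a -se and the other decrypts and confirms the signature. The names, e-mail addresses and message text are constructed for the demo. One thing it does differently from the post: -r is given the fingerprint instead of the friend's name, because a name can match more than one key in the keyring.

```shell
#!/bin/sh
# Added example, not from the original post: a full sign/encrypt/decrypt
# round trip in two temporary keyrings. Names and addresses are constructed.
set -eu

gpg_round_trip() {
  work=$(mktemp -d)
  me="$work/me"; friend="$work/friend"
  mkdir -m 700 "$me" "$friend"

  # Each side generates its own key pair non-interactively. An empty
  # passphrase is only acceptable because these keyrings are thrown away.
  for side in me friend; do
    GNUPGHOME="$work/$side" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$side <$side@example.invalid>" default default never
  done

  # Exchange public keys: the .pub files are what you would send each other,
  # and "gpg --import" is the step from the post.
  GNUPGHOME="$friend" gpg --batch --quiet --armor --export friend@example.invalid > "$work/friend.pub"
  GNUPGHOME="$me"     gpg --batch --quiet --armor --export me@example.invalid     > "$work/me.pub"
  GNUPGHOME="$me"     gpg --batch --quiet --import "$work/friend.pub"
  GNUPGHOME="$friend" gpg --batch --quiet --import "$work/me.pub"

  # Before trusting an imported key, compare its fingerprint with one obtained
  # out of band (in person, phone). The demo's stand-in for "out of band" is
  # reading it straight from the friend's own keyring.
  expected=$(GNUPGHOME="$friend" gpg --batch --with-colons --fingerprint friend@example.invalid \
             | awk -F: '$1=="fpr"{print $10; exit}')
  imported=$(GNUPGHOME="$me" gpg --batch --with-colons --fingerprint friend@example.invalid \
             | awk -F: '$1=="fpr"{print $10; exit}')
  [ "$expected" = "$imported" ] || { echo "fingerprint mismatch" >&2; return 1; }

  # Record that the key was verified with a local (non-exportable) signature,
  # so gpg treats it as valid without --trust-model always.
  GNUPGHOME="$me" gpg --batch --quiet --yes --quick-lsign-key "$expected"

  # Sign and encrypt (the post's -a -se), addressing the recipient by fingerprint.
  printf 'meet at noon\n' > "$work/msg.txt"
  GNUPGHOME="$me" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    -a -se -r "$expected" --output "$work/msg.txt.asc" "$work/msg.txt"

  # The friend decrypts and checks the signature using the machine-readable
  # status lines rather than parsing the human-oriented stderr text.
  GNUPGHOME="$friend" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --status-fd 3 --output "$work/msg.dec" --decrypt "$work/msg.txt.asc" 3> "$work/status"
  grep -q '^\[GNUPG:\] GOODSIG' "$work/status" || { echo "signature not verified" >&2; return 1; }
  cmp -s "$work/msg.txt" "$work/msg.dec" || { echo "plaintext mismatch" >&2; return 1; }

  # Stop the agents started for the temporary homes, then clean up.
  GNUPGHOME="$me"     gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$friend" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "round trip ok: encrypted to $expected, signature verified"
}
```

Run it with `. ./round_trip.sh && gpg_round_trip` (or append a call to the file). The fingerprint comparison is the part that matters most for a real friend's key: an import only tells you that some key claims a name, and the local signature is how you record that you checked it.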