Chef Decryption of Data Bags and Retrieval of Key
I am using an encrypted data bag to encrypt an ssh key and decrypt it through Chef. The data bag's ID is pwind_ssh_rsa_pub_cred, but what I really want is the unencrypted data of the ssh key. I then want to take the key and append it to a file, but the code I currently have is running into some problems. For static values, the following code works. Also, I am confused about what the type of "decrypted_ssh" is.

    ruby_block "obtainCredentials" do
      block do
        hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key")
        decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key)
        Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
        command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'"
        shell(command)
      end
    end

What changes should be made so that this ssh key is decrypted and pulled out of the encrypted data bag? Any suggestions would be greatly appreciated!
You need to select one element from the decrypted data bag item.

Full example:

Create the secret and the data bag item:

    $ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret
    $ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Contents:

    {
      "id": "secretstuff",
      "firstsecret": "must remain secret",
      "secondsecret": "also very secret"
    }

Verify:

    $ knife data bag show mydatabag secretstuff -z
    WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
    firstsecret:
      cipher: aes-256-cbc
      encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0
      qvhn
      iv: MhG09xFcwFAqX/IA3BusMg==
      version: 1
    id: secretstuff
    secondsecret:
      cipher: aes-256-cbc
      encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI
      UJ2J
      iv: 66AcYpoF4xw/rnYfPegPLw==
      version: 1

cookbooks/test/recipes/test.rb

    decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret'))
    log "firstsecret: #{decrypted['firstsecret']}"
    log "secondsecret: #{decrypted['secondsecret']}"

Run the recipe:

    # chef-client -z -o 'recipe[test::test]'
    ...
    Recipe: test::test
      * log[firstsecret: must remain secret] action write
      * log[secondsecret: also very secret] action write
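To make concrete what the answer's `decrypted['firstsecret']` is selecting, here is an added stand-alone Ruby re-implementation of the per-field layout that `knife data bag show` printed above (cipher, iv, encrypted_data, version); it is not Chef's own code and not part of the original answer. It assumes Chef's version-1 scheme (AES-256-CBC, key derived as SHA-256 of the secret string, plaintext being the JSON document {"json_wrapper": value}); the secret and item are constructed samples, and decryption yields a plain Hash from which one field is picked with [] instead of interpolating the whole item into a shell command as the question's recipe does.

```ruby
require 'openssl'
require 'json'
require 'digest'
# One field as a version-1 item stores it (assumed Chef layout: AES-256-CBC,
# key = SHA-256 of the secret string, plaintext = JSON {"json_wrapper": value}).
def encrypt_field(value, secret)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.encrypt
  iv = c.random_iv                      # also installs the IV on the cipher
  c.key = Digest::SHA256.digest(secret)
  data = c.update(JSON.generate('json_wrapper' => value)) + c.final
  { 'cipher' => 'aes-256-cbc', 'iv' => [iv].pack('m0'),
    'encrypted_data' => [data].pack('m0'), 'version' => 1 }
end

# Inverse; a wrong secret fails the CBC padding check or the JSON parse.
def decrypt_field(enc, secret)
  raise ArgumentError, "unsupported version #{enc['version']}" unless enc['version'] == 1
  c = OpenSSL::Cipher.new(enc['cipher'])
  c.decrypt
  c.key = Digest::SHA256.digest(secret)
  c.iv = enc['iv'].unpack1('m')         # lenient decode: knife wraps long lines
  plain = c.update(enc['encrypted_data'].unpack1('m')) + c.final
  JSON.parse(plain).fetch('json_wrapper')
end

# "id" stays in the clear; every other field is wrapped individually.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : encrypt_field(v, secret)] }
end
def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : decrypt_field(v, secret)] }
end

# Constructed sample: a secret shaped like `openssl rand -base64 512` output and
# the answer's item. Decryption yields a plain Hash; pick one field with [].
SECRET = [OpenSSL::Random.random_bytes(512)].pack('m0')
ITEM = { 'id' => 'secretstuff', 'firstsecret' => 'must remain secret', 'secondsecret' => 'also very secret' }

def decrypted_item(secret = SECRET)
  decrypt_item(encrypt_item(ITEM, SECRET), secret)
end

# The secret must match exactly; a trailing newline in the secret file would
# already break this, which is why the answer strips it with tr -d '\r\n'.
def wrong_secret_rejected?
  decrypted_item(SECRET + 'x')
  false
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, KeyError
  true
end
```

`decrypted_item['firstsecret']` is the string to put in authorized_keys; in a real recipe prefer a `file` resource with `sensitive true` over echoing the value through `su -c`, so the key never appears in a process command line.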