Encryption 加密的厨师数据包json文件，如何解密和显示内容？_Encryption_Chef Infra_Databags

Encryption 加密的厨师数据包json文件，如何解密和显示内容？

encryption chef-infra

Encryption 加密的厨师数据包json文件，如何解密和显示内容？,encryption,chef-infra,databags,Encryption,Chef Infra,Databags,json文件中有加密的数据包，其中有些值需要更改。我需要运行一些类似于 $ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb 但此命令给出错误：在当前目录或“data\u bags/show/ewe jenkins”中找不到或打开文件“DATABAGNAME”。所以很明显，这个命令并不完全正确。我需要你帮我弄清楚语法我需要一个可以从chef repo

json文件中有加密的数据包，其中有些值需要更改。我需要运行一些类似于

$ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb

但此命令给出错误：在当前目录或“data\u bags/show/ewe jenkins”中找不到或打开文件“DATABAGNAME”。所以很明显，这个命令并不完全正确。我需要你帮我弄清楚语法

我需要一个可以从chef repo或data_bags目录运行的命令，该命令允许我查看json文件data_bags的未加密值。最终，我想更改一些值，但获取未加密的值将是一个很好的开始：）谢谢

我认为您混淆了文件中的

刀数据包显示

和

刀数据包

命令。前者用于显示来自服务器的数据，后者用于上传数据。这两个文件都在命令行上。

既然您讨论的是本地json文件，我假设您使用的是chef zero/local模式。json文件确实可以加密，内容可以用刀子解密

完整示例：

创建密钥和数据包项：

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

# cat data_bags/mydatabag/secretstuff.json 
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret

输入以下内容：

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

# cat data_bags/mydatabag/secretstuff.json 
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret

json文件确实是加密的：

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

# cat data_bags/mydatabag/secretstuff.json 
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret

用小刀显示解密内容：

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

# cat data_bags/mydatabag/secretstuff.json 
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret

目标是查看本地json数据包的解密内容。你能告诉我正确的方向吗？本地内容总是已经解密了。加密包仅在Chef服务器上加密，而不是在本地加密。您可以使用

刀数据包show

和

--secret

或friends来显示服务器上解密的内容。“总是已经解密”我应该补充的是，这是在您使用标准工作流时。如果你用

knife-z

做了一些时髦的生意，你需要使用一个刀子插件，它可以进行本地加密操作，但Chef没有提供<代码>刀子数据包秀-z--秘密可能是你想要的？我逐渐意识到我们有一个不同寻常的设置，我们在github中处理文件，而不是直接与chef服务器一起工作。然后，github中的文件通过更改时触发的jenkins作业被拉入chef服务器。有一种避免编辑器步骤的方法：使用

$mkdir-p data\u bags/mydatabag/&&knice data bag from file my\u data\u bag/path/to/unencryptet\u data\u bag\u item.json-z--secret file/path/to/encrypted\u data\u bag\u secret

=>将创建该项到

data\u bags/mydatabag/secretstuff.json