Encrypted Chef data bag json file: how to decrypt and display the contents?


There is an encrypted data bag in a json file, and some of its values need to be changed. I need to run something like

$ knife data bag from file show --secret-file path/to/secret DATABAGNAME --config path/to/knife.rb

but this command gives the error: could not find or open file 'DATABAGNAME' in the current directory or in 'data_bags/show/ewe jenkins'. So obviously the command isn't quite right. I need your help figuring out the syntax.

I need a command I can run from the chef repo or the data_bags directory that lets me see the unencrypted values of the json files in data_bags. Eventually I want to change some values, but getting the unencrypted values would be a good start :) Thanks

I think you are confusing the "knife data bag show" and "knife data bag from file" commands. The former is for displaying data from the server, the latter is for uploading data. Both are available from the command line.

Since you are talking about local json files, I assume you are using chef-zero / local mode. The json files can indeed be encrypted, and the content can be decrypted with knife.

Full example:

Create the secret and a data bag item:

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z

Enter the following:

{
  "id": "secretstuff",
  "firstsecret": "must remain secret",
  "secondsecret": "also very secret"
}

The json file is indeed encrypted:

# cat data_bags/mydatabag/secretstuff.json
{
  "id": "secretstuff",
  "firstsecret": {
    "encrypted_data": "VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0\nqvhn\n",
    "iv": "MhG09xFcwFAqX/IA3BusMg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  },
  "secondsecret": {
    "encrypted_data": "Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI\nUJ2J\n",
    "iv": "66AcYpoF4xw/rnYfPegPLw==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}

Show the decrypted content with knife:

# knife data bag show mydatabag secretstuff -z --secret-file /tmp/encrypted_data_bag_secret
Encrypted data bag detected, decrypting with provided secret.
firstsecret:  must remain secret
id:           secretstuff
secondsecret: also very secret
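As an added illustration (not code from the answer or from Chef itself), the Ruby below round-trips the version 1 item format seen in the cat output above: the raw contents of the secret file are hashed with SHA-256 to form the AES-256-CBC key, each value is wrapped in a {"json_wrapper": ...} envelope before encryption, and encrypted_data and iv are stored as base64 with embedded newlines. The secret and the values are constructed for the example; the ciphertext from the post cannot be decrypted here because its secret is unknown.

```ruby
require "openssl"
require "base64"
require "json"

# Version 1 key derivation: SHA-256 of the secret file contents (constructed secret in the test).
def derive_key(secret)
  OpenSSL::Digest::SHA256.digest(secret)
end

# Encrypt a single data bag value into the version 1 wrapper hash.
def encrypt_value(secret, value)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  # The envelope lets non-string values (arrays, hashes, numbers) survive the round trip.
  plaintext = JSON.generate({ "json_wrapper" => value })
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    "encrypted_data" => Base64.encode64(ciphertext), # encode64 inserts "\n" every 60 chars, as in the file
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => "aes-256-cbc",
  }
end

# Decrypt a single wrapped value. Version 1 carries no MAC, so a wrong secret or a
# modified ciphertext is only caught by the padding check or by the JSON parse failing.
def decrypt_value(secret, wrapped)
  raise ArgumentError, "only version 1 items are handled here" unless wrapped["version"] == 1
  cipher = OpenSSL::Cipher.new(wrapped["cipher"])
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.decode64(wrapped["iv"])          # decode64 ignores the embedded newlines
  plaintext = cipher.update(Base64.decode64(wrapped["encrypted_data"])) + cipher.final
  JSON.parse(plaintext)["json_wrapper"]
end

# Decrypt every field except "id", which knife leaves in clear text.
def decrypt_item(secret, item)
  item.each_with_object({}) do |(key, value), out|
    out[key] = key == "id" ? value : decrypt_value(secret, value)
  end
end
```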

The goal is to view the decrypted content of the local json data bag. Can you point me in the right direction?

The local content is always already decrypted. Encrypted bags are only encrypted on the Chef server, not locally. You can use "knife data bag show --secret" or friends to display the decrypted content from the server.

On "always already decrypted": I should add that this holds when you use the standard workflow. If you do funky business with knife -z, you would need a knife plugin that does local encryption operations, which Chef does not provide.

"knife data bag show -z --secret" might be what you want?

I've come to realize that we have an unusual setup: we handle the files in github rather than working directly with the chef server. The files in github are then pulled into the chef server by a jenkins job that is triggered on change.

There is a way to avoid the editor step: using

$ mkdir -p data_bags/mydatabag/ && knife data bag from file my_data_bag /path/to/unencrypted_data_bag_item.json -z --secret-file /path/to/encrypted_data_bag_secret

=> will create the item at

data_bags/mydatabag/secretstuff.json