廚師解密數據包和密鑰檢索

Question

我正在使用加密的數據包加密ssh密鑰並通過廚師進行解密。數據包的id爲pwind_ssh_rsa_pub_cred，但我真正想要的是ssh密鑰的未加密數據。然後我想要把鑰匙附加到一個文件中，但是我目前的代碼遇到了一些問題。使用靜態值，下面的代碼工作。另外，對於「decrypted_ssh」是什麼類型，我感到很困惑。

ruby_block "obtainCredentials" do 
    block do 
     hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key") 
     decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key) 
     Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) 
     command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'" 
     shell(command) 
    end 
end 

需要做什麼樣的修改才能將ssh密鑰解密並從加密的數據包中解脫出來？我們歡迎所有的建議！

Answer 1

您需要從解密的數據庫項目中選擇一個元素。

完整的示例：

創建密鑰和databag項目：

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret 

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z 

內容：

{ 
    "id": "secretstuff", 
    "firstsecret": "must remain secret", 
    "secondsecret": "also very secret" 
} 

驗證：

$ knife data bag show mydatabag secretstuff -z 
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data. 
firstsecret: 
    cipher:   aes-256-cbc 
    encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0 
    qvhn 

    iv:    MhG09xFcwFAqX/IA3BusMg== 

    version:  1 
id:   secretstuff 
secondsecret: 
    cipher:   aes-256-cbc 
    encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI 
    UJ2J 

    iv:    66AcYpoF4xw/rnYfPegPLw== 

    version:  1 

食譜/測試/食譜/ test.rb

decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret')) 
log "firstsecret: #{decrypted['firstsecret']}" 
log "secondsecret: #{decrypted['secondsecret']}" 

執行食譜

# chef-client -z -o 'recipe[test::test]' 
... 
Recipe: test::test 
    * log[firstsecret: must remain secret] action write 

    * log[secondsecret: also very secret] action write