厨师解密数据包和密钥检索

Question

我正在使用加密的数据包加密ssh密钥并通过厨师进行解密。数据包的id为pwind_ssh_rsa_pub_cred，但我真正想要的是ssh密钥的未加密数据。然后我想要把钥匙附加到一个文件中，但是我目前的代码遇到了一些问题。使用静态值，下面的代码工作。另外，对于“decrypted_ssh”是什么类型，我感到很困惑。

ruby_block "obtainCredentials" do 
    block do 
     hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key") 
     decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key) 
     Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut) 
     command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'" 
     shell(command) 
    end 
end 

需要做什么样的修改才能将ssh密钥解密并从加密的数据包中解脱出来？我们欢迎所有的建议！

Answer 1

您需要从解密的数据库项目中选择一个元素。

完整的示例：

创建密钥和databag项目：

$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret 

$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z 

内容：

{ 
    "id": "secretstuff", 
    "firstsecret": "must remain secret", 
    "secondsecret": "also very secret" 
} 

验证：

$ knife data bag show mydatabag secretstuff -z 
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data. 
firstsecret: 
    cipher:   aes-256-cbc 
    encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0 
    qvhn 

    iv:    MhG09xFcwFAqX/IA3BusMg== 

    version:  1 
id:   secretstuff 
secondsecret: 
    cipher:   aes-256-cbc 
    encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI 
    UJ2J 

    iv:    66AcYpoF4xw/rnYfPegPLw== 

    version:  1 

食谱/测试/食谱/ test.rb

decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret')) 
log "firstsecret: #{decrypted['firstsecret']}" 
log "secondsecret: #{decrypted['secondsecret']}" 

执行食谱

# chef-client -z -o 'recipe[test::test]' 
... 
Recipe: test::test 
    * log[firstsecret: must remain secret] action write 

    * log[secondsecret: also very secret] action write