Encrypt and Decrypt a Chef Data Bag Locally with Chef Zero

From Bonus Bits


This article gives the steps to use Chef Zero locally to encrypt a Data Bag Item JSON.


Start Chef Zero

chef-zero -d

Create Data Bag on Chef Zero

We need a Data Bag on the Chef Zero instance to hold the item. On the server side it is little more than a named container (think of it as a folder) for Data Bag Items.

knife data bag create ec2_databags

Upload and Encrypt Data Bag Item

Upload the local unencrypted JSON, passing the secret file so that the item is stored on Chef Zero in encrypted form:

knife data bag from file ec2_databags /path/to/data_bags/ec2_databags/ec2_databag.json --secret-file /path/to/encrypted_data_bag_secret

Download Encrypted Data Bag Item (Option 1)

Now we pull the Data Bag Item from Chef Zero without decrypting it.

knife data bag show ec2_databags ec2_databag -Fj > ec2_databag_encrypted.json
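The file written by Option 1 is the one that usually ends up committed to a cookbook or infrastructure repository, so it is worth confirming that it really is encrypted before it goes anywhere. The following checker is an added example, not part of the original article or of Chef itself; it reads the item JSON and verifies that every key other than `id` carries the field set Chef's encrypted data bag format uses (`encrypted_data`, `iv`, `version`, `cipher`, plus `hmac` for version 2 or `auth_tag` for version 3). The sample items embedded in it are constructed, and their base64 strings are placeholders rather than real ciphertext.

```python
import json
import sys

# Per-value fields written by Chef's encrypted data bag format, by format version.
REQUIRED_FIELDS = {
    1: {"encrypted_data", "iv", "version", "cipher"},
    2: {"encrypted_data", "iv", "version", "cipher", "hmac"},
    3: {"encrypted_data", "iv", "version", "cipher", "auth_tag"},
}
EXPECTED_CIPHER = {1: "aes-256-cbc", 2: "aes-256-cbc", 3: "aes-256-gcm"}

# Constructed sample of a version-3 item as `knife data bag show ... -Fj`
# returns it without --secret-file; the base64 strings are placeholders.
ENCRYPTED_SAMPLE = {
    "id": "ec2_databag",
    "api_key": {
        "encrypted_data": "PLACEHOLDER_BASE64_CIPHERTEXT==\n",
        "iv": "PLACEHOLDER_BASE64_IV==\n",
        "auth_tag": "PLACEHOLDER_BASE64_TAG==\n",
        "version": 3,
        "cipher": "aes-256-gcm",
    },
}

# Constructed sample of what the upload step produces when --secret-file is
# forgotten: the value is stored, and downloaded, in the clear.
PLAINTEXT_SAMPLE = {"id": "ec2_databag", "api_key": "placeholder-not-a-real-key"}


def check_encrypted_item(item):
    """Return a list of problems found in one Data Bag Item.

    An empty list means the item has a string 'id' and every other top-level
    value is an encrypted-value object with the fields its version requires.
    """
    problems = []
    if not isinstance(item, dict):
        return ["item is not a JSON object"]
    if not isinstance(item.get("id"), str):
        problems.append("missing or non-string 'id'")
    for key, value in item.items():
        if key == "id":
            continue
        if not isinstance(value, dict):
            # A bare string/number/list here is a plaintext secret.
            problems.append(f"{key!r}: plaintext value (not an encrypted object)")
            continue
        version = value.get("version")
        if version not in REQUIRED_FIELDS:
            problems.append(f"{key!r}: unknown or missing version {version!r}")
            continue
        missing = REQUIRED_FIELDS[version] - value.keys()
        if missing:
            problems.append(f"{key!r}: missing {sorted(missing)}")
        cipher = value.get("cipher")
        if cipher != EXPECTED_CIPHER[version]:
            problems.append(f"{key!r}: unexpected cipher {cipher!r} for version {version}")
    return problems


def check_encrypted_file(path):
    """Load a downloaded item from disk and run the same checks on it."""
    with open(path, encoding="utf-8") as f:
        return check_encrypted_item(json.load(f))


if __name__ == "__main__":
    # Usage: python check_encrypted_item.py ec2_databag_encrypted.json
    # With no argument the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        targets = [(sys.argv[1], check_encrypted_file(sys.argv[1]))]
    else:
        targets = [("ENCRYPTED_SAMPLE", check_encrypted_item(ENCRYPTED_SAMPLE)),
                   ("PLAINTEXT_SAMPLE", check_encrypted_item(PLAINTEXT_SAMPLE))]
    for name, problems in targets:
        print(f"{name}: {'OK' if not problems else 'NOT SAFE TO COMMIT'}")
        for p in problems:
            print(f"  - {p}")
```

Run it against `ec2_databag_encrypted.json` before committing; a plaintext value, a missing `auth_tag` on a version-3 field, or an unexpected cipher name all show up as a problem line. The check is structural only: it confirms the file has the encrypted shape, it does not decrypt or validate the ciphertext, and it says nothing about whether `encrypted_data_bag_secret` itself has been kept out of the repository.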

Download Decrypted Data Bag Item (Option 2)

To decrypt a Data Bag Item locally, upload it to the Chef Zero instance exactly as above, then pass the --secret-file argument when downloading to obtain the decrypted version.

knife data bag show ec2_databags ec2_databag --secret-file /path/to/encrypted_data_bag_secret -Fj > ec2_databag_decrypted.json

Stop Chef Zero

Now unload the Chef Zero instance from memory, unless of course we plan to keep using it.

  1. Find PID (ps -e prints only the command name, so the full-format ps -ef is needed to match the -d argument; the [c] pattern keeps the grep process itself out of the results)
    ps -ef | grep '[c]hef-zero -d'
  2. Kill PID
    kill -9 <pid>
