我正在使用加密数据包加密ssh密钥并通过Chef解密。数据包的id为pwind_ssh_rsa_pub_cred,但我真正想要的是ssh密钥的未加密数据。我想然后拿出密钥并将其附加到一个文件,但我目前的代码遇到了一些问题。使用静态值,以下代码有效。另外,我对“decrypted_ssh”的类型感到困惑。
ruby_block "obtainCredentials" do
block do
hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key")
decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key)
Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'"
shell(command)
end
end
应该做哪些修改才能将此ssh密钥解密并从加密数据包中解密出来?任何建议将不胜感激!
答案 0 :(得分:2)
您需要从解密的数据库项目中选择一个元素。
完整示例:
创建密钥和数据库项目:
$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret
$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z
内容:
{
"id": "secretstuff",
"firstsecret": "must remain secret",
"secondsecret": "also very secret"
}
验证
$ knife data bag show mydatabag secretstuff -z
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
firstsecret:
cipher: aes-256-cbc
encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0
qvhn
iv: MhG09xFcwFAqX/IA3BusMg==
version: 1
id: secretstuff
secondsecret:
cipher: aes-256-cbc
encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI
UJ2J
iv: 66AcYpoF4xw/rnYfPegPLw==
version: 1
<强>食谱/测试/食谱/ test.rb
decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret'))
log "firstsecret: #{decrypted['firstsecret']}"
log "secondsecret: #{decrypted['secondsecret']}"
执行食谱
# chef-client -z -o 'recipe[test::test]'
...
Recipe: test::test
* log[firstsecret: must remain secret] action write
* log[secondsecret: also very secret] action write