
How do encrypted data bags work exactly #108

Open
onknows opened this issue Jan 13, 2015 · 3 comments

onknows commented Jan 13, 2015

The readme has some info on encrypted data bags but it is still not clear to me how they can be used.

I created a file called config similar to

{
      "id": "_wildcard",
      "credentials": {
        "default_admin": {
          "username": "admin",
          "password": "****"
        },
        "updated_admin": {
          "username": "admin",
          "password": "****"
        },
      },
      "license": {
        "file": "base64d license file"
      }
    }

Then when I run the command

ostraaten@kore:/media/Data/WCs/ok-chef/uw/trunk$ knife data bag create nexus _wildcard -c config --secret-file /home/ostraaten/encrypted_data_bag_secret 
 ERROR: You have invalid ruby syntax in your config file /media/Data/WCs/ok-chef/uw/trunk/config
     /media/Data/WCs/ok-chef/uw/trunk/config:2: syntax error, unexpected ':', expecting =>
      "id": "_wildcard",
       ^
/media/Data/WCs/ok-chef/uw/trunk/config:2: syntax error, unexpected ',', expecting end-of-input

     # /media/Data/WCs/ok-chef/uw/trunk/config
  1: {
  2:       "id": "_wildcard",
  3:       "credentials": {

So the command expects Ruby but the README uses JSON.


onknows commented Jan 13, 2015

It seems it is also not valid json. What is it actually?

2.1.1 :003 > JSON.parse(File.read('config'))
JSON::ParserError: 757: unexpected token at '{
      "id": "_wildcard",
      "credentials": {
        "default_admin": {


onknows commented Jan 13, 2015

It is JSON but not valid, there is one , too many.

This thing only works on a Chef server it seems

ostraaten@kore:/media/Data/WCs/ok-chef/uw/trunk$ knife data bag create nexus _wildcard -c    config2 --secret-file /home/ostraaten/encrypted_data_bag_secret 
ERROR: Your private key could not be loaded from /etc/chef/client.pem
Check your configuration file and ensure that your private key is readable

Can encrypted data bags be used when using hosted chef?


fishnix commented Feb 3, 2015

@ostraaten seems you have a few issues going on.

Your data bag is not the same as a knife config file, which is what knife -c config is expecting, and you're getting an error about the private key because the client_key attribute doesn't exist in that file (because it's not a knife config).

Here is an example of a knife config (i.e. knife.rb)

current_dir = File.dirname(__FILE__)
log_level                 :info
log_location            STDOUT
node_name            "client_name"
client_key               "#{ENV['HOME']}/.chef/client.pem"
validation_client_name   "chef-validator"
validation_key            "#{ENV['HOME']}/.chef/chef-validator.pem"
chef_server_url          "https://api.opscode.com/organizations/yourorgname"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks",
                          "./cookbooks"]

cookbook_copyright "Mr. Cookbook"
cookbook_email     "[email protected]"
cookbook_license   "apachev2"

Encrypted data bags can definitely be used with hosted chef. What I tend to do is use the knife solo data bag plugin to create my encrypted data bags:

export EDITOR=vi
cd chef-repo
knife solo data bag create foo bar --secret-file=/path/to/secret --data-bag-path=data_bags 
knife data bag create foo -c knife_config.rb
knife data bag from file foo/bar.json -c knife_config.rb

This will create a data bag item in data_bags/foo/bar.json encrypted with the file /path/to/secret and then you load that into hosted Chef.

This is obviously not necessary, you can just:

export EDITOR=vi
knife data bag create foo -c knife_config.rb
knife data bag create foo bar -c knife_config.rb --secret-file=secret

but I like to load data bags from a file.
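To answer the title question ("how do encrypted data bags work exactly"), here is an added example that is not code from this project or from either poster. It mirrors the layout I understand Chef uses for version-1 encrypted data bag items (SHA-256 of the secret file as the AES-256-CBC key, one random IV per field, base64 output); that layout, the module name and the sample item and secret are my assumptions, not anything stated in this thread.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'

# Added example, not this project's code. Mirrors the layout I understand
# Chef uses for version-1 encrypted data bag items: the shared secret file is
# hashed with SHA-256 into an AES-256-CBC key, every field except "id" is
# encrypted separately under a fresh IV, and the result is base64 in JSON.
module DataBagCrypto
  CIPHER = 'aes-256-cbc'.freeze
  # Only the digest of the secret file is used, so the file can be any length.
  def self.key_from_secret(secret)
    Digest::SHA256.digest(secret.strip)
  end

  def self.encrypt_field(value, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key_from_secret(secret)
    iv = cipher.random_iv
    # Wrapping the value in an object lets any JSON type round-trip.
    ciphertext = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
    { 'encrypted_data' => Base64.strict_encode64(ciphertext),
      'iv' => Base64.strict_encode64(iv), 'version' => 1, 'cipher' => CIPHER }
  end

  # A wrong secret normally surfaces as a padding error; v1 carries no MAC.
  def self.decrypt_field(field, secret)
    cipher = OpenSSL::Cipher.new(field.fetch('cipher')).decrypt
    cipher.key = key_from_secret(secret)
    cipher.iv = Base64.strict_decode64(field.fetch('iv'))
    plain = cipher.update(Base64.strict_decode64(field.fetch('encrypted_data'))) + cipher.final
    JSON.parse(plain).fetch('json_wrapper')
  end

  # "id" stays in the clear because the server indexes items by it.
  def self.encrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : encrypt_field(v, secret) }
  end

  def self.decrypt_item(item, secret)
    item.each_with_object({}) { |(k, v), out| out[k] = k == 'id' ? v : decrypt_field(v, secret) }
  end
end

# Constructed sample, shaped like the item in the question (stray comma removed).
SAMPLE_ITEM = { 'id' => '_wildcard',
                'credentials' => { 'default_admin' => { 'username' => 'admin', 'password' => 'example' } },
                'license' => { 'file' => 'base64d license file' } }.freeze
SAMPLE_SECRET = "constructed-secret-for-this-example\n".freeze
```

The point for the original poster: the secret file never reaches the Chef server; the server only stores the encrypted_data/iv blobs, and any node that needs to read the item must have the same secret file locally.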
