我正在使用加密数据包来加密 ssh key 并通过 Chef 对其进行解密。数据包的 id 为 pwind_ssh_rsa_pub_cred,但我真正想要的是 ssh key 的未加密数据。然后我想获取 key 并将其附加到文件中,但我当前拥有的代码遇到了一些问题。对于静态值,下面的代码可以工作。此外,我对“decrypted_ssh”的类型很困惑。
ruby_block "obtainCredentials" do
block do
hadoop_key = Chef::EncryptedDataBagItem.load_secret("/home/ec2-user/project_data_bag_key")
decrypted_ssh = Chef::EncryptedDataBagItem.load("pwind_keys", "pwind_ssh_rsa_pub_credentials", hadoop_key)
Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
command = "su - 'root' -c 'cd /home/ec2-user; cd .ssh; echo #{decrypted_ssh} >> .authorized_keys'"
shell(command)
end
end
应该进行哪些修改才能解密此 ssh key 并将其从加密数据包中取出?任何建议将不胜感激!
最佳答案
您需要从解密的数据包项中选择一个元素。
完整示例:
创建 key 和数据包项目:
$ openssl rand -base64 512 | tr -d '\r\n' > /tmp/encrypted_data_bag_secret
$ knife data bag create mydatabag secretstuff --secret-file /tmp/encrypted_data_bag_secret -z
内容:
{
"id": "secretstuff",
"firstsecret": "must remain secret",
"secondsecret": "also very secret"
}
验证:
$ knife data bag show mydatabag secretstuff -z
WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.
firstsecret:
cipher: aes-256-cbc
encrypted_data: VafoT8Jc0lp7o4erCxz0WBrJYXjK6j+sJ+WGKJftX4BVF391rA1zWyHpToF0
qvhn
iv: MhG09xFcwFAqX/IA3BusMg==
version: 1
id: secretstuff
secondsecret:
cipher: aes-256-cbc
encrypted_data: Epj+2DuMOsf5MbDCOHEep7S12F6Z0kZ5yMuPv4a3Cr8dcQWCk/pd58OPGQgI
UJ2J
iv: 66AcYpoF4xw/rnYfPegPLw==
version: 1
cookbooks/test/recipes/test.rb
decrypted = data_bag_item('mydatabag', 'secretstuff', IO.read('/tmp/encrypted_data_bag_secret'))
log "firstsecret: #{decrypted['firstsecret']}"
log "secondsecret: #{decrypted['secondsecret']}"
执行配方
# chef-client -z -o 'recipe[test::test]'
...
Recipe: test::test
* log[firstsecret: must remain secret] action write
* log[secondsecret: also very secret] action write
关于encryption - Chef解密数据包并找回 key ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34057858/