Decrypt Chef encrypted data bag without Knife
08 Mar 2016 in Infrastructure
I found myself in the strange situation where I had an encrypted data bag and the secret key but no way to decrypt it without my friendly operations coworkers.
This script solved all my issues, writing the decrypted data to stdout.
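```ruby
require 'chef/encrypted_data_bag_item'
require 'json'

# Paths to the shared secret and the encrypted data bag item
keyfile = "./secret_environment.key"
encrypted_path = "./my-secret-file.json"

# Load the secret, then decrypt every value in the item
secret = Chef::EncryptedDataBagItem.load_secret(keyfile)
encrypted_data = JSON.parse(File.read(encrypted_path))
plain_data = Chef::EncryptedDataBagItem.new(encrypted_data, secret).to_hash

# Write the decrypted item to stdout as JSON
puts JSON.generate(plain_data)
```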
Make sure to change `keyfile` and `encrypted_path` to match your files.
Invoke the script using Chef's built-in Ruby to make sure that the Chef gem is available:

```bash
/opt/chefdk/embedded/bin/ruby script.rb > decrypted.json
```
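For a machine with no Chef gem at all, the same decryption can be done with Ruby's standard library. This is an added example, not part of the original post and not Chef's own code. It assumes the version 1 to 3 item layout (fields `encrypted_data`, `iv`, `hmac`, `auth_tag`, `version`, `cipher`, with the AES key being the SHA-256 digest of the secret and the plaintext wrapped as `json_wrapper`); version 0 items are rejected, and the sample item and key are constructed.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Decrypt one encrypted value (the hash stored under each key except "id").
# Field names and key derivation are assumptions about Chef's v1-v3 formats.
def decrypt_value(enc, secret)
  version = enc.is_a?(Hash) ? enc['version'] : nil
  name = { 1 => 'aes-256-cbc', 2 => 'aes-256-cbc', 3 => 'aes-256-gcm' }[version]
  raise ArgumentError, "unsupported format version #{version.inspect}" unless name
  raise ArgumentError, 'cipher does not match version' unless enc['cipher'] == name
  if version == 2 # HMAC-SHA256 keyed with the secret, over the base64 text
    mac = OpenSSL::HMAC.digest('sha256', secret, enc.fetch('encrypted_data'))
    ok = OpenSSL.secure_compare(Base64.decode64(enc.fetch('hmac')), mac)
    raise ArgumentError, 'HMAC mismatch: wrong key or tampered item' unless ok
  end

  d = OpenSSL::Cipher.new(name)
  d.decrypt
  d.key = OpenSSL::Digest::SHA256.digest(secret) # set the key before the IV
  d.iv = Base64.decode64(enc.fetch('iv'))
  if version == 3 # GCM: the tag authenticates the ciphertext
    d.auth_tag = Base64.decode64(enc.fetch('auth_tag'))
    d.auth_data = ''
  end
  plain = d.update(Base64.decode64(enc.fetch('encrypted_data'))) + d.final
  JSON.parse(plain).fetch('json_wrapper')
end

# Decrypt a whole item; "id" is stored in the clear.
def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : decrypt_value(v, secret)] }
end

# Constructed sample: build a version 2 value so the script runs offline.
def sample_v2_value(value, secret)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  c.encrypt
  c.key = OpenSSL::Digest::SHA256.digest(secret)
  iv = c.random_iv
  data = Base64.encode64(c.update(JSON.generate({ 'json_wrapper' => value })) + c.final)
  mac = Base64.encode64(OpenSSL::HMAC.digest('sha256', secret, data))
  { 'encrypted_data' => data, 'iv' => Base64.encode64(iv), 'hmac' => mac,
    'version' => 2, 'cipher' => 'aes-256-cbc' }
end
if __FILE__ == $PROGRAM_NAME
  item = { 'id' => 'demo', 'password' => sample_v2_value('s3cr3t', 'constructed-key') }
  puts JSON.generate(decrypt_item(item, 'constructed-key'))
end
```

If you redirect the output to a file as above, set a restrictive umask first (for example `umask 077`), since the file holds plaintext secrets.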