Class: Chef::EncryptedDataBagItem
- Defined in:
- lib/chef/encrypted_data_bag_item.rb
Overview
An EncryptedDataBagItem represents a read-only data bag item where all values, except for the value associated with the id key, have been encrypted.
EncrypedDataBagItem can be used in recipes to decrypt data bag item members.
Data bag item values are assumed to have been encrypted using the default symmetric encryption provided by Encryptor.encrypt where values are converted to YAML prior to encryption.
If the shared secret is not specified at initialization or load, then the contents of the file referred to in Chef::Config will be used as the secret. The default path is /etc/chef/encrypted_data_bag_secret
EncryptedDataBagItem is intended to provide a means to avoid storing data bag items in the clear on the Chef server. This provides some protection against a breach of the Chef server or of Chef server backup data. Because the secret must be stored in the clear on any node needing access to an EncryptedDataBagItem, this approach provides no protection of data bag items from actors with access to such nodes in the infrastructure.
Defined Under Namespace
Modules: Decryptor Classes: DecryptionFailure, Encryptor, UnsupportedCipher, UnsupportedEncryptedDataBagItemFormat
Constant Summary collapse
- DEFAULT_SECRET_FILE =
"/etc/chef/encrypted_data_bag_secret"- ALGORITHM =
'aes-256-cbc'
Class Method Summary collapse
- .encrypt_data_bag_item(plain_hash, secret) ⇒ Object
- .load(data_bag, name, secret = nil) ⇒ Object
- .load_secret(path = nil) ⇒ Object
Instance Method Summary collapse
- #[](key) ⇒ Object
- #[]=(key, value) ⇒ Object
-
#initialize(enc_hash, secret) ⇒ EncryptedDataBagItem
constructor
A new instance of EncryptedDataBagItem.
- #to_hash ⇒ Object
Constructor Details
#initialize(enc_hash, secret) ⇒ EncryptedDataBagItem
Returns a new instance of EncryptedDataBagItem.
260 261 262 263 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 260 def initialize(enc_hash, secret) @enc_hash = enc_hash @secret = secret end |
Class Method Details
.encrypt_data_bag_item(plain_hash, secret) ⇒ Object
282 283 284 285 286 287 288 289 290 291 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 282 def self.encrypt_data_bag_item(plain_hash, secret) plain_hash.inject({}) do |h, (key, val)| h[key] = if key != "id" Encryptor.new(val, secret).for_encrypted_item else val end h end end |
.load(data_bag, name, secret = nil) ⇒ Object
293 294 295 296 297 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 293 def self.load(data_bag, name, secret = nil) raw_hash = Chef::DataBagItem.load(data_bag, name) secret = secret || self.load_secret self.new(raw_hash, secret) end |
.load_secret(path = nil) ⇒ Object
299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 299 def self.load_secret(path=nil) path = path || Chef::Config[:encrypted_data_bag_secret] || DEFAULT_SECRET_FILE secret = case path when /^\w+:\/\// # We have a remote key begin Kernel.open(path).read.strip rescue Errno::ECONNREFUSED raise ArgumentError, "Remote key not available from '#{path}'" rescue OpenURI::HTTPError raise ArgumentError, "Remote key not found at '#{path}'" end else if !File.exists?(path) raise Errno::ENOENT, "file not found '#{path}'" end IO.read(path).strip end if secret.size < 1 raise ArgumentError, "invalid zero length secret in '#{path}'" end secret end |
Instance Method Details
#[](key) ⇒ Object
265 266 267 268 269 270 271 272 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 265 def [](key) value = @enc_hash[key] if key == "id" || value.nil? value else Decryptor.for(value, @secret).for_decrypted_item end end |
#[]=(key, value) ⇒ Object
274 275 276 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 274 def []=(key, value) raise ArgumentError, "assignment not supported for #{self.class}" end |
#to_hash ⇒ Object
278 279 280 |
# File 'lib/chef/encrypted_data_bag_item.rb', line 278 def to_hash @enc_hash.keys.inject({}) { |hash, key| hash[key] = self[key]; hash } end |