This repository has been archived by the owner on Mar 6, 2024. It is now read-only.
Examples: CHEF Secrets Management
Daniel Linsley edited this page May 17, 2017
The following examples depend on the Chef Plugin for vRealize Orchestrator.
Note: the Chef Plugin for vRO already implements this by using a single data bag secret per org. If you have multiple secrets per org for your data bags, the approach below is an alternative.
Version 1 encrypted data bag items can be decrypted with the vRO Crypto plugin methods shown here:
```javascript
var databagName = "myDatabag";
var itemName = "secrets";
var secret = "tHeDaTaBaGsEcReT";
// Chef derives the AES key as the SHA-256 digest of the shared secret
var hashedSecretB64 = CryptoDigest.sha256(secret);
// chefHost is a vRO Chef Plugin CHEF:ChefHost object
var itemJSON = chefHost.executeGet("/data/" + databagName + "/" + itemName);
// item is a JSON object of one or more attributes
var item = JSON.parse(itemJSON);
for (var key in item) {
    System.log("Attribute Name: " + key);
    if (item[key].cipher != null) {
        // data bag attribute is encrypted (an object with cipher, version, iv and encrypted_data)
        if (item[key].version == 1) {
            var clearValueB64 = CryptoEncryption.aesDecrypt(item[key].encrypted_data, hashedSecretB64, item[key].iv);
            var clearValue = CryptoEncoding.base64Decode(clearValueB64);
            // for version 1 the decrypted text is the JSON document {"json_wrapper": <value>}
            System.log(clearValue);
        } else {
            System.warn("Sample only supports V1 encryption");
        }
    } else {
        // data bag attribute is not encrypted (for example "id")
        var clearValue = item[key];
        System.log(clearValue);
    }
}
```
Chef Vault encrypts one random shared secret separately for each client, taking advantage of the RSA key pair that already exists for every Chef client.
The Chef Vault secret can be recovered with the following methods:
```javascript
var clientName = "chefUser"; // our client id
var myPrivatePem = ""; // our private PEM
var vaultName = "secrets"; // data bag name
// A Chef Vault consists of two different data bag items:
//   itemName          a regular encrypted data bag item
//   itemName+"_keys"  a cleartext data bag item holding the vault secret, RSA-encrypted
//                     to the public key of each client that may read "itemName"
var itemName = "passwords"; // data bag item name
var itemNameKeys = itemName + "_keys";
// Get our key to the vault
// chefHost is a vRO Chef Plugin CHEF:ChefHost object
var itemJSON = chefHost.executeGet("/data/" + vaultName + "/" + itemNameKeys);
// item is a JSON object of one or more attributes, one per client name
var item = JSON.parse(itemJSON);
var myEncryptedSecret = item[clientName];
// secretB64 is the Base64 form of the 32 random bytes generated when the vault was
// created or refreshed; there is no need to decode it
var secretB64 = CryptoRSA.decrypt(myPrivatePem, myEncryptedSecret);
var hashedSecretB64 = CryptoDigest.sha256Base64(secretB64);
```
Then you can decrypt the respective data bag item with hashedSecretB64, exactly as in the first example.