This repository has been archived by the owner on Mar 6, 2024. It is now read-only.

Examples: CHEF Secrets Management

Daniel Linsley edited this page May 17, 2017 · 6 revisions

Encrypted Data Bags (V1)

The following examples depend on the Chef Plugin for vRealize Orchestrator (vRO). All code is vRO workflow scripting (JavaScript); CryptoDigest, CryptoEncryption, CryptoEncoding and CryptoRSA are the vRO crypto plugin objects.

Note: The Chef Plugin for vRO already implements this using a single secret per org. If you have multiple secrets per org for data bags, this is an alternative approach.

Decrypting a V1 Encrypted Data Bag

V1 encrypted data bags can be decrypted with the following vRO script. Each attribute of the item is a separately encrypted value, and the AES key is the SHA-256 digest of the shared secret:

var databagName = "myDatabag";
var itemName = "secrets";
//Sample value only: in a real workflow take the secret from a SecureString input or attribute, not a literal in the script
var secret = "tHeDaTaBaGsEcReT";
//V1 items are AES encrypted with the SHA-256 digest of the shared secret as the key
var hashedSecretB64 = CryptoDigest.sha256(secret);
//chefHost is a vRO Chef Plugin CHEF:ChefHost object
var itemJSON = chefHost.executeGet("/data/"+databagName+"/"+itemName);
//item is a JSON object of one or more attributes
var item = JSON.parse(itemJSON);

for (var key in item) {
    System.log("Attribute Name: "+key);
    if (item[key].cipher != null) {
        //databag attribute is encrypted: encrypted_data and iv are Base64 strings
        if (item[key].version == 1) {
            var clearValueB64 = CryptoEncryption.aesDecrypt(item[key].encrypted_data, hashedSecretB64, item[key].iv);
            var clearValue = CryptoEncoding.base64Decode(clearValueB64);
            //Sample only: logging the cleartext writes the secret to the vRO log
            System.log(clearValue);
        } else {
            System.warn("Sample only supports V1 encryption");
        }
    } else {
        //databag attribute is not encrypted (for example the "id" attribute)
        var clearValue = item[key];
        System.log(clearValue);
    }
}

Chef Vault

Chef Vault encrypts a random common secret per client. It takes advantage of the RSA key pairs created for each Chef client.

Getting the Chef Vault Secret for a Client

The Chef Vault secret for a client can be recovered with the following vRO script:

var clientName = "chefUser"; //our client id
//Sample only: in a real workflow take the private key from a SecureString input or attribute, not a literal in the script
var myPrivatePem = ""; //our private PEM
var vaultName = "secrets";  //data bag name
//A Chef Vault consists of two different data bag items:
//    itemName          a regular encrypted databag item
//    itemName+"_keys"  a cleartext databag item that holds the RSA encrypted key of each client to the "itemName" item
var itemName = "passwords";  //data bag item name
var itemNameKeys = itemName+"_keys";

//Get our key to the vault
//chefHost is a vRO Chef Plugin CHEF:ChefHost object
var itemJSON = chefHost.executeGet("/data/"+vaultName+"/"+itemNameKeys);
//item is a JSON object of one or more attributes
var item = JSON.parse(itemJSON);

//The keys item has one attribute per authorized client, named after the client
var myEncryptedSecret = item[clientName];
if (myEncryptedSecret == null) {
    throw "Client "+clientName+" is not authorized for vault "+vaultName+"/"+itemName;
}
//secretB64 is 32 random bytes that were generated when the vault was created or refreshed.
//    no need to decode it from Base64
var secretB64 = CryptoRSA.decrypt(myPrivatePem, myEncryptedSecret);
var hashedSecretB64 = CryptoDigest.sha256Base64(secretB64);

hashedSecretB64 is the AES key for the vault's own data bag item (itemName, not itemNameKeys), which you then decrypt exactly as in the V1 example above.
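To show the on-disk formats that both scripts above consume, here is an added, runnable example. It is not code from this wiki or from the vRO Chef Plugin, and it is written in Ruby (the language in which Chef and chef-vault define these formats) rather than vRO JavaScript so it runs outside vRO. It builds a V1 encrypted data bag item the way Chef does (AES-256-CBC, key = raw SHA-256 digest of the shared secret, plaintext wrapped as {"json_wrapper": value}, "id" left in the clear), wraps a random 32-byte vault secret to each client's RSA public key into the "_keys" item (PKCS#1 v1.5, the OpenSSL public_encrypt default that chef-vault relies on), and then follows the same path as the two scripts: unwrap the secret with the client's private key, hash it, decrypt the item. The key pairs, client names, vault contents and the helper names (encrypt_v1_value, decrypt_v1_value, decrypt_item, build_vault, unwrap_vault_secret, demo) are all constructed for this example.

```ruby
require "openssl"
require "json"

# Chef V1 encrypted data bag items: every attribute except "id" is a separate
# {encrypted_data, iv, version, cipher} record. The AES key is the raw SHA-256
# digest of the shared secret and the plaintext is JSON of {"json_wrapper"=>value}.
CIPHER = "aes-256-cbc".freeze

def v1_key(secret)
  OpenSSL::Digest.digest("SHA256", secret)
end

def encrypt_v1_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = v1_key(secret)
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  {
    "encrypted_data" => [ciphertext].pack("m"), # pack("m") is Base64 with line breaks, as Chef writes it
    "iv" => [iv].pack("m"),
    "version" => 1,
    "cipher" => CIPHER,
  }
end

def decrypt_v1_value(field, secret)
  raise "unsupported encrypted data bag version #{field['version']}" unless field["version"] == 1
  raise "unexpected cipher #{field['cipher']}" unless field["cipher"] == CIPHER
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = v1_key(secret)
  cipher.iv = field["iv"].unpack1("m")
  plain = cipher.update(field["encrypted_data"].unpack1("m")) + cipher.final # wrong key -> CipherError
  JSON.parse(plain).fetch("json_wrapper")
end

# Walk a whole item the way the vRO loop does: records carrying "cipher" are
# decrypted, everything else ("id", plain attributes) is passed through.
def decrypt_item(item, secret)
  item.each_with_object({}) do |(name, field), out|
    encrypted = field.is_a?(Hash) && field.key?("cipher")
    out[name] = encrypted ? decrypt_v1_value(field, secret) : field
  end
end

# Chef Vault: one random 32-byte secret per vault item, RSA-encrypted to each
# authorised client's public key and stored in the cleartext "<item>_keys" item.
def build_vault(item_name, values, client_public_keys)
  secret = OpenSSL::Random.random_bytes(32)
  data = { "id" => item_name }
  values.each { |name, value| data[name] = encrypt_v1_value(value, secret) }
  keys = { "id" => "#{item_name}_keys", "clients" => client_public_keys.keys, "admins" => [] }
  client_public_keys.each do |client, pub|
    keys[client] = [pub.public_encrypt(secret)].pack("m") # PKCS#1 v1.5, OpenSSL's default
  end
  [data, keys]
end

def unwrap_vault_secret(keys_item, client_name, private_key)
  wrapped = keys_item[client_name]
  raise "client #{client_name} is not authorised for #{keys_item['id']}" if wrapped.nil?
  private_key.private_decrypt(wrapped.unpack1("m"))
end

# Constructed scenario: two clients share a vault, web01 reads it back.
def demo
  web01_key = OpenSSL::PKey::RSA.new(2048) # stand-in for the client's Chef key pair
  web02_key = OpenSSL::PKey::RSA.new(2048)
  data, keys = build_vault("passwords", { "db" => "s3cr3t" },
                           "web01" => web01_key.public_key, "web02" => web02_key.public_key)
  secret = unwrap_vault_secret(keys, "web01", web01_key)
  decrypt_item(data, secret) # => {"id"=>"passwords", "db"=>"s3cr3t"}
end

puts JSON.pretty_generate(demo) if __FILE__ == $PROGRAM_NAME
```

The check in unwrap_vault_secret is the Ruby counterpart of looking up item[clientName] in the "_keys" item: a client that is not listed there has no wrapped copy of the secret and cannot decrypt the vault at all, which is what makes adding and removing clients (and refreshing the secret afterwards) the access-control mechanism of Chef Vault.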