Knife Commands

There are multiple commands to read, create and modify the encrypted attributes. All the commands will grant access privileges to the affected node by default (encrypted attributes are written in Node Attributes). But you will not be allowed to access them by default, so remember to give your own knife user privileges before creating or saving the attribute.

The ATTRIBUTE name must be specified using dots notation. For example, for node['encrypted']['attribute'], you must specify "encrypted.attribute" as knife argument. If the attribute key has a dot in its name, you must escape it. For example: "encrypted.attribute\.with\.dots".

Read the Chef Users Limitation caveat before trying to use any knife command.

Installing the Required Gem

You need to install the chef-encrypted-attributes gem before using this knife commands.

$ gem install chef-encrypted-attributes

knife.rb

Some configuration values can be set in your local knife.rb configuration file inside the knife[:encrypted_attributes] configuraiton space. For example:

ruby knife[:encrypted_attributes][:users] = '*' # allow access to all knife users

See the API Configuration section for more configuration values.

knife encrypted attribute show

Shows the decrypted attribute content.

$ knife encrypted attribute show NODE ATTRIBUTE (options)

For example:

$ knife encrypted attribute show ftp.example.com myapp.ftp_password

knife encrypted attribute create

Creates an encrypted attribute in a node. The attribute cannot already exist.

$ knife encrypted attribute create NODE ATTRIBUTE (options)

If the input is in JSON format (-i), you can create a JSON in quirk mode like false, 5 or "some string". You don’t need to create an Array or a Hash as the JSON standard forces.

For example:

$ export EDITOR=vi
$ knife encrypted attribute create ftp.example.com myapp.ftp_password \
    -U bob -U alice

knife encrypted attribute update

Updates who can read the attribute (for :client_search and :node_search changes).

$ knife encrypted attribute update NODE ATTRIBUTE (options)

You must be careful to pass the same privilege arguments that you used in its creation (this will surely be fixed in a future).

For example:

$ knife encrypted attribute update ftp.example.com myapp.ftp_password \
    --client-search admin:true \
    --node-search role:webapp \
    -U bob -U alice

knife encrypted attribute edit

Edits an existing encrypted attribute. The attribute must exist.

$ knife encrypted attribute edit NODE ATTRIBUTE (options)

If the input is in JSON format (-i), you can create a JSON in quirk mode like false, 5 or "some string". You don’t need to create an Array or a Hash as the JSON standard forces.

You must be careful to pass the same privilege arguments that you used in its creation (this will surely be fixed in a future).

For example:

$ export EDITOR=vi
$ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
    --client-search admin:true \
    --node-search role:webapp \
    -U bob -U alice

knife encrypted attribute delete

Deletes an existing attribute. If you have no privileges to read it, you must use the --force flag.

$ knife encrypted attribute delete NODE ATTRIBUTE (options)

For example:

$ knife encrypted attribute delete ftp.example.com myapp.ftp_password --force

Knife Options

Short Long Description Valid Values Sub-Commands
  --encrypted-attribute-version Encrypted Attribute protocol version to use "0", "1" (default), "2" create, edit, update
-P --disable-partial-search Disable partial search   create, edit, update
-C --client-search Client search query. Can be specified multiple times   create, edit, update
-N --node-search Node search query. Can be specified multiple times   create, edit, update
-U --user User name to allow access to. Can be specified multiple times   create, edit, update
-i --input-format Input (EDITOR) format "plain" (default), "json" create, edit
-f --force Force the attribute deletion even if you cannot read it   delete