Keeping this one short and simple. Sometimes you need to back up the encrypted data bags on your Chef Server. If you just run knife data bag show, knife loads your local knife.rb, picks up the encrypted_data_bag_secret configured there, and decrypts the item before printing it. That defeats the purpose of keeping an encrypted backup.

I’ve seen some hacks where people remove the encrypted_data_bag_secret parameter from their knife.rb, but in recent versions knife simply errors out when it fails to decrypt an encrypted data bag.

Sharpening Your Knife Skills

To get around this, the following uses the knife raw sub-command, which returns the raw response from the Chef Server. Nothing on the client touches the payload, so the encrypted fields come back exactly as stored. Redirecting that output to a file gives a quick and, most importantly, script-friendly way to back up data bag items.

Example:

    knife raw /data/users/persona -z > users/persona.json

Note that -z (--local-mode) points knife at a local chef-zero instance rather than the Chef Server configured in knife.rb; drop it when the backup should come from the server itself.

The following script takes this a step further: it grabs the list of your data bags, lists the items in each one, creates a local backup directory and writes every item out with knife raw.

    #!/bin/bash
    # Back up every data bag item as the raw (still-encrypted) JSON the Chef Server returns.
    set -euo pipefail
    for databag in $(knife data bag list); do
        # "knife data bag show BAG" only lists item IDs; nothing is decrypted here.
        mkdir -p "bkp/$databag"
        for item in $(knife data bag show "$databag"); do
            knife raw "/data/$databag/$item" > "bkp/$databag/$item.json"
        done
    done
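Before shipping the backup anywhere, it is worth confirming that every item really is still encrypted, since a stray secret in knife.rb or a non-encrypted data bag will leave plaintext in the tree. The audit below is an added example, not code from the original post: it walks the bkp/<bag>/<item>.json layout the script above produces and reports every field stored in the clear. It recognises Chef encrypted data bag formats 1 through 3 (an encrypted field is a dict carrying encrypted_data, iv, version and cipher; format 3 adds auth_tag). The sample items, bag and item names, and the ciphertext strings are constructed placeholders for the demo, not real data.

```python
"""Audit a knife-raw data bag backup: report any item field that is not encrypted."""
import json
import os
import tempfile

# Keys every encrypted field carries in Chef encrypted data bag formats 1 to 3
# (format 2 adds "hmac", format 3 uses aes-256-gcm and adds "auth_tag").
ENCRYPTED_FIELD_KEYS = {"encrypted_data", "iv", "version", "cipher"}


def field_is_encrypted(value):
    """An encrypted item stores each non-id field as a dict of ciphertext metadata."""
    return isinstance(value, dict) and ENCRYPTED_FIELD_KEYS <= set(value)


def plaintext_fields(item):
    """Names of fields stored in the clear. 'id' is always plaintext by design."""
    return sorted(k for k, v in item.items() if k != "id" and not field_is_encrypted(v))


def audit_backup(backup_dir):
    """Walk <backup_dir>/<bag>/<item>.json and return {"bag/item": [plaintext fields]}
    for every item that has at least one field in the clear."""
    findings = {}
    for bag in sorted(os.listdir(backup_dir)):
        bag_dir = os.path.join(backup_dir, bag)
        if not os.path.isdir(bag_dir):
            continue
        for name in sorted(os.listdir(bag_dir)):
            if not name.endswith(".json"):
                continue
            with open(os.path.join(bag_dir, name)) as fh:
                item = json.load(fh)
            leaked = plaintext_fields(item)
            if leaked:
                findings["%s/%s" % (bag, item.get("id", name[:-5]))] = leaked
    return findings


# Constructed sample items (not real data). The ciphertext strings are placeholders
# in the base64 shape knife raw returns; they do not decrypt to anything.
ENCRYPTED_V1_ITEM = {
    "id": "persona",
    "password": {
        "encrypted_data": "c2FtcGxlLWNpcGhlcnRleHQ=\n",
        "iv": "c2FtcGxlLWl2\n",
        "version": 1,
        "cipher": "aes-256-cbc",
    },
}
ENCRYPTED_V3_ITEM = {
    "id": "deploy",
    "ssh_key": {
        "encrypted_data": "c2FtcGxlLWNpcGhlcnRleHQ=\n",
        "iv": "c2FtcGxlLWl2\n",
        "auth_tag": "c2FtcGxlLXRhZw==\n",
        "version": 3,
        "cipher": "aes-256-gcm",
    },
}
# What you get if knife decrypted the item before it was written out.
DECRYPTED_ITEM = {"id": "svc", "password": "hunter2", "comment": "rotated 2024"}


def build_sample_backup():
    """Write the constructed items into a temporary bkp/<bag>/<item>.json tree."""
    root = tempfile.mkdtemp(prefix="bkp-")
    os.makedirs(os.path.join(root, "users"))
    for item in (ENCRYPTED_V1_ITEM, ENCRYPTED_V3_ITEM, DECRYPTED_ITEM):
        with open(os.path.join(root, "users", item["id"] + ".json"), "w") as fh:
            json.dump(item, fh)
    return root


if __name__ == "__main__":
    for path, fields in audit_backup(build_sample_backup()).items():
        print("PLAINTEXT %s: %s" % (path, ", ".join(fields)))
```

Run it against the real bkp directory by calling audit_backup("bkp") in place of the sample tree; an empty result means every non-id field in every item is still ciphertext, and a non-empty one names exactly which items to treat as compromised or to re-export without a secret in knife.rb.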

You can of course get creative with what you do with your new, still-encrypted data bag output.
