authorThom May <thom@may.lt>2017-03-08 17:41:22 +0000
committerGitHub <noreply@github.com>2017-03-08 17:41:22 +0000
commitd3247ab49793b525b9de4ae5d0844c60ae8283f5 (patch)
tree767ea145384d11735a6280fade7500d44a857b21
parent416ab0c10f510c7d51d4c6c35741d0cca2a0bc21 (diff)
parentb1dda25b3a74e14ec326bf3fb10b727e6627bb39 (diff)
downloadchef-d3247ab49793b525b9de4ae5d0844c60ae8283f5.tar.gz
Merge pull request #5877 from chef/tm/db_encrypt_version
Use v3 data bag encryption
-rw-r--r--Gemfile.lock2
-rw-r--r--chef-config/lib/chef-config/config.rb9
-rw-r--r--spec/unit/encrypted_data_bag_item_spec.rb12
3 files changed, 10 insertions, 13 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index da643a26f1..e0b6e4bb34 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -222,7 +222,7 @@ GEM
logify (~> 0.1)
mime-types
chef-sugar (3.4.0)
- chef-zero (5.3.0)
+ chef-zero (5.3.1)
ffi-yajl (~> 2.2)
hashie (>= 2.0, < 4.0)
mixlib-log (~> 1.3)
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index 3a55c8233d..bb516942df 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -606,13 +606,10 @@ module ChefConfig
end
end
- # As of Chef 11.0, version "1" is the default encrypted data bag item
- # format. Version "2" is available which adds encrypt-then-mac protection.
- # To maintain compatibility, versions other than 1 must be opt-in.
+ # As of Chef 13.0, version "3" is the default encrypted data bag item
+ # format.
#
- # Set this to `2` if you have chef-client 11.6.0+ in your infrastructure.
- # Set this to `3` if you have chef-client 11.?.0+, ruby 2 and OpenSSL >= 1.0.1 in your infrastructure. (TODO)
- default :data_bag_encrypt_version, 1
+ default :data_bag_encrypt_version, 3
# When reading data bag items, any supported version is accepted. However,
# if all encrypted data bags have been generated with the version 2 format,
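Review bot: The rewritten `# As of Chef 13.0` comment drops the compatibility guidance that the removed lines carried, and this default decides which nodes can still read newly written items, so it should say when to opt back down: the removed text noted that format 3 needs ruby 2 and OpenSSL >= 1.0.1 on the reading side, and the spec hunk shows format 3 is `aes-256-gcm`, which presumably older chef-clients cannot decrypt. I would keep one sentence after `# format.`, e.g. `# Set this to 1 or 2 if chef-clients that cannot read version 3 items still need to decrypt these data bags.` The two trailing context lines still describe "the version 2 format" as the target for the read-side setting and now read as stale; that paragraph continues past the hunk, as does the enclosing `ChefConfig` module.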
diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb
index a8fb144bf7..14b5d9eb28 100644
--- a/spec/unit/encrypted_data_bag_item_spec.rb
+++ b/spec/unit/encrypted_data_bag_item_spec.rb
@@ -39,7 +39,7 @@ describe Chef::EncryptedDataBagItem::Encryptor do
let(:key) { "passwd" }
it "encrypts to format version 1 by default" do
- expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor)
+ expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor)
end
describe "generating a random IV" do
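Review bot: The example description above the changed expectation still reads `it "encrypts to format version 1 by default" do` while the assertion now expects `Version3Encryptor`, so a future failure would be reported under a misleading name. Change it to `it "encrypts to format version 3 by default" do`. The enclosing `describe` block starts and ends outside the hunk.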
@@ -66,8 +66,8 @@ describe Chef::EncryptedDataBagItem::Encryptor do
final_data = encryptor.for_encrypted_item
expect(final_data["encrypted_data"]).to eq encryptor.encrypted_data
expect(final_data["iv"]).to eq Base64.encode64(encryptor.iv)
- expect(final_data["version"]).to eq 1
- expect(final_data["cipher"]).to eq "aes-256-cbc"
+ expect(final_data["version"]).to eq 3
+ expect(final_data["cipher"]).to eq "aes-256-gcm"
end
end
@@ -238,7 +238,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do
context "when decrypting a version 1 (JSON+aes-256-cbc+random iv) encrypted value" do
let(:encrypted_value) do
- Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
+ Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
end
it "selects the correct strategy for version 1" do
@@ -336,7 +336,7 @@ describe Chef::EncryptedDataBagItem do
end
it "encrypts non-collection objects" do
- expect(encoded_data["greeting"]["version"]).to eq 1
+ expect(encoded_data["greeting"]["version"]).to eq 3
expect(encoded_data["greeting"]).to have_key("iv")
iv = encoded_data["greeting"]["iv"]
@@ -346,7 +346,7 @@ describe Chef::EncryptedDataBagItem do
end
it "encrypts nested values" do
- expect(encoded_data["nested"]["version"]).to eq 1
+ expect(encoded_data["nested"]["version"]).to eq 3
expect(encoded_data["nested"]).to have_key("iv")
iv = encoded_data["nested"]["iv"]