Create Chef encrypted data bag without Chef

30 Jun 2016 in Infrastructure

This is the other half of how to decrypt an encrypted Chef data bag without Knife.

The script reads JSON data from STDIN and writes encrypted data to STDOUT.

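require 'json'
require 'chef/encrypted_data_bag_item'
# Load the shared secret used to encrypt and decrypt the data bag item
secret = Chef::EncryptedDataBagItem.load_secret('./encrypted_data_bag_secret')
# Parse the plaintext JSON from STDIN and encrypt every value except "id"
encrypted_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(JSON.parse(STDIN.read), secret)
# Write the encrypted item to STDOUT as JSON
puts encrypted_data.to_json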

Make sure to change the path passed to load_secret so that it points to your data bag secret file.

Invoke the script using Chef's built-in Ruby to make sure that the Chef gem is available:

cat input_data.json | /opt/chefdk/embedded/bin/ruby script.rb > enc_databag.json
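
Before committing enc_databag.json, it is worth checking that no value was left in plaintext. The following is an added example, not code from the original post or from Chef: it assumes each encrypted value is a hash carrying the encrypted_data, iv, version and cipher fields, and the helper names and sample item are constructed for illustration.

```ruby
require 'json'

# Fields assumed present on every encrypted value (format versions 1-3).
REQUIRED_FIELDS = %w[encrypted_data iv version cipher].freeze

# True if str is non-empty Base64. Chef emits line-wrapped Base64, so
# newlines are removed before the strict ("m0") decode.
def base64?(str)
  return false unless str.is_a?(String) && !str.strip.empty?
  str.delete("\n").unpack1('m0')
  true
rescue ArgumentError
  false
end

# True if value has the shape of an encrypted data bag value.
def encrypted_value?(value)
  value.is_a?(Hash) &&
    REQUIRED_FIELDS.all? { |f| value.key?(f) } &&
    base64?(value['encrypted_data']) && base64?(value['iv'])
end

# Returns the keys of item whose values are still plaintext.
# "id" is skipped: Chef leaves it unencrypted by design.
def plaintext_keys(item)
  item.reject { |k, v| k == 'id' || encrypted_value?(v) }.keys
end

# Constructed sample: "password" is wrapped, "api_key" was pasted in
# after encryption, "token" has a wrapper with a corrupted IV.
SAMPLE = JSON.parse(<<~'JSON')
  {
    "id": "app_secrets",
    "password": {"encrypted_data": "c2FtcGxlIGNpcGhlcnRleHQ=\n",
                 "iv": "MDEyMzQ1Njc4OWFiY2RlZg==\n",
                 "version": 1, "cipher": "aes-256-cbc"},
    "api_key": "not-encrypted",
    "token": {"encrypted_data": "c2FtcGxl", "iv": "%%%",
              "version": 1, "cipher": "aes-256-cbc"}
  }
JSON

leaks = plaintext_keys(SAMPLE)
puts leaks.empty? ? 'all values encrypted' : "plaintext keys: #{leaks.join(', ')}"
```

This only checks the shape of each value; confirming that the item decrypts with the intended secret still requires a round trip through Chef.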