Create Chef encrypted data bag without Chef

This article was published 3 years ago. Due to the rapidly evolving world of technology, some concepts may no longer be applicable.

This is the other half of how to decrypt an encrypted Chef data bag without Knife.

The script reads JSON data from STDIN and writes encrypted data to STDOUT.

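require 'json'
require 'chef/encrypted_data_bag_item'

# Load the shared secret used to encrypt the data bag item
secret = Chef::EncryptedDataBagItem.load_secret('./encrypted_data_bag_secret')
# Read plaintext JSON from STDIN and encrypt every value except "id"
encrypted_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(JSON.parse(STDIN.read), secret)

puts encrypted_data.to_json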

Make sure to change the path passed to load_secret to the location of your data bag secret.

Invoke the script using Chef's built-in Ruby to make sure that the Chef gem is available:

cat input_data.json | /opt/chefdk/embedded/bin/ruby script.rb > enc_databag.json
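A check worth running on the output before committing it, as an added example that is not part of the original post: it confirms that every top-level key except id is an encrypted envelope rather than a plaintext value. The envelope field names are the ones Chef writes for encrypted items; the script name check_databag.rb, the helper name and the sample values are constructed for illustration.

```ruby
require 'json'

# Fields Chef writes for every encrypted value, whatever the format version
# (later versions add "hmac" or "auth_tag" on top of these).
REQUIRED_FIELDS = %w[encrypted_data iv version cipher].freeze

# Return the top-level keys whose values are NOT encrypted envelopes.
# "id" is skipped: Chef leaves it in plaintext so the item can be looked up.
def plaintext_keys(item)
  leaked = item.reject do |key, value|
    key == 'id' ||
      (value.is_a?(Hash) && REQUIRED_FIELDS.all? { |f| value.key?(f) })
  end
  leaked.keys
end

# Constructed sample items (placeholder strings, not real ciphertext).
ENVELOPE = {
  'encrypted_data' => "Q09OU1RSVUNURUQ=\n",
  'iv'             => "Q09OU1RSVUNURUQ=\n",
  'version'        => 1,
  'cipher'         => 'aes-256-cbc'
}.freeze

SAMPLE_GOOD = { 'id' => 'db_creds', 'password' => ENVELOPE }.freeze
# Same item with one value that was added by hand and never encrypted.
SAMPLE_BAD = SAMPLE_GOOD.merge('api_token' => 'plaintext-value').freeze

# Usage (hypothetical script name): ruby check_databag.rb enc_databag.json
if ARGV[0]
  leaked = plaintext_keys(JSON.parse(File.read(ARGV[0])))
  if leaked.empty?
    puts 'OK: all values are encrypted'
  else
    warn "Plaintext values found under keys: #{leaked.join(', ')}"
    exit 1
  end
end
```

The check needs only the standard library, so it can run in a pre-commit hook or CI job on a machine without the Chef gem or the secret.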
