Create Chef encrypted data bag without Chef

This is the other half of how to decrypt an encrypted Chef data bag without Knife.

The script reads JSON data from STDIN and writes encrypted data to STDOUT.

require 'json'
require 'chef/encrypted_data_bag_item'

# Load the shared secret used to encrypt the data bag item
secret = Chef::EncryptedDataBagItem.load_secret('./encrypted_data_bag_secret')
# Read the plain JSON item from STDIN and encrypt it
encrypted_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(JSON.parse(STDIN.read), secret)

puts encrypted_data.to_json

Make sure to change the path passed to load_secret so that it points at your data bag secret.

Invoke the script using Chef's built-in Ruby to make sure that the Chef gem is available:

cat input_data.json | /opt/chefdk/embedded/bin/ruby script.rb > enc_databag.json
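
To see what ends up in enc_databag.json, the following added example (not code from the original post or from Chef) builds and reverses the same kind of envelope with Ruby's OpenSSL bindings alone. It assumes the version 1 item layout (aes-256-cbc, key = SHA-256 of the stripped secret, each value wrapped as json_wrapper); the helper names, secret and item are constructed for illustration.

```ruby
require 'json'
require 'openssl'
require 'base64'

# Assumed version 1 layout; the secret and item below are constructed samples.
CIPHER = 'aes-256-cbc'
SAMPLE_SECRET = "constructed-example-secret\n"
SAMPLE_ITEM = { 'id' => 'db', 'password' => 'hunter2', 'ports' => [5432] }.freeze

# Assumed key derivation: SHA-256 of the whitespace-stripped secret file contents.
def derive_key(secret)
  OpenSSL::Digest.digest('SHA256', secret.strip)
end

# Encrypt one value with a fresh random IV. CBC with no MAC: confidentiality only.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.encode64(data), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => CIPHER }
end

# Refuse envelopes that are not the expected version/cipher before decrypting.
def decrypt_value(envelope, secret)
  unless envelope['version'] == 1 && envelope['cipher'] == CIPHER
    raise ArgumentError, 'unexpected envelope version or cipher'
  end
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = Base64.decode64(envelope.fetch('iv'))
  plain = cipher.update(Base64.decode64(envelope.fetch('encrypted_data'))) + cipher.final
  JSON.parse(plain.force_encoding('UTF-8')).fetch('json_wrapper')
end

# "id" stays in clear text; every other top-level value becomes an envelope.
def encrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : encrypt_value(v, secret)] }
end

def decrypt_item(item, secret)
  item.to_h { |k, v| [k, k == 'id' ? v : decrypt_value(v, secret)] }
end

puts JSON.pretty_generate(encrypt_item(SAMPLE_ITEM, SAMPLE_SECRET)) if __FILE__ == $PROGRAM_NAME
```

Because the item id is left unencrypted and each value gets its own IV, encrypting the same input twice yields different ciphertext, so diffs of the output file do not show which values changed.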

Michael is a polyglot software engineer, committed to reducing complexity in systems and making them more predictable. Working with a variety of languages and tools, he shares his technical expertise to audiences all around the world at user groups and conferences. You can follow @mheap on Twitter
