Decrypt Chef encrypted data bag without Knife

This article was published 3 years ago. Due to the rapidly evolving world of technology, some concepts may no longer be applicable.

I found myself in the strange situation where I had an encrypted data bag and the secret key but no way to decrypt it without my friendly operations coworkers.

This script solved all my issues, writing the decrypted data to stdout.

require 'chef/encrypted_data_bag_item'
require 'json'

keyfile = "./secret_environment.key"
encrypted_path = "./my-secret-file.json"

secret = Chef::EncryptedDataBagItem.load_secret(keyfile)
encrypted_data = JSON.parse(
plain_data =, secret).to_hash
puts JSON.generate(plain_data)

Make sure to change keyfile and encrypted_path to match your files.

Invoke the script using Chef’s built in Ruby to make sure that the Chef gem is available

/opt/chefdk/embedded/bin/ruby script.rb > decrypted.json

Thoughts on this post

Jonathan 2016-08-08

Thanks! This worked great and helped me get what I needed without having to get a Chef server up and running.

Saurabh Hirani 2017-08-10

Thanks – this was useful info.

Steve 2018-12-26

Still works, decrypting an older databag that had been stored in source control. Thanks!

Leave a comment?

Leave a Reply