Backup secrets when using chef-vault

For example, I used chef-vault to distribute passwords.

As I understand it:

When we create a vault with:

 knife encrypt create databag item

chef-vault creates TWO data bags:

 databag item

 and

 databag item_keys

Values from the second data bag item are encrypted with the client public keys
stored on the chef-server, which are allowed to decrypt the values.

But I cannot understand what is stored in the first data bag?

If I back up the bags created by chef-vault via knife
download (knife-essentials), and then

lose all private keys of the nodes (admins), for example the building
with the nodes, including the admin machines, burns down,

I cannot decrypt my passwords?

As I understand it, if I don't have my admin key in knife.rb and on
my admin machine, I cannot show the values with the command:

knife encrypt show databag item

And the last question:

What do you think about the following strategy:

  1. Store the secrets in plaintext in only one place. For example on a
    cryptfs filesystem with a VCS system.

For example, JSON files + a script to upload these JSON data bags to the server
with knife encrypt create.

So I can be sure that the passwords and other sensitive information for
deploying all of our infrastructure are in one place.

And for backup I can use strongly ENCRYPTED USB flash drives.

This is a simple and very good solution, I think? Isn't it?


Best regards,

CVision Lab System Administrator
Vladmir Skubriev
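
An added example, not code from the post and not chef-vault's own implementation: a stand-alone Ruby model of the two items the post describes, written with Ruby's OpenSSL so the backup scenario can be run offline. The field names, the SHA-256 key derivation from the shared secret, the AES-GCM choice, the client names and the sample password are all assumptions of the model. It shows what the first item holds (the data, encrypted with a random shared secret and containing no key material), what the second item holds (that shared secret wrapped with each client's public key), and that a knife-download backup of both items can only be restored while at least one matching private key, or a separately kept copy of the shared secret, survives.

```ruby
# Added example, not code from the post or from chef-vault itself: a
# stand-alone model of the "item" / "item_keys" pair using Ruby's OpenSSL.
# Field names, the SHA-256 key derivation and AES-GCM are assumptions made
# for this model; the real chef-vault item layout carries more fields.
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# One RSA key pair per client/admin. The Chef Server only holds the public
# halves; the private halves are what the post worries about losing.
def make_clients(names)
  names.map { |name| [name, OpenSSL::PKey::RSA.new(2048)] }.to_h
end

# The first item: the secret data itself, encrypted with a random shared
# secret (the ordinary encrypted data bag pattern). It carries no key
# material, so on its own it is just ciphertext.
def encrypt_item(data, shared_secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(shared_secret) # modelled key derivation
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(data)) + cipher.final
  {
    'cipher' => 'aes-256-gcm',
    'iv' => Base64.strict_encode64(iv),
    'auth_tag' => Base64.strict_encode64(cipher.auth_tag),
    'encrypted_data' => Base64.strict_encode64(ciphertext)
  }
end

# The second item (item_keys): the shared secret wrapped once per client
# with that client's RSA public key. Any single matching private key opens it.
def build_keys_item(shared_secret, clients)
  wrapped = clients.map do |name, rsa|
    blob = rsa.public_key.public_encrypt(shared_secret, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    [name, Base64.strict_encode64(blob)]
  end.to_h
  wrapped.merge('clients' => clients.keys)
end

def recover_shared_secret(keys_item, name, private_key)
  private_key.private_decrypt(Base64.strict_decode64(keys_item.fetch(name)),
                              OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

def decrypt_item(item, shared_secret)
  cipher = OpenSSL::Cipher.new(item['cipher']).decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(shared_secret)
  cipher.iv = Base64.strict_decode64(item['iv'])
  cipher.auth_tag = Base64.strict_decode64(item['auth_tag'])
  plain = cipher.update(Base64.strict_decode64(item['encrypted_data'])) + cipher.final
  JSON.parse(plain)
end

# The scenario from the post: a knife-download style backup of both items,
# then a restore attempt with whatever private keys survived. Returns the
# decrypted data, or nil when no surviving key matches an entry in item_keys.
def restore_from_backup(backup, surviving_private_keys)
  keys_item = backup['item_keys']
  surviving_private_keys.each do |name, rsa|
    next unless keys_item.key?(name)
    return decrypt_item(backup['item'], recover_shared_secret(keys_item, name, rsa))
  end
  nil
end

def demo
  clients = make_clients(%w[web01 db01 admin])                  # constructed names
  secret_data = { 'db_password' => 'constructed-example-password' } # constructed sample
  shared_secret = SecureRandom.random_bytes(32)
  backup = {
    'item' => encrypt_item(secret_data, shared_secret),
    'item_keys' => build_keys_item(shared_secret, clients)
  }
  {
    admin_key_kept: restore_from_backup(backup, 'admin' => clients['admin']),
    all_keys_lost: restore_from_backup(backup, {}),
    plaintext_copy_kept: decrypt_item(backup['item'], shared_secret)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, result| puts "#{label}: #{result.inspect}" }
end
```

Running `demo` gives the three outcomes the post asks about: with one admin private key the backup restores, with every private key gone it does not, and a plaintext copy of the shared secret (or of the data, as in the proposed strategy) restores regardless of which keys were lost.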