Databag Key not found on node

While using Chef’s Databag, I created a databag on workstation with an openssl key for encryption.

Now when calling chef-client on a node to call the recipes and databag use on the node, I need the key to decrypt my databag item on the node.

How can I manage my openssl key so that the node can also read it?

What I tried was keeping the key in files and then using the cookbook_file resource to call the key at runtime on the node, but the issue is that before the cookbook_file resource runs, the Encrypted key_load function searches for the key on the node and gives an error.

How do I get rid of the problem?


What you are trying to achieve sounds pretty much like what chef-vault does. Did you consider using it?

As mentioned… how can I use a template to load my key from my workstation to the node at runtime?

When trying to call the key through the cookbook_file resource… and using the below-mentioned code inside a recipe along with the cookbook_file resource, then before running this resource my_secret is trying to load the path and the file is missing, because cookbook_file will run after this but it should run before.


And this secret key needs to be created from cookbook_file… which should run before the load command, but it is running afterwards.

If you create the secret key by a cookbook_file then encrypting is completely useless. This undermines all security. Please, you should really have a look at chef-vault.

However, if you really want to do it this way, although this makes encryption useless, have a look at lazy evaluation: This is exactly what you want/need.
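The ordering problem and the lazy evaluation discussed above, as an added example that is not part of the original thread and is not Chef's code: a toy Ruby model of a Chef run, where recipe code executes in a compile phase and queued resources execute afterwards in a converge phase. `MiniRun`, `use_secret`, `load_secret`, `demo` and the key path are hypothetical stand-ins, and real Chef's `lazy` returns a delayed-evaluator object rather than the plain Proc used here.

```ruby
# Toy model of a Chef run (constructed for illustration; not Chef's implementation).
# Compile phase: recipe Ruby runs top to bottom and resources are only queued.
# Converge phase: the queued resources execute in order.
class MiniRun
  attr_reader :log

  def initialize
    @disk = {}    # in-memory stand-in for the node's filesystem
    @queue = []   # resource collection built while compiling
    @log = []
  end

  # Stand-in for Chef's lazy: keep the block, evaluate it only at converge.
  def lazy(&blk); blk; end

  # Stand-in for cookbook_file: the file appears only at converge time.
  def cookbook_file(path, content)
    @queue << -> { @disk[path] = content; @log << "wrote #{path}" }
  end

  # Hypothetical resource that consumes the secret (plain or lazy value).
  def use_secret(secret)
    @queue << lambda {
      value = secret.respond_to?(:call) ? secret.call : secret
      @log << "decrypting with #{value.length}-byte key"
    }
  end

  # Stand-in for reading the secret file; fails if the file is not there yet.
  def load_secret(path)
    @disk.fetch(path) { raise IOError, "no such file: #{path}" }
  end

  def run(&recipe)
    instance_eval(&recipe)   # compile phase
    @queue.each(&:call)      # converge phase
    self
  end
end

KEY_PATH = '/etc/chef/demo_secret' # constructed path

# :eager loads the key while the recipe compiles; :lazy defers it to converge.
def demo(mode)
  MiniRun.new.run do
    cookbook_file KEY_PATH, 'constructed-key'
    use_secret(mode == :lazy ? lazy { load_secret(KEY_PATH) } : load_secret(KEY_PATH))
  end
end
```

`demo(:eager)` raises during the compile phase because nothing has been written yet, which is the error described in the question; `demo(:lazy)` completes because the block is evaluated after the file resource has converged.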

Can you explain chef vault via example code so that it can be clear?
I am not clear on that concept.
Can you explain with a databag having a password to be handled?

There are already numerous blog posts and presentations out there about Chef Vault. The latest one from this year's chef conf for example is quite good:
And for managing passwords in Chef-Vault there is this slightly old post: