So, I’ve gone through the documentation at http://docs.opscode.com/chef/essentials_data_bags.html, http://docs.opscode.com/essentials_data_bags_encrypt.html, and http://docs.opscode.com/knife_data_bag.html, and I’m a little confused by the behaviour we’re seeing.
From what I can tell, encrypted data bags are implemented on top of regular data bags, and since the goal is primarily to protect the data while it’s on the Chef server (e.g., in case of compromise of Hosted Chef), it seems to me that all of the crypto should be done on the client side.
OTOH, from what I can tell, it seems that you have to actually have a Chef server in order to be able to interact with and use encrypted data bags, which precludes their use with Chef Solo.
Is that correct? If so, can someone explain to me why that is the case? What is keeping Chef Solo from being able to use encrypted data bags with the same shared secret?
Also, any word on http://tickets.opscode.com/browse/CHEF-4233? From what we can see, if you create the encrypted data bag on a workstation running knife where Chef 10.18.2 is installed, this situation doesn’t seem to happen. In contrast, if you use knife from a Chef 11.x box, you get the extra keys which bork everything.
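As an added illustration of the client-side point raised above (this is not code from the original post, nor Chef's own `Chef::EncryptedDataBagItem` class): a standalone Ruby re-implementation of the version-1 encrypted data bag item layout, showing that writing and reading such an item needs only the shared secret and a JSON document, with no server involved. The item contents and the secret are constructed samples.

```ruby
require 'openssl'
require 'json'
require 'digest'

# Standalone mirror of the version-1 encrypted data bag item layout:
# AES-256-CBC, key = SHA-256 of the shared secret, a fresh random IV per
# field, each value wrapped as {"json_wrapper": value} before encryption.
# Illustrative re-implementation, not Chef's own code.
module DataBagCrypto
  CIPHER = 'aes-256-cbc'
  # Constructed sample item; "id" is left in clear so the item stays addressable.
  SAMPLE_ITEM = { 'id' => 'db_creds', 'username' => 'app', 'password' => 'hunter2' }

  def self.encrypt_item(item, secret)
    key = Digest::SHA256.digest(secret)
    item.each_with_object({}) do |(field, value), out|
      next out[field] = value if field == 'id'
      cipher = OpenSSL::Cipher.new(CIPHER).encrypt
      cipher.key = key
      iv = cipher.random_iv
      plaintext = JSON.generate('json_wrapper' => value)
      ciphertext = cipher.update(plaintext) + cipher.final
      out[field] = {
        'encrypted_data' => [ciphertext].pack('m'), # base64, pack('m') avoids the base64 gem
        'iv' => [iv].pack('m'),
        'version' => 1,
        'cipher' => CIPHER
      }
    end
  end

  def self.decrypt_item(encrypted, secret)
    key = Digest::SHA256.digest(secret)
    encrypted.each_with_object({}) do |(field, value), out|
      # Non-encrypted fields (e.g. "id") pass through unchanged.
      next out[field] = value unless value.is_a?(Hash) && value['encrypted_data']
      cipher = OpenSSL::Cipher.new(value['cipher']).decrypt
      cipher.key = key
      cipher.iv = value['iv'].unpack1('m')
      plaintext = cipher.update(value['encrypted_data'].unpack1('m')) + cipher.final
      out[field] = JSON.parse(plaintext)['json_wrapper']
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret'
  stored = DataBagCrypto.encrypt_item(DataBagCrypto::SAMPLE_ITEM, secret)
  puts JSON.pretty_generate(stored)                # what would sit on the server or on disk
  p DataBagCrypto.decrypt_item(stored, secret)     # recovered with nothing but the secret
end
```

Writing `stored` to a `data_bags/<bag>/<id>.json` file and reading it back is the whole round trip; version 1 carries no integrity check, so a wrong secret is detected only through padding or JSON parse failures.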