How to encrypt an already existing data bag?

I created some data bags from the Chef Manage UI and now I want to encrypt them using the --secret option. I can’t find any information on how to do that. Any assistance with this would be appreciated…

Thank You!


While I believe it’s possible to encrypt an existing data bag with ‘knife data bag edit’ by providing it an encryption key, the easiest thing to do would be to delete and recreate the data bag.

You can back up any created data bags locally with “knife download data_bags/”, and delete any item with “knife data bag delete DATABAGNAME [DATABAG_ITEM_NAME]”.

Then to re-create with encryption, there are a couple of options. To manage a key yourself, you’ll first need to create a key, and then run the “knife data bag from file” command with the --secret-file flag pointing to the location of the key you generated. More detail on this process can be found here:

The only caveat is that you’ll be responsible for determining how to share that key with the nodes that require it, and that often means pulling from a trusted data store with its own authentication (Amazon S3, a protected shared mount, etc.).

An alternative is to use chef vault, which allows you to create encrypted data bags that will use nodes’ already existing client keys (the ones used to authenticate with the chef server) to authorize decryption. You can then maintain a whitelist of which machines should have access to a particular data bag, and authorize/revoke accordingly. Some information on setting up a data bag as a vault item can be found in this blog post:

Hope that helps! Let us know how it goes.
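The back-up, delete and re-create-with-a-secret steps from the answer above, as an added shell example (not part of the original reply). It assumes a working knife configuration, that `knife download data_bags/` leaves plain-JSON items under `data_bags/<bag>/<item>.json`, and that a secret generated with `openssl rand -base64 512` (the form the Chef documentation suggests) is acceptable; the `KNIFE` variable, the `/dev/urandom` fallback and the `check_secret` sanity check are additions of this example, not knife features.

```bash
#!/usr/bin/env bash
# Added example: re-create existing data bag items as encrypted items.
# Assumes: knife is configured, items live at data_bags/<bag>/<item>.json
# after "knife download", and a one-line base64 secret file is used.
set -eu

# KNIFE can be overridden (e.g. KNIFE=echo) to dry-run the procedure.
KNIFE="${KNIFE:-knife}"

# Generate a data bag secret the way the Chef docs suggest: 512 random
# bytes, base64, newlines stripped so the file is a single line.
# Written with umask 077 so the key is not world readable.
generate_secret() {
  local out="$1"
  (
    umask 077
    if command -v openssl >/dev/null 2>&1; then
      openssl rand -base64 512
    else
      head -c 512 /dev/urandom | base64   # fallback when openssl is absent
    fi | tr -d '\r\n' > "$out"
  )
}

# Sanity check on a secret file before pointing --secret-file at it:
# non-empty, at most one line, no embedded whitespace, reasonable length.
check_secret() {
  local f="$1" n
  [ -s "$f" ] || { echo "secret $f is missing or empty" >&2; return 1; }
  [ "$(grep -c '' "$f")" -le 1 ] || { echo "secret $f spans several lines" >&2; return 1; }
  if grep -q '[[:space:]]' "$f"; then echo "secret $f contains whitespace" >&2; return 1; fi
  n=$(tr -d '\r\n' < "$f")
  [ ${#n} -ge 64 ] || { echo "secret $f is too short" >&2; return 1; }
  return 0
}

# 1) back up the bag locally, 2) delete each item on the server,
# 3) re-upload every item encrypted with the secret.
reencrypt_bag() {
  local bag="$1" secret="$2" f item
  check_secret "$secret" || return 1
  "$KNIFE" download "data_bags/${bag}/"            # local plaintext backup
  for f in "data_bags/${bag}"/*.json; do
    [ -e "$f" ] || { echo "no items found for bag ${bag}" >&2; return 1; }
    item=$(basename "$f" .json)
    "$KNIFE" data bag delete "$bag" "$item" --yes  # remove plaintext item
  done
  "$KNIFE" data bag from file "$bag" "data_bags/${bag}"/*.json --secret-file "$secret"
}

# Usage (run from a chef-repo checkout):
#   generate_secret /etc/chef/encrypted_data_bag_secret
#   reencrypt_bag passwords /etc/chef/encrypted_data_bag_secret
```

Keep the plaintext backup that `knife download` produced out of version control and delete it once the encrypted items are verified; the secret file itself still has to reach each node through a channel you trust, as the answer notes.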