Password encryption

When is chef going to let inspec use the data bags or a password such as openssl for logging into nodes? Since you allow ssh, winrm and docker, you make the users place their password in plain text. This is not good for 80% of the companies.

Configure the inspec node to be able to interact with chef-server through knife.
Then simply populate on the fly the password property with the desired data bag:
knife data bag show your_bag your_secret --secret-file path_to_your_key when you run your inspec_exec command

Yes, that would have worked if you are using the inspec in chefdk, but when it was separated, both inspec and chef have their own embedded ruby and own gems. So what that means is you can’t get the encryption data bag. Also, what if you are just using inspec and not chef?

InSpec is still part of the ChefDK. We do release InSpec more frequently than the ChefDK is released, and InSpec is available as a standalone download from, but you absolutely can still use InSpec as part of the ChefDK.

InSpec has a concept of profile attributes which allows you to dynamically pass in data, such as secret data, so that they do not have to be encoded within your profiles. We currently support YAML as the input format with intentions of supporting other formats and backends in the future.
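An added example, not part of the thread and not Chef's own code, combining the two suggestions above: the decrypted data bag item goes into a short-lived attributes file that only the current user can read, so the secret never appears on the command line or inside the profile. The attribute name `db_password`, the profile name `my_profile` and the sample JSON are assumptions; `--attrs` is the flag for the YAML attributes file in InSpec releases of this era (later releases call it `--input-file`).

```ruby
require 'json'
require 'yaml'
require 'tempfile'

# Constructed sample of what
#   knife data bag show your_bag your_secret --secret-file path_to_your_key -F json
# prints once the item is decrypted. The key name and value are made up.
SAMPLE_KNIFE_JSON = '{"id":"your_secret","db_password":"constructed-example-value"}'

# Turn decrypted data bag JSON into the attribute hash a profile reads.
# The data bag's own "id" key is dropped; it is not a profile attribute.
def attributes_from_data_bag(json_text)
  item = JSON.parse(json_text)
  raise ArgumentError, 'data bag item must be a JSON object' unless item.is_a?(Hash)
  item.reject { |key, _| key == 'id' }
end

# Write the attributes to a temp file (Tempfile creates it with mode 0600),
# yield its path, and always delete the file afterwards, even on error.
def with_attrs_file(attributes)
  file = Tempfile.new(['inspec-attrs', '.yml'])
  file.write(attributes.to_yaml)
  file.flush
  yield file.path
ensure
  file&.close!
end

# Build the inspec argv: only the file path appears, never the secret.
def inspec_argv(profile, attrs_path)
  ['inspec', 'exec', profile, '--attrs', attrs_path]
end

if $PROGRAM_NAME == __FILE__
  # In real use, replace SAMPLE_KNIFE_JSON with the captured knife output.
  attrs = attributes_from_data_bag(SAMPLE_KNIFE_JSON)
  with_attrs_file(attrs) do |path|
    puts inspec_argv('my_profile', path).join(' ')
    # system(*inspec_argv('my_profile', path)) would run the scan here.
  end
end
```

The secret still exists in clear text on disk for the duration of the run, so this narrows the exposure to one user and one run rather than removing it.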


Well, that is interesting, but I don’t want all my systems to have chefdk on them to be able to use the data bag decryption, plus it looks like that yaml file profile is a plain text password. Why can’t you fix inspec to support its own openssl?

InSpec is getting better every single day thanks to the feedback of its users. That does mean that InSpec doesn’t meet everyone’s needs today. As I mentioned in my past message, we have intentions on making our handling of secrets better in the future.

Please feel free to log a feature request in our GitHub repo or look to see if there’s already an issue open describing your use case. You can find our repo at


Adam, I heard that this was brought up at chef conf and was said that this wasn’t going to be addressed. This is hearsay, as I didn’t attend. Also, we are an enterprise customer and had one of your chef consultants here onsite for weeks and said the same thing.