Using multiple keys to read different encrypted databags on the same node


I have the use case where I have certain secrets that all my machines need
access to, say the password that our lousy backup software uses, and other
secrets that only certain machines need access to, such as the the username
and password that a GIS application uses to access the database.

I hacked together a little solution. Does anyone else find this useful?

It requires having the following value in your client.rb

encrypted_data_bag_secret_path “/some/path/”


  •   def self.load_alt_key(data_bag, name, secret_file)
  • path = "data/#{data_bag}/#{name}"
  • raw_hash = Chef::DataBagItem.load(data_bag, name)
  •           if Chef::Config[:encrypted_data_bag_secret_path] and


  •                   secret_file =

Chef::Config[:encrypted_data_bag_secret_path] + ‘/’ + secret_file

  •           else
  •                   raise ArgumentError, "Invalid secret_file or


  •           end
  • secret = self.load_secret(secret_file)
  •, secret)
  • end