[chef] encrypted databag sadness

[Maven User < >]

Hi all -

We're contemplating storing the values of some ssl keys and certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags?  I was able to create an encrypted databag on our chef server, list the encrypted values and copy/pasted them into a local json file.  Using the key that will successfully decrypt the values from the databag stored on the server, I cannot decrypt the same values out of the local .json file.  Shouldn't that work?

2 - What is the standard way to get the key for decrypting databag values on a machine?  We're trying to do this in an automated fashion and haven't found a place that best suits automated bootstrapping - what are people doing?

3 - Some of the crt and key values are escape characters - is it possible to escape them without screwing up the actual values?

Thanks a million :-/