[chef] Encrypted Data Bags - Preemptive Key Retrieval


Chronological Thread 
  • From: FusionX86 < >
  • To:
  • Subject: [chef] Encrypted Data Bags - Preemptive Key Retrieval
  • Date: Fri, 23 Jan 2015 13:19:12 -0700

Hello,

I’m using encrypted data bags in one of my cookbooks. I have the secret key stored in another secure network location that nodes can access as needed. I’d like to have the recipe retrieve the secret key, use it, and then delete the key on the node when finished. I’m having trouble getting those steps to happen in the proper order and while I understand why, I haven’t been able to find a satisfactory solution. The point is to avoid letting the key sit unused on the node.

When the server is first provisioned, I put a dummy key at /etc/chef/encrypted_data_bag_secret so that load_secret doesn’t fail when trying to find it. In my cookbook I have something like:
_________

bash "pull-key" do
  code <<-EOH
  # Rename the dummy key out of the way
  mv /etc/chef/encrypted_data_bag_secret /etc/chef/encrypted_data_bag_secret.dummy
  # Copy the real key from the network location to the local file system
  # (placeholder: the actual source location is not shown here)
  # cp <network-location>/encrypted_data_bag_secret /etc/chef/encrypted_data_bag_secret
  EOH
end

key = Chef::EncryptedDataBagItem.load_secret("/etc/chef/encrypted_data_bag_secret")
db_secrets = Chef::EncryptedDataBagItem.load("passwords", "database", key)
db_pass = db_secrets["db_pass"]

. . .

bash "remove-key" do
  code <<-EOH
  # Delete the real key
  rm -f /etc/chef/encrypted_data_bag_secret
  # Rename the dummy key back
  mv /etc/chef/encrypted_data_bag_secret.dummy /etc/chef/encrypted_data_bag_secret
  EOH
end
_________

The EncryptedDataBagItem.load line passes fine, but accessing the bag is where I’m stuck. Chef wants to decrypt the bag with the real key and assign the variable before the real key has even been copied to the node. I thought about using another tool like Jenkins or something to first initiate a copy of the key and then trigger chef-client, but that breaks my automation process. Is it possible to somehow force the copy to happen before the data bag is accessed?
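Added example, not part of the original post: a small stand-in for Chef's two-phase run (compile, then converge) that reproduces the ordering problem above and shows how moving the data bag load into a ruby_block defers it until after the pull-key resource has run. The MiniChef class, the key values and the password are constructed for the demonstration; in real Chef the deferral mechanisms are ruby_block and lazy attribute values.

```ruby
KEY_PATH  = '/etc/chef/encrypted_data_bag_secret' # path from the post
REAL_KEY  = 'real-key'     # constructed sample values
DUMMY_KEY = 'dummy-key'
DB_PASS   = 'correct-horse'

# Minimal model of a chef-client run: resource declarations are only queued
# while the recipe is compiled; their actions run later, during converge.
class MiniChef
  attr_reader :fs, :log
  def initialize
    @fs = { KEY_PATH => DUMMY_KEY } # node starts with the dummy key on disk
    @resources = []
    @log = []
  end
  def bash(name, &action)       ; @resources << [name, action] ; end
  def ruby_block(name, &action) ; @resources << [name, action] ; end
  # Converge phase: run queued actions in declaration order.
  def converge
    @resources.each { |name, action| @log << "run #{name}"; action.call }
  end
  # Stand-ins for load_secret and EncryptedDataBagItem.load: wrong key fails.
  def load_secret ; @fs.fetch(KEY_PATH) ; end
  def load_item(key)
    @log << "decrypt with #{key}"
    raise 'DecryptionFailure' unless key == REAL_KEY
    { 'db_pass' => DB_PASS }
  end
end

# Recipe as written in the post: top-level Ruby runs at compile time, so the
# bag is decrypted with the dummy key before pull-key has had a chance to run.
def naive_recipe
  chef = MiniChef.new
  chef.bash('pull-key') { chef.fs[KEY_PATH] = REAL_KEY }
  chef.load_item(chef.load_secret)['db_pass']
rescue RuntimeError => e
  e.message # => "DecryptionFailure"
end

# Deferred version: the load happens inside a converge-time resource, so it
# sees the real key, and remove-key still runs afterwards to clean up.
def deferred_recipe
  chef = MiniChef.new
  db_pass = nil
  chef.bash('pull-key') { chef.fs[KEY_PATH] = REAL_KEY }
  chef.ruby_block('load-secrets') { db_pass = chef.load_item(chef.load_secret)['db_pass'] }
  chef.bash('remove-key') { chef.fs[KEY_PATH] = DUMMY_KEY }
  chef.converge
  [db_pass, chef.log, chef.fs[KEY_PATH]]
end
```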
