At $job, we use a version of chef-client which is woefully out of date. We’ll get around to fixing it, but until we do, I ran into a unique problem with encrypted data bags that I hadn’t seen documented anywhere on the internet. Hence this blog post.

My version of knife is:

knife --version
Chef: 14.1.12

When I create an encrypted data bag, it uses version 3 of Chef’s data bag encryption. When I try to use that data bag with our ancient version of Chef, it results in:

Chef::EncryptedDataBagItem::UnsupportedEncryptedDataBagItemFormat
-----------------------------------------------------------------
This version of chef does not support encrypted data bag item format version '3'

I couldn’t find anything at all on the internet about how to fix this, or how to arbitrarily specify which version of encryption I wanted when creating the data bag. And I still haven’t found an elegant solution to it.

Inelegant solution

But I did find an inelegant solution, which is to download a super old version of chef-client, the same one that we use on our servers. I installed it in a throwaway Docker container. When you install chef-client, it also installs knife, which I was then able to use to create an encrypted data bag, and it used encryption version 1, which works with our super old version of chef-client.

It’s definitely a hacky workaround, but I’ll take what I can get.
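The version mismatch described above can be caught before a data bag item reaches an old client. The following is an added example, not code from this post or from Chef itself: it reads an item's JSON and reports any value whose format version is higher than the client supports. The names check_item and format_version, the max_supported parameter and the sample item are assumptions made for illustration.

```ruby
require "json"

# Fields Chef writes for each encrypted value, by format version.
# v1 is AES-256-CBC, v2 adds an HMAC, v3 is AES-256-GCM with an auth tag.
FIELDS = {
  1 => %w[encrypted_data iv version cipher],
  2 => %w[encrypted_data iv version cipher hmac],
  3 => %w[encrypted_data iv version cipher auth_tag],
}.freeze

# Format version of one value: hashes carry "version", bare strings are version 0.
def format_version(value)
  value.respond_to?(:key?) ? value["version"] : 0
end

# Returns an array of problem strings; empty means every value is readable by a
# client whose highest supported format is max_supported (the caller's assumption).
def check_item(item_json, max_supported)
  JSON.parse(item_json).flat_map do |key, value|
    next [] if key == "id" # the id is never encrypted
    version = format_version(value)
    next ["#{key}: no version field, value is probably not encrypted"] if version.nil?
    problems = []
    problems << "#{key}: format version #{version} > supported #{max_supported}" if version > max_supported
    missing = FIELDS.fetch(version, []) - (value.respond_to?(:keys) ? value.keys : [])
    problems << "#{key}: missing #{missing.join(', ')}" unless missing.empty?
    problems
  end
end

# Constructed sample item (placeholder base64, not real ciphertext).
SAMPLE = <<~JSON
  {
    "id": "db_creds",
    "password": {
      "encrypted_data": "Y29uc3RydWN0ZWQ=", "iv": "aXZpdml2aXZpdml2",
      "auth_tag": "dGFndGFndGFn", "version": 3, "cipher": "aes-256-gcm"
    },
    "user": {
      "encrypted_data": "Y29uc3RydWN0ZWQ=", "iv": "aXZpdml2aXZpdml2aXZpdg==",
      "version": 1, "cipher": "aes-256-cbc"
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  problems = check_item(SAMPLE, 1)
  puts problems.empty? ? "ok" : problems
end
```

Run against an item exported as JSON, with max_supported set to the highest format the oldest client in the fleet accepts.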