fnichol · maksar · Aug 3, 2013 · theckman · Nov 7, 2016
diff --git a/README.md b/README.md
@@ -222,6 +222,20 @@ by the `data_bag` recipe to use as a database of user accounts.
 
 The default is `"users"`.
 
+### <a name="attributes-data-bag-encrypted"></a> data_bag_encrypted
+
+Indicates whether data bag is encrypted or not.
+
+The default is `"false"`.
+
+### <a name="attributes-data-bag-encryption_key"></a> data_bag_encryption_key
+
+Encryption key to use, if `data_bag_encrypted` attribute is set to `true`.
+Key defined in `encrypted_data_bag_secret` attribute inside `knife.rb` will
+be used if case of `nil` value.
+
+The default is `nil`.
+
 ### <a name="attributes-user-array-node-attr"></a> user_array_node_attr
 
 The node attributes containing an array of users to be managed. If a nested

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -41,7 +41,9 @@
 default['user']['ssh_keygen']         = "true"
 default['user']['non_unique']         = "false"
 
-default['user']['data_bag_name']        = "users"
-default['user']['user_array_node_attr'] = "users"
+default['user']['data_bag_name']           = "users"
+default['user']['data_bag_encrypted']      = false
+default['user']['data_bag_encryption_key'] = nil
+default['user']['user_array_node_attr']    = "users"
 
 default[default['user']['user_array_node_attr']] = []
diff --git a/recipes/data_bag.rb b/recipes/data_bag.rb
@@ -30,7 +30,14 @@
 
 # only manage the subset of users defined
 Array(user_array).each do |i|
-  u = data_bag_item(bag, i.gsub(/[.]/, '-'))
+  name = i.gsub(/[.]/, '-')
+
+  u = if node['user']['data_bag_encrypted']
+    Chef::EncryptedDataBagItem.load(bag, name, node['user']['data_bag_encryption_key'])
+  else
+    data_bag_item(bag, name)
+  end
+
   username = u['username'] || u['id']
 
   user_account username do