The EncryptedDataBagItem uses YAML to serialize values prior to encrypting them. Ruby 1.9 introduces multiple YAML implementations as engines. Using a different YAML engine on encryption and decryption can cause subtle errors in output values.
Chef should fixate one of the two YAML Engines in code to ensure the same engine is used when creating/uploading an encrypted data bag from file and within chef-client during a configuration run.
I've created a pull request on the opscode/chef repo to fix this issue:
I've also created a simple example data bag and a shell script to swap the YAML Engines showing the bug in action to help reproduce the issue, in the following gist:
This bug resulted in un-parseable values being generated from our encrypted data bags, which store critical application secrets and ids.