So I created an encrypted data bag using knife on macOS, specifying a secrets file. If I run knife data bag show bag key --secret /path/to/secret it decrypts fine and I see the correct result.
Now, if I copy the secret file to windows, the decrypt fails. I have a windows share mounted on my Mac, and copied the file there, and reran the command specifying the mounted path. Bad decrypt.
I md5'd both files - they're both identical. I checked line endings - the file actually has no line ending (the secret is a single line string), so not that.
As a sanity test I copied the file back from Windows to another folder on my Mac and ran the decrypt again: it now fails locally too. Yet the md5 says it's the identical file. The permissions are 777, it's chowned correctly. The file looks absolutely identical. It's the same file, yet it won't work.
So now I have two secrets files, both identical in every way I can detect, and one works and the other doesn't. What on earth could be causing this? I'm slowly losing my mind here.
Just for anyone else that's going insane with this:
--secret specifies the secret text inline.
--secret-file specifies a path to a file containing the secret text.
The common mistake here is to use --secret to specify a path to a file, whereas what you're actually doing is making the path itself the secret text, not the file contents!
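As an added example (shell, not from the original question or answer, and not part of knife or Chef itself), a small pre-flight check that catches exactly this mistake before knife is run: if the value handed to --secret is an existing file, the literal path string would become the secret, so the check refuses and points at --secret-file. The SHA-256 hashing below is an assumption used only to show that the two invocations derive different keys; the secret file contents are constructed here, not the poster's.

```shell
# Added example, not from the original post or from knife/Chef.
# Assumption: the data bag key is derived by hashing the secret string, so
# "--secret /path/to/secret" hashes the path, "--secret-file /path/to/secret"
# hashes the file contents, and the two keys never match. The hash is used
# here only to make that difference visible.

# Print the SHA-256 hex digest of stdin with whichever tool is installed
# (sha256sum on Linux, shasum on macOS).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Key that "--secret VALUE" would derive: the literal string VALUE.
key_from_secret_arg() {
    printf '%s' "$1" | sha256_hex
}

# Key that "--secret-file PATH" would derive: the file's contents
# (the question's file has no trailing newline, so it is hashed as-is).
key_from_secret_file() {
    sha256_hex < "$1"
}

# Scan knife arguments; return 1 if --secret was given an existing file path,
# which almost always means --secret-file was intended. Returns 0 otherwise.
check_secret_args() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "--secret" ]; then
            if [ -f "$2" ]; then
                echo "warning: --secret '$2' names an existing file; the path string" >&2
                echo "         itself would be the secret. Use --secret-file instead." >&2
                return 1
            fi
            if [ $# -gt 1 ]; then shift; fi   # skip the secret value
        fi
        shift
    done
    return 0
}

# Demo with a constructed secret file (constructed here, not the poster's).
demo() {
    tmp=$(mktemp)
    printf 'constructed-data-bag-secret' > "$tmp"

    if check_secret_args data bag show bag key --secret "$tmp"; then
        echo "unexpected: misuse not detected"
    else
        echo "misuse detected, refusing to run knife"
    fi
    if check_secret_args data bag show bag key --secret-file "$tmp"; then
        echo "--secret-file form accepted"
    fi

    echo "key derived from path string : $(key_from_secret_arg "$tmp")"
    echo "key derived from file contents: $(key_from_secret_file "$tmp")"
    rm -f "$tmp"
}

demo
```

Wrap the real invocation as `check_secret_args "$@" && knife "$@"` in a small shim, or simply run the check by hand before pasting a command that someone else gave you; the two printed keys make it obvious why an md5-identical file can "fail" while the original "works": the file was never being read in either case, only its path.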