diff --git a/CHANGELOG.md b/CHANGELOG.md index b7d91434d..b76743715 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -71,6 +71,8 @@ BUG FIXES: - hosts/gentoo: Support systemd for NFS startup. [GH-2382] - providers/virtualbox: Don't start new VM if VirtualBox has transient failure during `up` from suspended. [GH-2479] + - provisioners/chef: Chef client encrypted data bag secrets are now + uploaded to the provisioning path to avoid perm issues. [GH-1246] - provisioners/salt: Bootstrap on FreeBSD systems work. [GH-2525] ## 1.3.5 (October 15, 2013) diff --git a/plugins/provisioners/chef/config/chef_client.rb b/plugins/provisioners/chef/config/chef_client.rb index 20fc4c17a..ba72aecb5 100644 --- a/plugins/provisioners/chef/config/chef_client.rb +++ b/plugins/provisioners/chef/config/chef_client.rb @@ -11,7 +11,6 @@ module VagrantPlugins attr_accessor :delete_client attr_accessor :delete_node attr_accessor :encrypted_data_bag_secret_key_path - attr_accessor :encrypted_data_bag_secret attr_accessor :environment attr_accessor :validation_key_path attr_accessor :validation_client_name @@ -24,12 +23,17 @@ module VagrantPlugins @delete_client = UNSET_VALUE @delete_node = UNSET_VALUE @encrypted_data_bag_secret_key_path = UNSET_VALUE - @encrypted_data_bag_secret = UNSET_VALUE @environment = UNSET_VALUE @validation_key_path = UNSET_VALUE @validation_client_name = UNSET_VALUE end + def encrypted_data_bag_secret=(value) + puts "DEPRECATION: Chef encrypted_data_bag_secret has no effect anymore." + puts "Remove this from your Vagrantfile since it'll be removed in the next" + puts "Vagrant version." + end + def finalize! super 
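Review bot: The new `encrypted_data_bag_secret=` writer in the `@@ -24,12 +23,17 @@` hunk discards the value without saying where the secret now ends up, so a Vagrantfile that set a custom guest path silently gets a different one. The message would be more useful if it named the new location, e.g. `puts "DEPRECATION: Chef encrypted_data_bag_secret is ignored; the secret is now uploaded under provisioning_path."`. Only the writer is kept: with the `attr_accessor` removed, any code that still reads `config.encrypted_data_bag_secret` will presumably raise NoMethodError, which may be intended but deserves a mention in the changelog entry. Bare `puts` also bypasses whatever UI object Vagrant normally uses for warnings (not visible here). The enclosing class starts and ends outside the hunk.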
@@ -38,7 +42,6 @@ module VagrantPlugins
 @delete_client = false if @delete_client == UNSET_VALUE
 @delete_node = false if @delete_node == UNSET_VALUE
 @encrypted_data_bag_secret_key_path = nil if @encrypted_data_bag_secret_key_path == UNSET_VALUE
- @encrypted_data_bag_secret = "/tmp/encrypted_data_bag_secret" if @encrypted_data_bag_secret == UNSET_VALUE
 @environment = nil if @environment == UNSET_VALUE
 @validation_client_name = "chef-validator" if @validation_client_name == UNSET_VALUE
 @validation_key_path = nil if @validation_key_path == UNSET_VALUE
diff --git a/plugins/provisioners/chef/provisioner/chef_client.rb b/plugins/provisioners/chef/provisioner/chef_client.rb
index d5d259060..4f6db057f 100644
--- a/plugins/provisioners/chef/provisioner/chef_client.rb
+++ b/plugins/provisioners/chef/provisioner/chef_client.rb
@@ -46,7 +46,7 @@ module VagrantPlugins
 def upload_encrypted_data_bag_secret
 @machine.env.ui.info I18n.t("vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
 @machine.communicate.upload(encrypted_data_bag_secret_key_path,
- @config.encrypted_data_bag_secret)
+ guest_encrypted_data_bag_secret_key_path)
 end
 def setup_server_config
@@ -57,7 +57,7 @@ module VagrantPlugins
 :validation_key => guest_validation_key_path,
 :client_key => @config.client_key_path,
 :environment => @config.environment,
- :encrypted_data_bag_secret => @config.encrypted_data_bag_secret
+ :encrypted_data_bag_secret => guest_encrypted_data_bag_secret_key_path,
 })
 end
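Review bot: `upload_encrypted_data_bag_secret` now writes the data bag secret into `provisioning_path`, but nothing in this hunk restricts the file's mode or removes it once provisioning is done. If that directory is readable by other guest users, the secret stays exposed for the life of the machine; consider following the upload with a mode change such as `@machine.communicate.sudo("chmod 0600 #{guest_encrypted_data_bag_secret_key_path}")`, and deleting the file after the chef-client run if nothing on the guest needs it later. The same path is handed to the template in the `setup_server_config` hunk (`:encrypted_data_bag_secret => guest_encrypted_data_bag_secret_key_path,`), so any cleanup has to happen after chef-client has read it. The effective permissions depend on the communicator's upload behaviour, which is not visible here.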
@@ -68,7 +68,9 @@ module VagrantPlugins command_env = @config.binary_env ? "#{@config.binary_env} " : "" command_args = @config.arguments ? " #{@config.arguments}" : "" - command = "#{command_env}#{chef_binary_path("chef-client")} -c #{@config.provisioning_path}/client.rb -j #{@config.provisioning_path}/dna.json #{command_args}" + command = "#{command_env}#{chef_binary_path("chef-client")} " + + "-c #{@config.provisioning_path}/client.rb " + + "-j #{@config.provisioning_path}/dna.json #{command_args}" @config.attempts.times do |attempt| if attempt == 0 @@ -100,6 +102,11 @@ module VagrantPlugins File.expand_path(@config.encrypted_data_bag_secret_key_path, @machine.env.root_path) end + def guest_encrypted_data_bag_secret_key_path + File.join(@config.provisioning_path, + "encrypted_data_bag_secret_key.pem") + end + def guest_validation_key_path File.join(@config.provisioning_path, "validation.pem") end diff --git a/templates/provisioners/chef_client/client.erb b/templates/provisioners/chef_client/client.erb index f2478483a..d2e4be31e 100644 --- a/templates/provisioners/chef_client/client.erb +++ b/templates/provisioners/chef_client/client.erb @@ -13,7 +13,7 @@ client_key "<%= client_key %>" encrypted_data_bag_secret "<%= encrypted_data_bag_secret %>" -<% unless environment.nil? %> +<% if environment %> environment "<%= environment %>" <% end %>
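Review bot: The re-wrapped `command` string in the `@@ -68,7 +68,9 @@` hunk still interpolates `@config.provisioning_path` into a shell command without quoting, so a path containing spaces or shell metacharacters changes what the guest shell runs. Since the line is being touched anyway, the two path arguments could be escaped, e.g. `"-c #{Shellwords.escape(File.join(@config.provisioning_path, "client.rb"))} " +` (this needs `require "shellwords"` at the top of the file, which is outside this hunk). Separately, `command_args` already starts with a space, so the literal space before `#{command_args}` yields a double space; harmless, but it can be dropped. The enclosing method starts and ends outside the hunk.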
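Review bot: `guest_encrypted_data_bag_secret_key_path` in the `@@ -100,6 +102,11 @@` hunk has no comment, and the `.pem` suffix suggests a PEM-encoded key although nothing visible requires that format; the upload call passes the host file through unchanged. A short comment would help, e.g. `# Guest-side location of the encrypted data bag secret; stored in provisioning_path next to validation.pem.` If the file name is free to change, something like `"encrypted_data_bag_secret_key"` avoids implying a format.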
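Review bot: The values in this template are placed inside double-quoted Ruby strings (`encrypted_data_bag_secret "<%= encrypted_data_bag_secret %>"`, `environment "<%= environment %>"`), so a quote or `#{` in a configured value is interpreted by Ruby when chef-client loads client.rb. Now that the secret path is derived from `provisioning_path`, rendering with `inspect` would keep each value a plain literal: `encrypted_data_bag_secret <%= encrypted_data_bag_secret.inspect %>` and `environment <%= environment.inspect %>`. The switch from `unless environment.nil?` to `if environment` also means `false` now suppresses the line, while an empty string still emits `environment ""`.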