diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4d3e00027..6f1780f88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@
 IMPROVEMENTS:
 
   - guests/linux: emit upstart event when NFS folders are mounted. [GH-2705]
+  - provisioners/chef-solo: Encrypted data bag secret is removed from the
+    machine after provisioning. [GH-2712]
 
 BUG FIXES:
 
diff --git a/plugins/provisioners/chef/provisioner/chef_solo.rb b/plugins/provisioners/chef/provisioner/chef_solo.rb
index 3e2853325..4fd2930bd 100644
--- a/plugins/provisioners/chef/provisioner/chef_solo.rb
+++ b/plugins/provisioners/chef/provisioner/chef_solo.rb
@@ -52,6 +52,7 @@ module VagrantPlugins
           setup_json
           setup_solo_config
           run_chef_solo
+          delete_encrypted_data_bag_secret
         end
 
         # Converts paths to a list of properly expanded paths with types.
@@ -113,6 +114,12 @@ module VagrantPlugins
           end
         end
 
+        def delete_encrypted_data_bag_secret
+          @machine.communicate.tap do |comm|
+            comm.sudo("rm -f #{@config.encrypted_data_bag_secret}", error_check: false)
+          end
+        end
+
         def upload_encrypted_data_bag_secret
           @machine.env.ui.info I18n.t("vagrant.provisioners.chef.upload_encrypted_data_bag_secret_key")
           @machine.communicate.tap do |comm|