Use chef-vault instead of 'plain' encrypted data bags
chef-vault removes the need for managing 'encrypted_data_bag_secret' files and removes the risk of 'double-encrypting' a data bag (I think). It is also potentially more complicated, and we would have to adapt the cookbook.
What changes is that instead of encrypting with a shared secret, you use public-key cryptography to 'address' a secret from an admin to a node (or rather, to the Chef client private key of that node). This means that when you add or remove nodes, you need to 're-send' the secret. The secret itself is still stored in a data bag.
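To make the mechanism above concrete, here is an added example (not chef-vault's own code, and not from this cookbook) that models the scheme in plain Ruby with OpenSSL: the data bag item is encrypted once under a random item secret, and that secret is then wrapped with the public key of every recipient (the nodes plus the admin), one entry per name. Adding a node means re-sending the secret to one more public key; in this model, removing a node rotates the secret so the removed node cannot open later versions. The principals `admin`, `web1` and `web2`, the function names and the key sizes are all assumptions made for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed identities for this example: each Chef client (and the admin) has
# an RSA key pair; only the public half would ever live on the Chef server.
def new_principal(name)
  { name: name, key: OpenSSL::PKey::RSA.new(2048) }
end

# Symmetric layer: the data bag item is encrypted once under a random item
# secret (AES-256-GCM, so tampering with the stored item is detected on read).
def seal_item(item, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  cipher.auth_data = ''
  data = cipher.update(JSON.generate(item)) + cipher.final
  { 'iv' => Base64.strict_encode64(iv),
    'tag' => Base64.strict_encode64(cipher.auth_tag),
    'data' => Base64.strict_encode64(data) }
end

def open_item(sealed, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = secret
  cipher.iv = Base64.strict_decode64(sealed['iv'])
  cipher.auth_tag = Base64.strict_decode64(sealed['tag'])
  cipher.auth_data = ''
  JSON.parse(cipher.update(Base64.strict_decode64(sealed['data'])) + cipher.final)
end

# Public-key layer: the item secret is "addressed" to each recipient by wrapping
# it with that recipient's public key, one entry per name (the "<item>_keys" idea).
def wrap_secret(secret, recipients)
  recipients.each_with_object({}) do |p, keys|
    keys[p[:name]] = Base64.strict_encode64(p[:key].public_key.public_encrypt(secret))
  end
end

# Admin creates a vault. The admin is a recipient too, so the secret can be
# recovered later to add or remove nodes without a shared secret file.
def vault_create(item, recipients)
  secret = OpenSSL::Random.random_bytes(32)
  { 'item' => seal_item(item, secret), 'keys' => wrap_secret(secret, recipients) }
end

# Any listed principal (node or admin) recovers the secret with its private key;
# anyone not listed has nothing to decrypt.
def vault_secret(vault, me)
  wrapped = vault['keys'].fetch(me[:name]) { raise KeyError, "#{me[:name]} is not a recipient" }
  me[:key].private_decrypt(Base64.strict_decode64(wrapped))
end

def vault_read(vault, me)
  open_item(vault['item'], vault_secret(vault, me))
end

# Adding a node is "re-sending" the existing secret to one more public key.
def vault_add(vault, admin, newcomer)
  secret = vault_secret(vault, admin)
  vault.merge('keys' => vault['keys'].merge(wrap_secret(secret, [newcomer])))
end

# Removing a node: this model rotates the item secret and re-wraps it for the
# remaining recipients (which must include the admin).
def vault_remove(vault, admin, remaining)
  vault_create(vault_read(vault, admin), remaining)
end

if __FILE__ == $PROGRAM_NAME
  admin, web1 = new_principal('admin'), new_principal('web1')
  vault = vault_create({ 'db_password' => 'constructed-example' }, [admin, web1])
  puts vault_read(vault, web1).inspect
end
```

In practice the real tool keeps the two halves as two data bag items (the item and its `_keys` companion) and uses the node's Chef client key as the recipient key, which is exactly why membership changes require re-sending the secret.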
At GitLab B.V. we are currently juggling three different shared secrets for data bags and this already causes problems. It might be worth it to do the development work to switch to Chef Vault.