We enable encryption by using the output_filter method to our lookup in our policy:

policy :default do

   lookup :default do
     datasource :file, {
       :format     => :yaml,
       :docroot    => "/var/lib/jerakia",
       :searchpath => [
         "hostname/#{scope[:fqdn]}",
         "environment/#{scope[:environment]}",
         "common",
        ],
     }
     output_filter :encryption
   end

 end

This instructs Jerakia to pass everything to the encryption filter and to match all the retrieved values against the signature of the encryption provider. If a match is made, the encryption provider will be used to decrypt the value before it is returned.