diff --git a/lib/chef-vault/item.rb b/lib/chef-vault/item.rb
index b032c69b..aa574678 100644
--- a/lib/chef-vault/item.rb
+++ b/lib/chef-vault/item.rb
@@ -160,10 +160,11 @@ def remove(key)
 end
 
 def secret
- if @keys.include?(@node_name) && !@keys[@node_name].nil?
+ data_bag_key = @keys[@node_name]
+ if !data_bag_key.nil?
 private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
 begin
- private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
+ private_key.private_decrypt(Base64.decode64(data_bag_key))
 rescue OpenSSL::PKey::RSAError
 raise ChefVault::Exceptions::SecretDecryption,
 "#{data_bag}/#{id} is encrypted for you, but your private key failed to decrypt the contents. "\
diff --git a/lib/chef-vault/item_keys.rb b/lib/chef-vault/item_keys.rb
index 8c3cfd27..4787acfe 100644
--- a/lib/chef-vault/item_keys.rb
+++ b/lib/chef-vault/item_keys.rb
@@ -34,9 +34,12 @@ def initialize(vault, name)
 @raw_data["search_query"] = []
 @raw_data["mode"] = "default"
 @cache = {} # write-back cache for keys
+ @tmpcache = {}
 end
 
 def [](key)
+ # return if cache contains client key
+ return @tmpcache[key] if @tmpcache.key?(key)
 # return options immediately
 return @raw_data[key] if %w{id admins clients search_query mode}.include?(key)
 
@@ -47,6 +50,7 @@ def [](key)
 # check if the key is saved in sparse mode
 skey = sparse_key(sparse_id(key)) if sparse?
 if skey
+ @tmpcache[key] = skey[key]
 skey[key]
 else
 # fallback to raw data
@@ -89,6 +93,7 @@ def clear_encrypted
 
 def delete(chef_key)
 @cache[chef_key.name] = false
+ @tmpcache = {}
 raw_data[chef_key.type].delete(chef_key.name)
 raw_data.delete(chef_key.name)
 end
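Review bot: The new condition `if !data_bag_key.nil?` in `secret` is the negated-predicate form the style guide flags; `unless data_bag_key.nil?` (or plainly `if data_bag_key`, since a present value is a Base64 string) says the same thing. On the context line just below it, `File.open(@client_key_path).read` leaves the private-key file handle open until garbage collection; `File.read(@client_key_path)` reads and closes in one call. Dropping the `@keys.include?(@node_name)` guard means a client not present in the keys now relies solely on `ItemKeys#[]` returning nil for an unknown name, which the raw-data fallback presumably does — worth confirming that path cannot raise instead. The body of `secret` continues past the end of this hunk.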
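Review bot: The read-through `@tmpcache` added to `[]` is only invalidated in `delete` (the `@@ -89,6 +93,7` hunk), so a client key rewritten through any other path (for example `[]=` or `add`, neither visible here) would keep being served as the previously cached ciphertext until the object is discarded; confirm those writers also call `@tmpcache.delete(key)` or reset the hash, as `delete` does. The `@tmpcache = {}` line in `initialize` should carry the same kind of note its sibling has, e.g. `@tmpcache = {} # read cache of sparse-mode key lookups`, and the added comment in `[]` reads better as `# serve repeated lookups from the read cache`. Only the sparse branch (the `@@ -47,6 +50,7` hunk) populates the cache while the raw-data fallback does not, so lookup cost and staleness behaviour differ by mode — fine if intended, but a one-line comment saying so would prevent someone "fixing" it later. `[]` continues outside the hunk.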