diff --git a/README.md b/README.md index 039e1b19..502bac17 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,8 @@ To use encrypted passwords, you must create an encrypted data bag. This cookbook This cookbook expects a `mysql` item and a `system` item. Please refer to the official documentation on how to get this setup. It actually uses a MySQL example so it can be mostly copied. Ensure you cover the data bag items as described below. +You also may set expected item names via attributes `node["percona"]["encrypted_data_bag_item_mysql"]` and `node["percona"]["encrypted_data_bag_item_system"]`. + ### Skip passwords Set the `["percona"]["skip_passwords"]` attribute to skip setting up passwords. Removes the need for the encrypted data bag if using chef-solo. Is useful for setting up development and ci environments where you just want to use the root user with no password. If you are doing this you may want to set `[:percona][:server][:debian_username]` to be `"root"` also. @@ -130,7 +132,7 @@ Above shows the encrypted password in the data bag. Check out the `encrypted_dat ### Replication over SSL To enable SSL based replication, you will need to flip the attribute `node[:percona][:server][:replication][:ssl_enabled]` to `true` and add a new data_bag item -to the percona encrypted data_bag (see `node[:percona][:encrypted_data_bag]` attribute) with the id `ssl_replication` that contains this data: +to the percona encrypted data_bag (see`node[:percona][:encrypted_data_bag]` attribute) with the id `ssl_replication` ( see `node["percona"]["encrypted_data_bag_item_sslrep"]` attribute) that contains this data: ```javascript { diff --git a/attributes/default.rb b/attributes/default.rb index 1b1a961f..9989ea50 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -38,6 +38,9 @@ default["percona"]["keyserver"] = "keys.gnupg.net" default["percona"]["encrypted_data_bag"] = "passwords" default["percona"]["encrypted_data_bag_secret_file"] = "" +default["percona"]["encrypted_data_bag_item_mysql"] = "mysql" +default["percona"]["encrypted_data_bag_item_system"] = "system" +default["percona"]["encrypted_data_bag_item_sslrep"] = "ssl_replication" default["percona"]["use_chef_vault"] = false default["percona"]["skip_passwords"] = false default["percona"]["skip_configure"] = false diff --git a/libraries/passwords.rb b/libraries/passwords.rb index 0fe3641f..181bdfdf 100644 --- a/libraries/passwords.rb +++ b/libraries/passwords.rb @@ -8,6 +8,8 @@ def initialize(node, bag = "passwords") @node = node @bag = bag @secret_file = node["percona"]["encrypted_data_bag_secret_file"] + @mysql_item = node["percona"]["encrypted_data_bag_item_mysql"] + @system_item = node["percona"]["encrypted_data_bag_item_system"] end # helper for passwords 
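Review bot: The three new `encrypted_data_bag_item_*` defaults have no comment saying that they are item ids looked up inside the bag named by `encrypted_data_bag`, and the `sslrep` suffix abbreviates what its own default value spells out as `ssl_replication`. A one-line comment above them would remove the ambiguity, for example `# ids of the items read from node["percona"]["encrypted_data_bag"]`. Because node attributes are stored unencrypted, the comment should also state that these hold item names only, never secret values.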
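Review bot: `@mysql_item` and `@system_item` are copied from node attributes with no check, so an override that leaves either one nil or empty reaches `find_password` as the item name. The body of `find_password` is not part of this diff, but its signature takes a `default`, and every caller in the next hunk (`root_password`, `debian_password`, `old_passwords`, `replication_password`, `backup_password`) passes a node attribute in that position. If a failed lookup falls back to that default, a mistyped item name would silently swap the encrypted password for the attribute value. Failing early in the constructor avoids this: `raise ArgumentError, "encrypted_data_bag_item_mysql is empty" if @mysql_item.to_s.empty?`, and the same check for `@system_item`. The `def initialize` line itself sits above the hunk.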
@@ -32,32 +34,33 @@ def find_password(item, user, default = nil) # mysql root def root_password - find_password "mysql", "root", node_server["root_password"] + find_password @mysql_item, "root", node_server["root_password"] end # debian script user password def debian_password find_password( - "system", node_server["debian_username"], node_server["debian_password"] + @system_item, node_server["debian_username"], + node_server["debian_password"] ) end # ? def old_passwords - find_password "mysql", "old_passwords", node_server["old_passwords"] + find_password @mysql_item, "old_passwords", node_server["old_passwords"] end # password for user responsbile for replicating in master/slave environment def replication_password find_password( - "mysql", "replication", node_server["replication"]["password"] + @mysql_item, "replication", node_server["replication"]["password"] ) end # password for user responsbile for running xtrabackup def backup_password backup = node["percona"]["backup"] - find_password "mysql", backup["username"], backup["password"] + find_password @mysql_item, backup["username"], backup["password"] end private diff --git a/recipes/ssl.rb b/recipes/ssl.rb index 39176e55..94929e7c 100644 --- a/recipes/ssl.rb +++ b/recipes/ssl.rb @@ -12,7 +12,10 @@ mode "0700" end -certs = Chef::EncryptedDataBagItem.load(data_bag, "ssl_replication") +certs = Chef::EncryptedDataBagItem.load( + data_bag, + node["percona"]["encrypted_data_bag_item_sslrep"] +) # place the CA certificate, it should be present on both master and slave file "#{certs_path}/cacert.pem" do
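Review bot: The rewritten `Chef::EncryptedDataBagItem.load` call in recipes/ssl.rb still passes only the bag and the item id, while the helper in libraries/passwords.rb keeps `node["percona"]["encrypted_data_bag_secret_file"]` for its own lookups. If that attribute is meant to cover every item in the bag, the replication certificate item would presumably be decrypted with Chef's configured default secret instead of the custom file. Either pass the secret as the third argument to `load`, or record the difference with a comment such as `# decrypted with Chef's default data bag secret; encrypted_data_bag_secret_file is not consulted here`. An unset `encrypted_data_bag_item_sslrep` also reaches `load` as nil, so an explicit emptiness check before the call would give a clearer failure. The recipe continues past the end of the hunk.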