From d20cfb5086bb3acbd2696c7df5c91e5632475864 Mon Sep 17 00:00:00 2001 From: Wolfgang Hottgenroth Date: Thu, 22 May 2025 16:55:30 +0200 Subject: [PATCH] secrets in repos --- content/snippets/0290-secrets-in-repos.md | 37 +++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 content/snippets/0290-secrets-in-repos.md diff --git a/content/snippets/0290-secrets-in-repos.md b/content/snippets/0290-secrets-in-repos.md new file mode 100644 index 0000000..643b771 --- /dev/null +++ b/content/snippets/0290-secrets-in-repos.md @@ -0,0 +1,37 @@ + + +# # Secrets in Repos + +Storing secrets in cleartext in a repo is forbidden, obviously. + +I use this approach to store secrets in ciphertext in a repo. + +The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use + +``` +gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt +``` + +The passphrase for the encryption must be entered on the prompt from gpg. + +To decrypt the file, in a CI script I use + +``` +gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc +``` + +The passphrase must be set in the environment variable `GPG_PASSPHRASE`. + +To decrypt interactively the commandline + +``` +gpg --decrypt --output secrets.txt secrets.asc +``` + +can be used. + +Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so. +
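Review bot: the CI decrypt command in the new file passes the secret as `--passphrase $GPG_PASSPHRASE`, which puts the passphrase on the command line where any other process on the runner can read it from the process list, and since GnuPG 2.1 `--passphrase` is only honoured together with `--pinentry-mode loopback`, so as written the command falls back to a pinentry prompt and fails in a non-interactive job. Feed the passphrase on a file descriptor instead, e.g. `printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --homedir /tmp/.gnupg --decrypt --output secrets.txt secrets.asc`; quoting the variable also keeps a passphrase containing spaces intact. Two smaller points in the same hunk: the text states that cleartext in the repo is forbidden, but both the CI and the interactive commands write the decrypted `secrets.txt` into the checkout, so the snippet should tell the reader to add it to `.gitignore` and delete it at the end of the job; and the heading reads `# # Secrets in Repos`, which renders a literal `#` in the title.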