wn/minimal-setups
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

secrets in repos
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source
This commit is contained in:
Wolfgang Hottgenroth
2025-05-22 16:55:30 +02:00
parent 6bd6f7d7e9
commit d20cfb5086
1 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
content/snippets/0290-secrets-in-repos.md Normal file
View File

@ -0,0 +1,37 @@
<!--
title: Secrets in Repos
date: 2025-05-22
-->
# # Secrets in Repos
Storing secrets in cleartext in a repo is forbidden, obviously.
I use this approach to store secrets in ciphertext in a repo.
The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use
```
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
```
The passphrase for the encryption must be entered on the prompt from gpg.
To decrypt the file, in a CI script I use
```
gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
```
The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
To decrypt interactively the commandline
```
gpg --decrypt --output secrets.txt secrets.asc
```
can be used.
Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so.