# Secrets in Repos

Storing secrets in cleartext in a repo is forbidden, obviously. I use the following approach to store secrets in ciphertext in a repo.

The secrets live in a file, for instance `secrets.txt`. To encrypt this file I use

```
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
```

The passphrase for the encryption must be entered at the prompt shown by gpg.

To decrypt the file in a CI script I use

```
gpg --decrypt --passphrase "$GPG_PASSPHRASE" --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
```

The passphrase must be set in the environment variable `GPG_PASSPHRASE`.

To decrypt interactively, the command line

```
gpg --decrypt --output secrets.txt secrets.asc
```

can be used.

Make sure to store the passphrase safely and securely in a password manager or similar; otherwise you cannot get to your data any longer, or everyone can.

## Remark: Problems with passphrase input

Sometimes gpg tries to ask for the passphrase via the configured pinentry app, and this occasionally fails. In those cases add

```
--pinentry-mode loopback
```

to the command line:

```
gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
```
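The encrypt/decrypt procedure above, as an added example script (not from the original page) shaped for a CI job: it combines `--batch` with `--pinentry-mode loopback`, reads the passphrase from stdin via `--passphrase-fd 0` instead of `--passphrase` so it does not appear in `ps` output or shell history, uses a throwaway `GNUPGHOME`, and checks both a round trip and that a wrong passphrase is rejected. It assumes gpg 2.1+ on PATH and the passphrase in `$GPG_PASSPHRASE`; the file names and sample secret are constructed.

```shell
#!/bin/sh
# Added example, not the original page's commands. Assumes gpg 2.1+ and
# that the passphrase is provided in the environment variable GPG_PASSPHRASE.
set -eu

# Private GnuPG home so the job never touches the runner user's keyring.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'rm -rf "$GNUPGHOME"' EXIT

# Symmetric AES256 encryption; passphrase comes in on fd 0, not on argv.
encrypt_secrets() {   # $1 = plaintext file, $2 = armored ciphertext file
  printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --quiet \
    --pinentry-mode loopback --passphrase-fd 0 \
    --symmetric --cipher-algo AES256 --armor --output "$2" "$1"
}

decrypt_secrets() {   # $1 = armored ciphertext file, $2 = plaintext output
  printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --quiet \
    --pinentry-mode loopback --passphrase-fd 0 \
    --decrypt --output "$2" "$1" \
  && chmod 600 "$2"   # plaintext readable by this job's user only
}

# Returns 0 when decrypt(encrypt(x)) == x and the armored file does not
# contain the plaintext; 1 otherwise. Uses a constructed sample secret.
roundtrip_ok() {
  work="$(mktemp -d)"
  printf 'DB_PASSWORD=constructed-sample-value\n' > "$work/secrets.txt"
  encrypt_secrets "$work/secrets.txt" "$work/secrets.asc"
  if grep -q 'constructed-sample-value' "$work/secrets.asc"; then
    rm -rf "$work"; return 1
  fi
  decrypt_secrets "$work/secrets.asc" "$work/out.txt"
  if cmp -s "$work/secrets.txt" "$work/out.txt"; then
    rm -rf "$work"; return 0
  fi
  rm -rf "$work"; return 1
}

# Returns 0 when a wrong passphrase makes gpg fail instead of producing output.
wrong_passphrase_rejected() {
  work="$(mktemp -d)"
  printf 'x=1\n' > "$work/s.txt"
  encrypt_secrets "$work/s.txt" "$work/s.asc"
  if ( GPG_PASSPHRASE='not-the-passphrase'; export GPG_PASSPHRASE
       decrypt_secrets "$work/s.asc" "$work/o.txt" 2>/dev/null ); then
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"; return 0
}
```

In a pipeline, call `decrypt_secrets secrets.asc secrets.txt` after the checkout step and delete `secrets.txt` when the job finishes.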