minimal-setups/content/snippets/0290-secrets-in-repos.md
Wolfgang Hottgenroth 252ccc06bb
fix
2025-05-22 18:56:16 +02:00


Secrets in Repos

Storing secrets in cleartext in a repo is forbidden, obviously.

I use this approach to store secrets in ciphertext in a repo.

The secrets shall be in a file, for instance secrets.txt. To encrypt this file I use

```
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
```

The passphrase for the encryption must be entered on the prompt from gpg.

To decrypt the file, in a CI script I use

```
# --batch is required for --passphrase to be used at all; on GnuPG 2.1+ --pinentry-mode loopback
# is additionally needed, otherwise gpg ignores --passphrase and tries to start pinentry.
gpg --decrypt --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
```

The passphrase must be set in the environment variable GPG_PASSPHRASE.

To decrypt interactively, the command line

```
gpg --decrypt --output secrets.txt secrets.asc
```

can be used.

Make sure to store the passphrase safely and securely, in a password manager or similar: if it is lost you can no longer get at your data, and if it leaks everyone can.

Remark: Problems with passphrase input

Sometimes gpg tries to ask for the passphrase via the configured pinentry app, and that can fail (for example when there is no terminal or GUI session). In those cases add

--pinentry-mode loopback

to the commandline:

```
gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt

gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
```
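The encrypt/decrypt steps above and the loopback-pinentry remark, combined into a small set of shell functions. This is an added example, not code from the original snippet: it reads the passphrase from stdin via `--passphrase-fd 0` rather than putting it on the command line with `--passphrase`, so it does not appear in `ps` output or shell history on a shared CI runner, and it adds a header check that refuses to treat a file as the encrypted copy unless it actually carries the PGP armor header. It assumes GnuPG 2.1 or newer; the function names and the `GNUPGHOME` handling are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original snippet): gpg symmetric encrypt/decrypt
# as shell functions. The passphrase is supplied on stdin (--passphrase-fd 0)
# instead of --passphrase on argv. Assumes GnuPG 2.1+; function names are this
# example's own.

# encrypt_secrets PLAINTEXT_FILE ARMORED_FILE   (passphrase on stdin)
encrypt_secrets() {
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --armor \
        --output "$2" "$1"
}

# decrypt_secrets ARMORED_FILE PLAINTEXT_FILE   (passphrase on stdin)
# GNUPGHOME defaults to the page's /tmp/.gnupg; a per-job mktemp directory
# (exported as GNUPGHOME) avoids sharing keyring state on a multi-user runner.
decrypt_secrets() {
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
        --homedir "${GNUPGHOME:-/tmp/.gnupg}" \
        --decrypt --output "$2" "$1"
}

# is_armored FILE: succeeds only if FILE starts with the ASCII-armor header,
# i.e. it is the ciphertext and not a cleartext file that was merely renamed.
# Useful as a guard before `git add secrets.asc`.
is_armored() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "-----BEGIN PGP MESSAGE-----" ]
}

# Typical CI use: the passphrase arrives in GPG_PASSPHRASE, as on the page.
#   printf '%s' "$GPG_PASSPHRASE" | decrypt_secrets secrets.asc secrets.txt
# Typical developer use: encrypt, verify the header, then remove the cleartext
# so it cannot be committed by accident.
#   printf '%s' "$passphrase" | encrypt_secrets secrets.txt secrets.asc \
#       && is_armored secrets.asc && rm secrets.txt
```

Because the passphrase travels over stdin, nothing about it is visible in the process table; the environment variable itself is still only as safe as the CI system's secret handling, which is the same assumption the page already makes.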