Wolfgang Hottgenroth
252ccc06bb
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
55 lines
1.3 KiB
Markdown
55 lines
1.3 KiB
Markdown
<!--
|
|
title: Secrets in Repos
|
|
date: 2025-05-22
|
|
-->
|
|
|
|
# Secrets in Repos
|
|
|
|
Storing secrets in cleartext in a repo is forbidden, obviously.
|
|
|
|
I use this approach to store secrets in ciphertext in a repo.
|
|
|
|
The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use
|
|
|
|
```
|
|
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
|
|
```
|
|
|
|
The passphrase for the encryption must be entered on the prompt from gpg.
|
|
|
|
To decrypt the file, in a CI script I use
|
|
|
|
```
|
|
gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
|
|
```
|
|
|
|
The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
|
|
|
|
To decrypt interactively the commandline
|
|
|
|
```
|
|
gpg --decrypt --output secrets.txt secrets.asc
|
|
```
|
|
|
|
can be used.
|
|
|
|
Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so.
|
|
|
|
|
|
## Remark: Problems with passphrase input
|
|
|
|
Sometimes, gpg tries to ask for the passphrase via the configured pinentry app, which sometimes fails. In those cases add
|
|
|
|
```
|
|
--pinentry-mode loopback
|
|
```
|
|
|
|
to the commandline:
|
|
|
|
|
|
```
|
|
gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
|
|
|
|
gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
|
|
```
|