# Secrets in Repos
Storing secrets in cleartext in a repo is forbidden, obviously.
I use this approach to store secrets in ciphertext in a repo.
The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use

```sh
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
```

gpg prompts for the encryption passphrase, which must be entered there.
To decrypt the file in a CI script I use

```sh
# Quote the variable so a passphrase containing spaces or shell metacharacters is passed intact
gpg --decrypt --passphrase "$GPG_PASSPHRASE" --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
```

The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
To decrypt interactively, this command line can be used:

```sh
gpg --decrypt --output secrets.txt secrets.asc
```
Make sure to store the passphrase safely and securely, for example in a password manager. If it is lost, you can no longer get to your data; if it leaks, everyone can.
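
A hardened variant of the CI decryption step, as an added example that is not part of this repository: it passes the passphrase on stdin instead of the command line, where other processes on the runner could read it, and uses a throwaway GnuPG home. The function name `decrypt_secrets` and the temporary-directory handling are assumptions; `GPG_PASSPHRASE` is the variable named above.

```sh
#!/bin/sh
# Added example, not the repository's own CI script.
# decrypt_secrets IN OUT: decrypt a "gpg --symmetric" file without putting
# the passphrase on the command line. GPG_PASSPHRASE is assumed to be
# injected by the CI system's secret store.
decrypt_secrets() (
    in=$1
    out=$2
    if [ -z "${GPG_PASSPHRASE:-}" ]; then
        echo "GPG_PASSPHRASE is not set" >&2
        return 2
    fi
    if [ ! -r "$in" ]; then
        echo "cannot read ciphertext: $in" >&2
        return 3
    fi
    # The body runs in a subshell, so this umask stays local: the plaintext
    # and the throwaway GnuPG home are created owner-only.
    umask 077
    home=$(mktemp -d) || return 4
    # Feed the passphrase on stdin (fd 0); argv is visible in the process list.
    if printf '%s' "$GPG_PASSPHRASE" | gpg --batch --yes --quiet \
            --homedir "$home" --pinentry-mode loopback --passphrase-fd 0 \
            --output "$out" --decrypt "$in"; then
        rc=0
    else
        rc=1
        rm -f "$out"   # never leave a partial plaintext behind
    fi
    # Stop the agent gpg started for this home, then remove the home.
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    return "$rc"
)
```

Call it as `decrypt_secrets secrets.asc secrets.txt`; it returns non-zero and leaves no output file when decryption fails.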