minimal-setups/content/snippets/0290-secrets-in-repos.md
Wolfgang Hottgenroth f0c2e5e551
remark
2025-05-22 17:05:59 +02:00


# Secrets in Repos

Storing secrets in cleartext in a repo is forbidden, obviously.

I use this approach to store secrets in ciphertext in a repo.

The secrets go in a file, for instance `secrets.txt`. To encrypt this file I use

```sh
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
```

gpg prompts for the passphrase used for the encryption.

To decrypt the file, in a CI script I use

```sh
# --pinentry-mode loopback is required for --passphrase to take effect on GnuPG 2.1 and later;
# the variable is quoted so a passphrase containing spaces is passed intact.
gpg --decrypt --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --homedir /tmp/.gnupg --output secrets.txt secrets.asc
```

The passphrase must be set in the environment variable `GPG_PASSPHRASE`.

To decrypt interactively, the command line

```sh
gpg --decrypt --output secrets.txt secrets.asc
```

can be used.

Make sure to store the passphrase safely, for instance in a password manager: if you lose it, you can no longer get at your data, and if it leaks, everyone can.

**Remark:** Sometimes gpg tries to ask for the passphrase via the configured pinentry app, which sometimes fails. In those cases add

`--pinentry-mode loopback`

to the command line:

```sh
gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt

gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
```
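The whole round trip (encrypt locally, decrypt in a throw-away `--homedir` as the CI step does) as an added, self-contained script; it is not part of the original snippet. It differs from the snippet in one respect: the passphrase is fed to gpg on stdin with `--passphrase-fd 0` instead of `--passphrase` on the command line, so it never appears in the process list or in a CI log running with `set -x`. It also checks that the file meant for the repo is an ASCII-armored OpenPGP message, which catches a cleartext file committed by mistake. The passphrase, file names and secret values are constructed for the demo; GnuPG 2.x is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not the snippet's own code. Encrypts a constructed secrets
# file with AES256 and decrypts it again in a scratch homedir, as a CI job
# would. Assumes gpg (GnuPG 2.x) and gpgconf are installed.
set -eu

# Constructed demo passphrase; in CI read it from the job's secret variable.
PASSPHRASE="correct horse battery staple"

# True only if $1 starts with the ASCII-armor header, i.e. is ciphertext.
# Commit only files that pass this check.
is_armored() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----$'
}

# Encrypt $1 into $2 symmetrically, passphrase on stdin (fd 0), no pinentry.
encrypt_secrets() {
    printf '%s\n' "$PASSPHRASE" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --homedir "$GNUPG_SCRATCH" \
        --symmetric --cipher-algo AES256 --armor \
        --output "$2" "$1"
}

# Decrypt $1 into $2 using the same scratch homedir, as the CI step does.
decrypt_secrets() {
    printf '%s\n' "$PASSPHRASE" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --homedir "$GNUPG_SCRATCH" \
        --output "$2" --decrypt "$1"
}

# Full round trip; prints "ok" when the decrypted file equals the original.
roundtrip() {
    work=$(mktemp -d)
    GNUPG_SCRATCH="$work/.gnupg"
    mkdir -m 700 "$GNUPG_SCRATCH"
    # Constructed secrets; nothing here is a real credential.
    printf 'DB_PASSWORD=constructed-demo-value\nAPI_TOKEN=not-a-real-token\n' \
        > "$work/secrets.txt"

    encrypt_secrets "$work/secrets.txt" "$work/secrets.asc"
    is_armored "$work/secrets.asc" || { echo "not armored"; return 1; }

    decrypt_secrets "$work/secrets.asc" "$work/decrypted.txt"
    if cmp -s "$work/secrets.txt" "$work/decrypted.txt"; then
        echo ok
    else
        echo mismatch
        return 1
    fi

    # Stop the agent gpg started for the scratch homedir and clean up.
    gpgconf --homedir "$GNUPG_SCRATCH" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    roundtrip
else
    echo "gpg not installed; nothing to demonstrate"
fi
```

In a real pipeline, replace the `PASSPHRASE` assignment with the CI secret variable and keep the decrypted `secrets.txt` out of the repository (add it to `.gitignore`); the `is_armored` check makes a good pre-commit hook for the `.asc` file.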