add documented decrypt script

2025-01-29 17:24:28 +01:00 · 2025-01-29 17:24:28 +01:00 · b6904e4ed2
commit b6904e4ed2
parent 118baa38f8
2 changed files with 23 additions and 0 deletions
--- a/2
+++ b/2
@ -6,6 +6,8 @@ RUN apk add --no-cache kubectl gpg gpg-agent bash && \
    addgroup $USER && \
    adduser -G $USER -D $USER

+COPY decrypt-secrets.sh /usr/local/bin/
+
 USER $USER
 WORKDIR /home/$USER

--- a/decrypt-secrets.sh
+++ b/decrypt-secrets.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+#
+# Set the environment variable GPG_PASSPHRASE
+# Pipe the encrypted data and 
+#   - redirect the output into the destination file or
+#   - directly eval the output, in this case make sure ONLY variable definitions are in the file
+#
+# The second option would be
+#   eval "`cat secrets.asc | ./decrypt-secrets.sh`"
+#
+# To create the encrypted file use
+#   gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
+# where secrets.txt is the cleartext file and secrets.asc will be the encrypted file.
+# Make sure to use a good passphrase, make sure to store the passphrase safely.
+#
+# Adding the encrypted file secrets.asc to a source code repository is secure.
+#
+
+
+gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output -