Last active
October 22, 2023 12:06
-
-
Save pepasflo/1e66183882fbc7cf97a79256760478ad to your computer and use it in GitHub Desktop.
Scripts for encrypting / decrypting secrets (to prevent them from being accidentally checked into git)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| secrets/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -eu -o pipefail | |
| if ! which gpg &> /dev/null | |
| then | |
| echo "Error: gpg not installed." >&2 | |
| echo "Please 'brew install gpg'" >&2 | |
| exit 2 | |
| fi | |
| if [ -n "${SECRETS_PASSWORD}" ] | |
| then | |
| gpg \ | |
| --quiet \ | |
| --cipher-algo AES256 \ | |
| --batch \ | |
| --passphrase "${SECRETS_PASSWORD}" \ | |
| secrets.tar.gz.gpg | |
| else | |
| gpg \ | |
| --quiet \ | |
| --cipher-algo AES256 \ | |
| secrets.tar.gz.gpg | |
| fi | |
| rm -rf secrets | |
| cat secrets.tar.gz | gunzip | tar x | |
| rm -f secrets.tar.gz |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e -o pipefail | |
| if ! which gpg &> /dev/null | |
| then | |
| echo "Error: gpg not installed." >&2 | |
| echo "Please 'brew install gpg'" >&2 | |
| exit 2 | |
| fi | |
| if [ ! -d secrets ] | |
| then | |
| echo "No secrets directory found. Did you invoke as scripts/encrypt-secrets.sh?" 1>&2 | |
| exit 1 | |
| fi | |
| tar c secrets | gzip > secrets.tar.gz | |
| rm -f secrets.tar.gz.gpg | |
| if [ -n "${SECRETS_PASSWORD}" ] | |
| then | |
| gpg \ | |
| --quiet \ | |
| --cipher-algo AES256 \ | |
| --batch \ | |
| --passphrase "${SECRETS_PASSWORD}" \ | |
| --symmetric secrets.tar.gz | |
| else | |
| gpg \ | |
| --quiet \ | |
| --cipher-algo AES256 \ | |
| --symmetric secrets.tar.gz | |
| fi | |
| rm -f secrets.tar.gz |
@acecilia I would add the entry to .gitignore first.
Twitter discussion when this was originally posted: https://twitter.com/cellularmitosis/status/1055152885158289410
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
So, you check in source control the encrypted secrets, and after that add the secrets folder to gitignore?