Handle secrets¶
Using environment variables¶
For example, you can have an .env
file in the directory where your config.yaml
lies:
## Some secrets
pass="verysecurepassword"
If this file contains secrets that should not be tracked by Git,
put it in your .gitignore
.
You can then invoke dotdrop with the help of an alias
# when dotdrop is installed as a submodule
alias dotdrop='eval $(grep -v "^#" ~/dotfiles/.env) ~/dotfiles/dotdrop.sh'
# when dotdrop is installed from package
alias dotdrop='eval $(grep -v "^#" ~/dotfiles/.env) /usr/bin/dotdrop --cfg=~/dotfiles/config.yaml'
The above aliases load all the variables from ~/dotfiles/.env
(while omitting lines starting with #
) before calling dotdrop.
Defined variables can then be used in the config
or for templating dotfiles
For more see the doc on environment variables.
Store encrypted dotfiles using GPG¶
First you need to define the encryption/decryption methods, for example
variables:
keyid: "11223344"
trans_install:
_decrypt: "gpg -q --for-your-eyes-only--no-tty -d {0} > {1}"
trans_update:
_encrypt: "gpg -q -r {{@@ keyid @@}} --armor --no-tty -o {1} -e {0}"
You can then import your dotfile and specify the transformations to apply/associate.
dotdrop import --transw=_encrypt --transr=_decrypt ~/.secret
Now whenever you install/compare your dotfile, the _decrypt
transformation will be executed
to get the clear version of the file.
When updating the _encrypt
transformation will transform the file to store it encrypted.
See transformations.
gpg examples¶
Using GPG keys:
variables:
keyid: "11223344"
trans_install:
_decrypt: "gpg -q --for-your-eyes-only--no-tty -d {0} > {1}"
trans_update:
_encrypt: "gpg -q -r {{@@ keyid @@}} --armor --no-tty -o {1} -e {0}"
Passphrase is stored in an environment variable:
trans_install:
_decrypt: "echo {{@@ env['THE_KEY'] @@}} | gpg -q --batch --yes --for-your-eyes-only --passphrase-fd 0 --no-tty -d {0} > {1}"
trans_update:
_encrypt: "echo {{@@ env['THE_KEY'] @@}} | gpg -q --batch --yes --passphrase-fd 0 --no-tty -o {1} -c {0}"
Passphrase is stored as a variable:
variables:
gpg_password: "some password"
trans_install:
_decrypt: "echo {{@@ gpg_password @@}} | gpg -q --batch --yes --for-your-eyes-only --passphrase-fd 0 --no-tty -d {0} > {1}"
trans_update:
_encrypt: "echo {{@@ gpg_password @@}} | gpg -q --batch --yes --passphrase-fd 0 --no-tty -o {1} -c {0}"
Passphrase is retrieved using a script:
dynvariables:
gpg_password: "./get-password.sh"
trans_install:
_decrypt: "echo {{@@ gpg_password @@}} | gpg -q --batch --yes --for-your-eyes-only --passphrase-fd 0 --no-tty -d {0} > {1}"
trans_update:
_encrypt: "echo {{@@ gpg_password @@}} | gpg -q --batch --yes --passphrase-fd 0 --no-tty -o {1} -c {0}"
Passphrase is stored in a file:
variables:
gpg_password_file: "/tmp/the-password"
dynvariables:
gpg_password: "cat {{@@ gpg_password_file @@}}"
trans_install:
_decrypt: "echo {{@@ gpg_password @@}} | gpg -q --batch --yes --for-your-eyes-only --passphrase-fd 0 --no-tty -d {0} > {1}"
trans_update:
_encrypt: "echo {{@@ gpg_password @@}} | gpg -q --batch --yes --passphrase-fd 0 --no-tty -o {1} -c {0}"
See also transformations.