Skip to content
/ gpgenv Public

Securely store and pass secrets as environment variables to other applications using GPG!

3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

notfromstatefarm/gpgenv

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.github/workflows
.github/workflows
 
 
docs
docs
 
 
internal
internal
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

gpgenv

Securely store and pass secrets as environment variables to other applications!

Purpose

It's extremely common for CLI applications to consume secrets via environment variables. Many people will add these environment variables to their bash profile for convenience.

However, this means two things:

  1. Your secrets are passed to every application you run from your terminal
  2. Your secrets are accessible on the disk to any software you run

You could store it as a separate script to source when needed, but that still leaves your secrets on your hard drive.

gpgenv aims to solve this by acting as a wrapper around applications that injects your secrets as environment variables from a GPG-encrypted store.

gpgenv is best combined with an OpenPGP smartcard like a YubiKey 5. When touch is required for GPG, it makes it extremely difficult for malicious software to silently intercept your secrets. We've written a guide on how to set up a YubiKey here.

Installation & Dependencies

You can download the binary from the GitHub releases page, or install via Homebrew.

brew tap notfromstatefarm/gpgenv
brew install gpgenv

You will also need to install gpg itself if you have not already.

Usage

Configuration

Configuration of gpgenv is performed with gpgenv edit. This will decrypt the store and open it in an editor.

Sets of environment variables are called contexts.

Example:

contexts:
  terraform:
    CLOUDFLARE_API_KEY: supersecret
    CLOUDFLARE_API_TOKEN: loremipsum
    SUMOLOGIC_ACCESSID: alsoasecret
    SUMOLOGIC_ACCESSKEY: beepboop
  anothercontext:
    ANOTHER_VAR: sosecret
    SECRET: VALUE
  athirdcontext:
    HELLO: WORLD
    LOREM: IPSUM
  
key-email: 86763948 [email protected]

key-email should be the email of the GPG key you wish to encrypt and decrypt with.

If you'd like to change the editor from vim, pass the EDITOR environment variable with the editor you wish to use i.e. EDITOR=nano gpgenv edit.

Running commands

Simply prepend the command you wish to run with gpgenv context-name. For example, to run terraform plan with the tf context, run:

gpgenv tf terraform plan

Aliasing

If you'd like to avoid executing the gpgenv command directly, you can set up an alias function in your bash profile.

For example, if you'd like to alias terraform to always use the tf context, add the following to your bash profile:

terraform() { gpgenv tf terraform "$@" }

About

Securely store and pass secrets as environment variables to other applications using GPG!

Resources

Readme
Activity

Stars

3 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 2

v1.0.1 Latest
Jun 19, 2022
1 release

Languages