Using GPG for symmetric file encoding and decoding
Motivation
I have a project on GitHub and I want to add a simple Makefile for
deployment. But I want to be sure that nobody will see its contents,
because I don't want to expose irrelevant details of how I host it.
On the other hand, I want this file to be there, because I want to
be able to deploy from different machines.
Solution (encryption)
The solution is simple: I'm going to encrypt Makefile with gpg, put
the original file into .gitignore and that's it.
So, first let's encrypt the file with a symmetric key:
gpg --armor -c Makefile
The command above will create a Makefile.asc file. I prefer having a
plain-text file instead of a binary one, thus I --armor it. And to use
passphrase-based symmetric encryption I'm using -c (or --symmetric).
Now I can put the original Makefile into .gitignore:
echo '/Makefile' >> .gitignore
Decryption
How do I use it on a new machine? Simple:
gpg --output Makefile -d Makefile.asc
That's it, now I have an ignored Makefile which I can use for
deployment via make.
In case you have pinentry-related errors, you may fix those by
changing the gpg-agent config:
# consult your distro docs for a proper solution
echo pinentry-program /usr/bin/pinentry-curses > ~/.gnupg/gpg-agent.conf
systemctl --user restart gpg-agent
Limitations
Obviously, one has to remember to repeat the procedure every time
Makefile is changed. Though it's not a big issue in my simple case,
as I don't change it that often.
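The "remember to re-encrypt" step can be checked mechanically. The following is an added example, not part of the original post: a shell function (the name check_encrypted_makefile and its return codes are assumptions) that could be called from a pre-commit hook to verify that Makefile is ignored, that Makefile.asc is ASCII-armored, and that the plaintext has not been modified since it was last encrypted.

```shell
#!/bin/sh
# Added example: sanity check for the encrypted-Makefile workflow.
# File names follow the post; the function name and return codes are
# assumptions made for this example.

# check_encrypted_makefile DIR
# Returns: 0  everything is consistent
#          1  /Makefile is not listed in DIR/.gitignore
#          2  Makefile.asc is missing or is not ASCII-armored gpg output
#          3  plaintext Makefile is newer than Makefile.asc (re-encrypt)
check_encrypted_makefile() {
    dir=${1:-.}
    plain="$dir/Makefile"
    enc="$dir/Makefile.asc"

    # The plaintext must be excluded from the repository, using the exact
    # line the post appends with: echo '/Makefile' >> .gitignore
    if ! grep -qxF '/Makefile' "$dir/.gitignore" 2>/dev/null; then
        echo "Makefile is not listed in .gitignore" >&2
        return 1
    fi

    # Output of gpg --armor -c starts with this header line.
    if [ ! -f "$enc" ] ||
       [ "$(head -n 1 "$enc")" != "-----BEGIN PGP MESSAGE-----" ]; then
        echo "Makefile.asc is missing or not ASCII-armored" >&2
        return 2
    fi

    # A plaintext newer than the encrypted copy means an edit was never
    # re-encrypted. A missing plaintext (fresh clone) is fine.
    if [ -f "$plain" ] && [ "$plain" -nt "$enc" ]; then
        echo "Makefile changed after Makefile.asc was written;" \
             "run: gpg --armor -c Makefile" >&2
        return 3
    fi
    return 0
}

# Hook usage (assumed layout): check_encrypted_makefile . || exit 1
```

Because gpg writes a freshly decrypted Makefile with the current time, run touch -r Makefile.asc Makefile after decrypting so the check does not report it as changed.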