Motivation

I have a project on GitHub and I want to add a simple Makefile for deployment. But I want to be sure that nobody will see its contents, because I don't want to expose irrelevant details of how I host it. On the other hand, I want this file to be there, because I want to be able to deploy from different machines.

Solution (encryption)

The solution is simple: I'm going to encrypt the Makefile with gpg, put the original file into .gitignore, and that's it.

So, first let's encrypt the file with a symmetric key:

gpg --armor -c Makefile

The command above will create a Makefile.asc file. I prefer having a plain-text file instead of a binary one, thus I --armor it. And to use passphrase-based symmetric encryption I'm using -c (or --symmetric).

Now I can add the original Makefile to .gitignore:

echo '/Makefile' >> .gitignore

Decryption

How do I use it on a new machine? Simple:

gpg --output Makefile -d Makefile.asc

That's it, now I have an ignored Makefile which I can use for deployment via make.

In case you have pinentry-related errors, you may fix those by changing the gpg-agent config:

# consult your distro docs for a proper solution
# note: '>' replaces any existing gpg-agent.conf
echo pinentry-program /usr/bin/pinentry-curses > ~/.gnupg/gpg-agent.conf
systemctl --user restart gpg-agent

Limitations

Obviously one has to remember to repeat the procedure every time the Makefile is changed. Though it's not a big issue in my simple case, as I don't change it that often.
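
One way to automate that reminder, as an added example that is not part of the original post: a POSIX shell pre-commit hook that checks the plaintext Makefile is ignored and untracked, that Makefile.asc is armored gpg output, and that the plaintext has not been modified since it was last encrypted. The function names are assumptions, and the modification-time comparison is a heuristic because the ciphertext cannot be compared without the passphrase.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.
ARMOR_HEADER='-----BEGIN PGP MESSAGE-----'

# Succeeds only if file $1 starts like ASCII-armored gpg output.
is_armored() {
    [ -f "$1" ] && [ "$(head -n 1 "$1")" = "$ARMOR_HEADER" ]
}

# Succeeds if plaintext $1 was modified after ciphertext $2.
is_stale() {
    [ -f "$1" ] && [ -f "$2" ] && [ -n "$(find "$1" -newer "$2")" ]
}

# Succeeds if ignore file $1 contains the exact line $2.
is_ignored() {
    [ -f "$1" ] && grep -qxF -e "$2" "$1"
}

# Succeeds if git already tracks the plaintext (.gitignore no longer applies).
is_tracked() {
    git -C "$1" ls-files --error-unmatch -- Makefile >/dev/null 2>&1
}

# Checks directory $1 (default .); reports problems, returns their count.
check_deploy_secret() {
    dir=${1:-.}
    problems=0
    if ! is_ignored "$dir/.gitignore" '/Makefile' || is_tracked "$dir"; then
        echo "plaintext Makefile is not ignored, or is tracked by git" >&2
        problems=$((problems + 1))
    fi
    if ! is_armored "$dir/Makefile.asc"; then
        echo "Makefile.asc is missing or is not armored gpg output" >&2
        problems=$((problems + 1))
    fi
    if is_stale "$dir/Makefile" "$dir/Makefile.asc"; then
        echo "Makefile is newer than Makefile.asc: gpg --armor -c Makefile" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Runs on its own only when installed as .git/hooks/pre-commit.
case "$0" in
    */pre-commit) check_deploy_secret . || exit 1 ;;
esac
```

Install it as .git/hooks/pre-commit and make it executable. After decrypting on a new machine, run touch -r Makefile.asc Makefile so the fresh plaintext is not reported as newer than the ciphertext.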