
How can we manage secrets in public? #270

sanchezcarlosjr opened this issue Apr 8, 2024 · 2 comments


sanchezcarlosjr commented Apr 8, 2024

I'm wondering how others publish their dotfiles when they might have secrets such as API keys, tokens, and so on. I'm employing CryFS, saving the encrypted data inside my repository, and mounting the secrets when I need them.

@OsirisFrik

Hi @sanchezcarlosjr

this is how I do it

in .dotfiles/restoring_scripts I add this flow:

```bash
#!/bin/bash
source "$DOTFILES_PATH/shell/exports.sh" # this declares $LOCAL_EXPORTS and $LOCAL_ALIASES
source "$DOTFILES_PATH/shell/aliases.sh"
source "$DOTFILES_PATH/shell/functions.sh"

# these exports look like `export LOCAL_EXPORTS="$HOME/.local_exports"`
FILES=(
  "$LOCAL_EXPORTS"
  "$LOCAL_ALIASES"
)

for FILE in "${FILES[@]}"; do
  if [ -f "$FILE" ]; then
    echo "file: \"$FILE\" already exists"
  else
    touch "$FILE"
    echo "file: \"$FILE\" created"

    # printf interprets the \n escapes; plain echo would write them literally
    if [[ "$FILE" == "$LOCAL_EXPORTS" ]]; then
      printf '#!/bin/bash\n# LOCAL EXPORTS DECLARATION\n\n' >> "$FILE"
    elif [[ "$FILE" == "$LOCAL_ALIASES" ]]; then
      printf '#!/bin/bash\n# LOCAL ALIASES DECLARATION\n\n' >> "$FILE"
    fi
  fi
done
```

now you can add your secrets on `

then I add a source line in .dotfiles/bash/exports.sh or .dotfiles/bash/init.sh:

```bash
source "$LOCAL_EXPORTS"
```

this way I keep secrets stored locally and avoid pushing them to the repo
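The same "local file outside the repo, sourced at shell start" pattern, written as an added example rather than code from this thread or from either commenter's dotfiles. It adds the two checks a practitioner usually wants on such a file: it is created with mode 0600, and it is refused at source time if its permissions have widened or if git turns out to track it (which is exactly how a local secrets file leaks on the next push). The file path and the `DEMO_TOKEN` value used in the usage section are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not code from the issue thread. Paths and values are assumed.
set -u

# Create the local secrets file if it is missing. The subshell umask makes the
# file 0600 from the moment it exists, so no other user can read a secret
# that is written to it a moment later.
init_local_secrets() {
  local file="$1"
  if [ -f "$file" ]; then
    echo "file: \"$file\" already exists"
  else
    ( umask 077 && : > "$file" )
    printf '#!/bin/bash\n# LOCAL EXPORTS DECLARATION\n\n' >> "$file"
    echo "file: \"$file\" created"
  fi
  chmod 600 "$file"
}

# Succeed only when the file exists and has no group/other permission bits.
# GNU stat (-c) is tried first, BSD/macOS stat (-f) as the fallback.
secrets_file_is_private() {
  local file="$1"
  [ -f "$file" ] || return 1
  local mode
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  mode=${mode#0}   # normalise "0600" to "600"
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Succeed when git does not track the file. If git is absent or the file is
# not inside a work tree there is nothing to leak through a push, so succeed.
secrets_file_is_untracked() {
  local file="$1"
  local dir
  dir=$(dirname "$file")
  command -v git >/dev/null 2>&1 || return 0
  git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  ! git -C "$dir" ls-files --error-unmatch "$file" >/dev/null 2>&1
}

# Source the file into the current shell only after both checks pass.
load_local_secrets() {
  local file="$1"
  if ! secrets_file_is_private "$file"; then
    echo "refusing to source $file: permissions are not 600/400" >&2
    return 1
  fi
  if ! secrets_file_is_untracked "$file"; then
    echo "refusing to source $file: it is tracked by git" >&2
    return 1
  fi
  # shellcheck disable=SC1090
  . "$file"
}

# Usage (constructed): create the file, append one assumed export, load it.
#   init_local_secrets "$HOME/.local_exports"
#   echo 'export DEMO_TOKEN="constructed-value"' >> "$HOME/.local_exports"
#   load_local_secrets "$HOME/.local_exports"
```

Dropping `load_local_secrets "$LOCAL_EXPORTS"` into the shell init file in place of a bare `source` line keeps the author's workflow unchanged while turning a silently widened permission or an accidental `git add` into a visible refusal instead of a leak.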


sanchezcarlosjr commented Jul 10, 2024

@OsirisFrik thank you for sharing your approach. I did something similar with my dotfiles: https://github.com/sanchezcarlosjr/dotfiles. However, I prefer to save tokens on GitHub rather than hide the files. The purpose of dotfiles is to track configuration, and since secrets are a kind of configuration, I decided to save them in the cloud.

On the other hand, we can't entirely trust cloud providers, and secrets should not be public. Therefore, I created a private repository containing files encrypted by CryFS. My dotfiles refer to an unencrypted location on my filesystem, which I mount when needed. Otherwise, the files remain encrypted, thanks to KDE's vault feature.
