# gpg-shell

gpg-shell is a zsh shell script to manage environment variables with GnuPG asymmetric encryption. It is designed and recommended to be used with a YubiKey as the secret key storage.
```sh
# dotfiles/install.sh

# 1. Clone this repository with your dotfiles
git submodule add https://github.com/menduz/gpg-shell

# 2. Link the executable or add the folder to your PATH in your .zshrc
ln -sf "$(pwd)/gpg-shell/gpg-shell" "/usr/local/bin/gpg-shell"
# or
echo "export PATH=\"$(pwd)/gpg-shell:\$PATH\"" >> "$HOME/.zshrc"

# 3. Configure the folder to store your encrypted environments
# (I do it as a subfolder "encrypted-shells" in my dotfiles)
mkdir -p "$(pwd)/encrypted-shells"
ln -sf "$(pwd)/encrypted-shells" "$HOME/.gpg-shell-db"

# 4. Configure the recipient and backup GPG keys (interactive process)
gpg-shell setup-keygroup
```
First you must configure the keys allowed to decrypt the environment files: `gpg-shell setup-keygroup`. Always include yourself. It is a good idea to have a backup key, in case you lose your current GPG key.

The recipient list is not stored in the encrypted file (`--throw-keyids`), so the ciphertext does not reveal which keys can open it; on decryption gpg simply tries every available secret key.

The recipient list is stored as a gpg group named `gpg_shell_keygroup` in the file `$HOME/.gnupg/gpg.conf`. (I also link this file to my dotfiles.)

It is important to set the trust of all your recipient keys, otherwise gpg will refuse to encrypt anything for them.
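A small check for the `gpg_shell_keygroup` entry described above, added here as an example and not part of gpg-shell itself. It assumes gpg's documented `group name = keyid ...` syntax in `gpg.conf` and uses placeholder key ids; it verifies that the group lists your own key and at least one backup key.

```sh
#!/bin/sh
# Added example, not part of gpg-shell: check the recipient group that
# `gpg-shell setup-keygroup` writes to $HOME/.gnupg/gpg.conf.
# Assumption: the group uses gpg's documented syntax
#   group gpg_shell_keygroup = <keyid> <keyid> ...
# Repeated `group` lines with the same name are merged, as gpg does.

# Print the key ids in gpg_shell_keygroup, one per line.
keygroup_members() {                 # $1 = path to a gpg.conf
  sed -n 's/^[[:blank:]]*group[[:blank:]]\{1,\}gpg_shell_keygroup[[:blank:]]*=//p' "$1" |
    tr -s '[:blank:]' '\n' | sed '/^$/d'
}

# Return 0 when the group lists your own key ($2) and at least one other
# key (the backup the README recommends); 1 if you are missing, 2 if there
# is no backup key.
keygroup_check() {                   # $1 = gpg.conf, $2 = your key id
  members=$(keygroup_members "$1")
  count=$(printf '%s\n' "$members" | sed '/^$/d' | wc -l | tr -d ' ')
  if ! printf '%s\n' "$members" | grep -qx -- "$2"; then
    echo "gpg_shell_keygroup does not include your key $2" >&2
    return 1
  fi
  if [ "$count" -lt 2 ]; then
    echo "gpg_shell_keygroup has no backup key (only $count member)" >&2
    return 2
  fi
  return 0
}

# Constructed sample gpg.conf (placeholder key ids, not real keys).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# gpg.conf written by `gpg-shell setup-keygroup`
use-agent
group gpg_shell_keygroup = 0xAAAAAAAAAAAAAAAA
group gpg_shell_keygroup = 0xBBBBBBBBBBBBBBBB
EOF

if keygroup_check "$SAMPLE_CONF" 0xAAAAAAAAAAAAAAAA; then
  echo "ok: keygroup includes you and a backup key"
fi
```

Run it against your real `$HOME/.gnupg/gpg.conf` and your own key id after `setup-keygroup`; a non-zero exit means an environment encrypted now could become unrecoverable if that one key is lost.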
```sh
gpg-shell my-encrypted-env
# opens an interactive zsh with all the environment variables of my-encrypted-env

gpg-shell my-encrypted-env -- 'echo $MY_SECRET && exit 3'
# an interactive zsh is opened running the provided command, then exits with code 3
```
- Create an environment configuration "work-dev" using `gpg-shell create work-dev`. `vim` will open; in that configuration you may add environment variables like `export MY_SECRET="asd123-work-dev"`. Save and quit, and your encrypted shell is ready to be started.
- To access your new environment type `gpg-shell work-dev`; touching your YubiKey may be required to decrypt the environment. You can test that it works by executing the command `echo "$MY_SECRET"`, which should print `asd123-work-dev`.