Shell-secrets – GPG-encrypted environment variables (opens in new tab)

(github.com)

93 pointsmgarciaisaia11mo ago42 comments

42 comments

Unless you're good at actually maintaining your gpg keychain and need other people to access this, I really wouldn't bother with gpg. There are way better and simpler options.

Age has a simpler interface and SSH key support https://github.com/FiloSottile/age

ejson2env has the environment variable integration and ejson has multiple backends https://github.com/Shopify/ejson2env

direnv can support any cli secrets manager per project directory https://direnv.net/

I've dealt with enough "why did this break" situations with gpg secrets files used by capable teams that I'd never recommend that to anyone. And unless you really need the public key support (teams and deployment support), you're unlikely to gain anything better over a password manager.

upofadown11mo ago

Age doesn't even have a keychain. You are expected to maintain your keys manually. So yeah, you will never have a problem with the age keychain. In the same way you will never get into trouble with the law in an anarchy. Not everyone wants to have to deal with all the details themselves.

akoboldfrying11mo ago

age looks really interesting, thanks. I also learned from that page that appending ".keys" to your GitHub profile URL (so https://github.com/yourusername.keys) returns a list of your SSH public keys! (Where is this documented...?)

tomjakubowski11mo ago

Another trick with github urls: you can append .patch or .diff to any PR or commit URL, and you'll get back a git-formatted patch or diff.

https://github.com/rust-lang/rust/pull/139966

https://github.com/rust-lang/rust/pull/139966.patch

https://github.com/rust-lang/rust/pull/139966.diff

mgarciaisaiaOP11mo ago

Oh - so age would be a gpg replacement, and not a shell-secrets replacement. I guess it could work, but also I haven't had any issues with GPG yet (in my ~4 years regularly using shell-secrets).

ejson2env sounds nice. Don't like the syntax of `eval $(...)`, but it does THE thing that most don't - it encrypts the secrets at rest!

Also, I have multiple logins for some services (company account vs company's client account), so separating concerns is cool. And having the "context" name in the PS1 helps avoid issuing the wrong command on the wrong account - you can even add emojis to the name for maximum discernability.

theteapot11mo ago

The tool is just pulling one encryption key from your local GPG keyring. What's to maintain?

viraptor11mo ago

What happens when you have multiple matching keys? What happens when your key expires? What happens when the output format changes? What happens when the key expires and it's attached to a hardware device? Gpg can fail in ways which do not tell you anything about the real underlying issue.

I promise this happens all the time to people for lots of stupid reasons.

1 more reply

woodruffw11mo ago

The more general version of this is probably sops[1].

(A general problem with these kinds of “wrap GPG” tools is that you end up with “mystery meat” encryption/signatures: your tool’s security margin is at the mercy of GPG’s opaque and historically not very good defaults.)

[1]: https://github.com/getsops/sops

theteapot11mo ago

This is 13 lines of Bash plus GPG which is available ~everywhere and a pretty lowish level Linux dependency. SOPS is +20KLOC of Go with support for cloud KMS etc etc. I think you got your mystery meat analogy backwards.

woodruffw11mo ago

The mystery meat in question is GPG, not sops or this.

(I also wouldn’t call GPG a low level dependency.)

1 more reply

aborsy11mo ago

GPG man page is long. But to be fair, GPG, which I have used for decades, has never failed me.

mgarciaisaiaOP11mo ago

I didn't know about sops, thanks for sharing!

Encrypting YAML files' values may be handy for another project - will take note of it.

ykonstant11mo ago

Since GPG and openssh support the TPM for some operations, I am tempted to store secrets in the TPM instead; I think a hardware safe is better than messing with persistent envars and having to pay attention to children etc.

But I am very nervous about doing so, since I have heard bad things about the reliability of the TPM (limited writes or something?) and locking myself out of important places. Any people with experience using the TPM for secrets in Linux?

hnlmorg11mo ago

Coincidentally I’ve written something similar to this too.

My main takeaway was that GPG isn’t nearly as user friendly as it needs to be.

mmh000011mo ago

Highly true. Yet. If you complain or even offer patches (which will, always, without fail, be rejected).

You'll get told off by the GPG devs with something along the lines of "encryption is supposed to be hard".

upofadown11mo ago

I have been following the GnuPG mailing list for some years now. I must of missed that. Could we have some references to where someone has been told something to the effect of "encryption is supposed to be hard".

9dev11mo ago

How hard would it be to devise an easy to use wrapper on top of GPG, kind of porcelain-like?

4 more replies

Valodim11mo ago

The correct way to do stuff like this these days with openpgp is to use a SOP (stateless openpgp) implementation. https://www.openpgp.org/about/sop/

bitbasher11mo ago

Couldn't you just use pass and have something like this in your bash script/env:

export SOME_SECRET="$(pass show some/secret)"

Piraty11mo ago

this in a credentials file to source before doing some operation? sure. I usually do: ` ( . ./credentials && ./the_thing ) ` so the secrets are only in the subshell and don't linger in my shell session forever.

but don't put that in <shell>rc , as it a) will be visible for all other (child) processes of your shell b) will spawn pinentry everytime the agent's cache ttl expires

varenc11mo ago

That hides it in the source, but doesn't hide it in the execution environment that can access the ENV. Everything you run inside your shell could still read it. (but if you're running untrusted things...you've already lost)

vcdimension11mo ago

I've forked the repo and created a zsh version: https://github.com/vapniks/shell-secrets

asveikau11mo ago

I do something like this in my .muttrc. It was showing up in documentation iirc, as the typical way to store credentials for mutt.

ognarb11mo ago

I like the idea. GPG encryption are super helful when sharing secrets.

Disclaimer: I work on some UI for GPG as my day job.

pluto_modadic11mo ago

for a newer password manager... https://github.com/FiloSottile/passage

qyckudnefDi511mo ago

Looks like FiloSottile may have switched from passage to 1Password:

https://bsky.app/profile/filippo.abyssdomain.expert/post/3l5...

Would be interesting to get more context why move from storing passwords locally to an online service.

FiloSottile11mo ago

Team sharing with a non-technical person, mostly.

I still have high-value passwords and CLI credentials in passage + age-plugin-yubikey.

dvektor11mo ago

I store my secrets in gpg encrypted files and inject them into my environment in my shell rc file.

AWS_SECRET_ACCESS_KEY=$(gpg -d ~/.secrets/aws/key.asc)

type of deal. its annoying to put in a password every time i open a new tmux pane but hey, better than plain text.

mgarciaisaiaOP11mo ago

That was what I did before knowing about shell-secrets. But I also need different "contexts" on the same domains/tools (different AWS accounts and credentials for different clients), and having none "set" by default prevents me from running _whatever command_ by mistake the majority of the time.

viraptor11mo ago

If you're using more complicated systems than just a single root account, have a look at https://github.com/99designs/aws-vault too.

j / k navigate · click thread line to collapse

42 comments

viraptor11mo ago

Unless you're good at actually maintaining your gpg keychain and need other people to access this, I really wouldn't bother with gpg. There are way better and simpler options.

Age has a simpler interface and SSH key support https://github.com/FiloSottile/age

ejson2env has the environment variable integration and ejson has multiple backends https://github.com/Shopify/ejson2env

direnv can support any cli secrets manager per project directory https://direnv.net/

upofadown11mo ago

akoboldfrying11mo ago

tomjakubowski11mo ago

Another trick with github urls: you can append .patch or .diff to any PR or commit URL, and you'll get back a git-formatted patch or diff.

https://github.com/rust-lang/rust/pull/139966

https://github.com/rust-lang/rust/pull/139966.patch

https://github.com/rust-lang/rust/pull/139966.diff

mgarciaisaiaOP11mo ago

Oh - so age would be a gpg replacement, and not a shell-secrets replacement. I guess it could work, but also I haven't had any issues with GPG yet (in my ~4 years regularly using shell-secrets).

ejson2env sounds nice. Don't like the syntax of `eval $(...)`, but it does THE thing that most don't - it encrypts the secrets at rest!

theteapot11mo ago

The tool is just pulling one encryption key from your local GPG keyring. What's to maintain?

viraptor11mo ago

I promise this happens all the time to people for lots of stupid reasons.

1 more reply

woodruffw11mo ago

The more general version of this is probably sops[1].

[1]: https://github.com/getsops/sops

theteapot11mo ago

woodruffw11mo ago

The mystery meat in question is GPG, not sops or this.

(I also wouldn’t call GPG a low level dependency.)

1 more reply

aborsy11mo ago

GPG man page is long. But to be fair, GPG, which I have used for decades, has never failed me.

mgarciaisaiaOP11mo ago

I didn't know about sops, thanks for sharing!

Encrypting YAML files' values may be handy for another project - will take note of it.

ykonstant11mo ago

hnlmorg11mo ago

Coincidentally I’ve written something similar to this too.

My main takeaway was that GPG isn’t nearly as user friendly as it needs to be.

mmh000011mo ago

Highly true. Yet. If you complain or even offer patches (which will, always, without fail, be rejected).

You'll get told off by the GPG devs with something along the lines of "encryption is supposed to be hard".

upofadown11mo ago

9dev11mo ago

How hard would it be to devise an easy to use wrapper on top of GPG, kind of porcelain-like?

4 more replies

Valodim11mo ago

The correct way to do stuff like this these days with openpgp is to use a SOP (stateless openpgp) implementation. https://www.openpgp.org/about/sop/

bitbasher11mo ago

Couldn't you just use pass and have something like this in your bash script/env:

export SOME_SECRET="$(pass show some/secret)"

Piraty11mo ago

but don't put that in <shell>rc , as it a) will be visible for all other (child) processes of your shell b) will spawn pinentry everytime the agent's cache ttl expires

varenc11mo ago

vcdimension11mo ago

I've forked the repo and created a zsh version: https://github.com/vapniks/shell-secrets

asveikau11mo ago

I do something like this in my .muttrc. It was showing up in documentation iirc, as the typical way to store credentials for mutt.

ognarb11mo ago

I like the idea. GPG encryption are super helful when sharing secrets.

Disclaimer: I work on some UI for GPG as my day job.

pluto_modadic11mo ago

for a newer password manager... https://github.com/FiloSottile/passage

qyckudnefDi511mo ago

Looks like FiloSottile may have switched from passage to 1Password:

https://bsky.app/profile/filippo.abyssdomain.expert/post/3l5...

Would be interesting to get more context why move from storing passwords locally to an online service.

FiloSottile11mo ago

Team sharing with a non-technical person, mostly.

I still have high-value passwords and CLI credentials in passage + age-plugin-yubikey.

dvektor11mo ago

I store my secrets in gpg encrypted files and inject them into my environment in my shell rc file.

AWS_SECRET_ACCESS_KEY=$(gpg -d ~/.secrets/aws/key.asc)

type of deal. its annoying to put in a password every time i open a new tmux pane but hey, better than plain text.

mgarciaisaiaOP11mo ago

viraptor11mo ago

If you're using more complicated systems than just a single root account, have a look at https://github.com/99designs/aws-vault too.

j / k navigate · click thread line to collapse