How can we manage secrets in public? #270
Comments
|
this is how I do in #!/bin/bash
source "$DOTFILES_PATH/shell/exports.sh" # here are a $LOCAL_EXPORTS and $LOCAL_ALIASES declarations
source "$DOTFILES_PATH/shell/aliases.sh"
source "$DOTFILES_PATH/shell/functions.sh"
# this exports look like `export LOCAL_EXPORTS="$HOME/.local_exports"`
FILES=(
$LOCAL_EXPORTS
$LOCAL_ALIASES
)
for FILE in ${FILES[@]}; do
if [ -f "$FILE" ]; then
echo "file: \"$FILE\" already exists"
else
touch $FILE
echo "file: \"$FILE\" maked"
if [[ "$FILE" == "$LOCAL_EXPORTS" ]]; then
echo '#!/bin/bash\n# LOCAL EXPORTS DECLARATION\n' >> "$FILE"
elif [[ "$FILE" == "$LOCAL_ALIASES" ]]; then
echo '#!/bin/bash\n# LOCAL ALIASES DECLARATION\n' >> "$FILE"
fi
fi
donenow you can add your secrets on ` then I can add source import on source "$LOCAL_EXPORTS"this way allows me to keep secrets stored in my local and prevent to push on the repo |
|
@OsirisFrik thank you for sharing your approach. I did something similar with my dotfiles: https://github.com/sanchezcarlosjr/dotfiles. However, I prefer to save tokens on GitHub rather than hide the files. The purpose of dotfiles is to track configuration, and since secrets are a kind of configuration, I decided to save them in the cloud. On the other hand, we can't entirely trust cloud providers, and secrets should not be public. Therefore, I created a private repository with encrypted files by CryFS. My dotfiles refer to an unencrypted location on my filesystem, which I mount when needed. Otherwise, the files remain encrypted, thanks to KDE's vault feature. |
I'm wondering how others publish their dotfiles when they might have secrets such as API keys, tokens, and so on. I'm employing CryFS, saving the encrypted data inside my repository, and mounting the secrets when I need them.
The text was updated successfully, but these errors were encountered: