Securely store and pass secrets as environment variables to other applications!
It's extremely common for CLI applications to consume secrets via environment variables. Many people will add these environment variables to their bash profile for convenience.
However, this means two things:
- Your secrets are passed to every application you run from your terminal
- Your secrets are accessible on the disk to any software you run
You could store them in a separate script to source when needed, but that still leaves your secrets on your hard drive in plaintext.
gpgenv aims to solve this by acting as a wrapper around applications that injects your secrets as environment variables from a GPG-encrypted store.
gpgenv is best combined with an OpenPGP smartcard like a YubiKey 5. When touch is required for GPG, it makes it extremely difficult for malicious software to silently intercept your secrets. We've written a guide on how to set up a YubiKey here.
You can download the binary from the GitHub releases page, or install via Homebrew.
brew tap notfromstatefarm/gpgenv
brew install gpgenv
You will also need to install gpg itself if you have not already.
Configuration of gpgenv is performed with gpgenv edit. This will decrypt the store and open it in an editor.
Sets of environment variables are called contexts.
Example:
contexts:
  terraform:
    CLOUDFLARE_API_KEY: supersecret
    CLOUDFLARE_API_TOKEN: loremipsum
    SUMOLOGIC_ACCESSID: alsoasecret
    SUMOLOGIC_ACCESSKEY: beepboop
  anothercontext:
    ANOTHER_VAR: sosecret
    SECRET: VALUE
  athirdcontext:
    HELLO: WORLD
    LOREM: IPSUM
key-email: 86763948+notfromstatefarm@users.noreply.github.com
key-email should be the email of the GPG key you wish to encrypt and decrypt with.
If you'd like to change the editor from vim, set the EDITOR environment variable to the editor you wish to use, e.g. EDITOR=nano gpgenv edit.
Simply prepend the command you wish to run with gpgenv context-name. For example, to run terraform plan with the tf context, run:
gpgenv tf terraform plan
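As an added illustration (not the project's own code), here is a minimal Python re-implementation of the run path described above: decrypt the store with gpg, pick one context, and exec the command with that context's variables added to the child's environment only, so the parent shell never holds them. The store path ~/.gpgenv.gpg and the use of gpg --decrypt on the command line are assumptions; the embedded sample store is constructed from the configuration example.

```python
import os, subprocess, sys

# Constructed sample: the store plaintext as it would look after gpg --decrypt.
SAMPLE_STORE = """\
contexts:
  terraform:
    CLOUDFLARE_API_KEY: supersecret
    CLOUDFLARE_API_TOKEN: loremipsum
  athirdcontext:
    HELLO: WORLD
key-email: 86763948+notfromstatefarm@users.noreply.github.com
"""

def parse_store(text):
    """Parse the 'contexts:' mapping into {context: {VAR: value}} plus key-email (indentation-driven, no YAML library needed)."""
    contexts, key_email, current, ctx_indent = {}, None, None, None
    for line in text.splitlines():
        if not line.strip(): continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:                       # top level: contexts: / key-email:
            current = None
            if key == "key-email":
                key_email = value
        elif ctx_indent is None or indent == ctx_indent:   # a context name
            ctx_indent, current = indent, key
            contexts[key] = {}
        elif indent > ctx_indent and current is not None:  # VAR: value inside a context
            contexts[current][key] = value
    return contexts, key_email

def env_for_context(store_text, context):
    """Caller's environment plus the chosen context; nothing is written to disk or to the parent shell."""
    contexts, _ = parse_store(store_text)
    if context not in contexts:
        raise KeyError(f"unknown context {context!r}, have {sorted(contexts)}")
    return {**os.environ, **contexts[context]}

def decrypt_store(path):
    """Decrypt via gpg; with a touch-required smartcard this is the step the user must physically approve."""
    return subprocess.run(["gpg", "--quiet", "--decrypt", path],
                          check=True, capture_output=True, text=True).stdout

def main(argv):
    # Usage: gpgenv.py <context> <command> [args...]; the store path is an assumption.
    context, cmd = argv[1], argv[2:]
    env = env_for_context(decrypt_store(os.path.expanduser("~/.gpgenv.gpg")), context)
    os.execvpe(cmd[0], cmd, env)  # replace this process; the secrets exist only in the child

if __name__ == "__main__":
    main(sys.argv)
```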
If you'd like to avoid executing the gpgenv command directly, you can set up an alias function in your bash profile.
For example, if you'd like to alias terraform to always use the tf context, add the following to your bash profile:
terraform() { gpgenv tf terraform "$@"; }