Where are your database passwords? Your cookie encryption keys? Your SSL certificates?
The most common answers are “in git” and “in Dropbox”. Hopefully with a guilty squirm and followed by an awkward “it’s on my todo list”…
Storing production secrets on cloud services in plain text is very tempting, but it’s obviously insecure. We’ve seen hacks via API keys committed to git, and we’ve seen Dropbox passwords leak.
Luckily, help is at hand!
dotgpg is an easy-to-use tool that lets you read and write encrypted files in your favourite text editor. It maintains an access list so that each file can be decrypted by everyone on your team, but no one else.
As encrypted files are still “just files” you can store them in git or Dropbox so that they’re easy to share. Obviously if you’re really paranoid a USB stick in a locked drawer might be safer, until your co-workers gang up on you…
Under the hood
dotgpg is built on battle-tested GnuPG. So unless someone gets access to your laptop (where your private key lives) and you chose a weak passphrase, it’s highly unlikely anyone malicious can decrypt them.
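To make the access-list idea concrete, here is an added example that is not dotgpg’s code (dotgpg hands all of its cryptography to GnuPG). It reimplements, with Ruby’s OpenSSL bindings, the multi-recipient envelope pattern GnuPG uses when you encrypt to several people: a fresh content key encrypts the file, and that key is wrapped once per public key on the access list. The module name, the JSON container, the key size and the sample names are my own assumptions for the demo.

```ruby
require 'openssl'
require 'json'

# Added illustration, NOT dotgpg's code (dotgpg delegates all of this to GnuPG).
# It shows the envelope pattern behind "every file is readable by everyone on the
# access list, and nobody else": a fresh AES key encrypts the file, and that key
# is wrapped once per recipient public key. All names here are assumptions.
module ToyVault
  KEY_BITS = 2048 # assumed size for the illustration

  def self.b64(bytes)   = [bytes].pack('m0')
  def self.unb64(text)  = text.unpack1('m0')

  # Each collaborator generates a keypair; only the public half joins the list
  # (this stands in for "dotgpg key" on their machine).
  def self.generate_keypair
    OpenSSL::PKey::RSA.new(KEY_BITS)
  end

  # Encrypt plaintext for every entry in recipients (name => public-key PEM).
  # Returns a JSON string that stands in for the encrypted file on disk.
  def self.encrypt(plaintext, recipients)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    content_key = cipher.random_key # one-off key for this version of the file
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    tag = cipher.auth_tag           # lets decrypt detect tampering

    # Wrap the content key for each recipient with RSA-OAEP. Adding someone to
    # the list is just one more entry here; nobody else can unwrap the key.
    wrapped = recipients.map do |name, pem|
      pub = OpenSSL::PKey::RSA.new(pem)
      [name, b64(pub.public_encrypt(content_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING))]
    end.to_h

    JSON.generate('recipients' => wrapped, 'iv' => b64(iv),
                  'tag' => b64(tag), 'ciphertext' => b64(ciphertext))
  end

  # Decrypt as `name` with that person's private key. Raises if `name` is not on
  # the list, if the key does not match, or if the ciphertext was tampered with.
  def self.decrypt(document, name, private_key)
    doc = JSON.parse(document)
    wrapped = doc['recipients'][name]
    raise KeyError, "#{name} is not on the access list" unless wrapped

    content_key = private_key.private_decrypt(unb64(wrapped),
                                              OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = content_key
    cipher.iv = unb64(doc['iv'])
    cipher.auth_tag = unb64(doc['tag'])
    cipher.update(unb64(doc['ciphertext'])) + cipher.final
  end

  # True only if `name` is on the list AND holds the matching private key.
  def self.can_decrypt?(document, name, private_key)
    decrypt(document, name, private_key)
    true
  rescue KeyError, OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError
    false
  end

  # "dotgpg edit" equivalent: decrypt, change the contents, re-encrypt to the
  # *current* list. Someone removed from the list cannot read the new version,
  # but can still read any older version that was encrypted to their key.
  def self.rekey(document, name, private_key, new_plaintext, recipients)
    decrypt(document, name, private_key) # prove we were allowed to read it
    encrypt(new_plaintext, recipients)
  end
end

if __FILE__ == $0
  alice = ToyVault.generate_keypair
  bob   = ToyVault.generate_keypair
  team  = { 'alice' => alice.public_key.to_pem, 'bob' => bob.public_key.to_pem }
  # constructed sample secret, not a real credential
  file  = ToyVault.encrypt("DATABASE_PASSWORD=example-only\n", team)
  puts ToyVault.decrypt(file, 'bob', bob)
end
```

The point to notice is in `rekey`: re-encrypting after dropping a name protects the new version only. Anything already in git history or Dropbox was encrypted to the old list, which is why removing a collaborator should be paired with rotating the secret itself.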
What can I store in dotgpg?
dotgpg was designed for storing production secrets: things like API keys or database passwords that your app needs to run. At Bugsnag we use dotenv in production, and store the master copy of our .env file inside dotgpg. We then check this directory into git, so we can go back and see old versions if someone makes a
At Rapportive we used dotgpg’s ancestor to share passwords for services like Pingdom, where we all logged into the same account. We put the encrypted files in Dropbox so that changes propagated automatically to everyone.
At LinkedIn the second version of the system was used to encrypt the SSL certificates that my team needed. We then stored the encrypted files on USB sticks locked in a drawer, just to be sure.
I also use it for encrypting the secrets in my personal backups. At the moment that includes ssh keys, gem signing certificates and emergency two-factor-auth codes. (My passwords are now in a system with a browser extension, but I used to use gpg for those as well).
How easy is it really?
While GPG is amazing at encrypting stuff, the user interface leaves a lot to be desired. In dotgpg I’ve removed as many options and operations as possible, and boiled it down to two everyday commands.
dotgpg cat decrypts a file and pipes it to standard out.
dotgpg edit opens a file in your $EDITOR and re-encrypts it when you’re done.
Getting started is even simpler: just run dotgpg init to create a new directory and then dotgpg edit to create files within it.
Adding collaborators is also pretty quick. They run dotgpg key on their computer and then send you the key (by Dropbox, email, whatever suits). You run dotgpg add on your computer to add them to the access list.
How secure is it?
Secure enough for me. If you still have your Rails or SSL certificates in cloud services unencrypted, then it’s more than secure enough for you too. The easiest way to get more secure than dotgpg is to store everything on a USB stick offline, but this is too inconvenient for many. dotgpg is only designed to add an extra layer of protection if someone gets into your git or Dropbox. If an attacker gets access to your laptop you should probably assume that they will guess your password and decrypt your files.
One caveat worth knowing: removing someone from the access list only affects files encrypted from then on. Every older revision in your git history or Dropbox was encrypted to their key, so when a team member leaves, rotate the secrets themselves rather than relying on re-encryption alone.
For more information see the security section of the README. If you have concerns, please email me.
Full instructions, including use without Ruby, are available in the README. But if you want to dive straight in, just
Please file an issue if you have difficulties, and feel free to get in touch if you need a hand!