As mentioned in a previous post, I keep most of my configuration files and scripts in a git repository. Files that must remain secret, like ssh private keys, the .netrc file and the like, should never end up there.
I use a few password manager tools, but one of my favorites is pass (it can be installed via brew install pass). I like this tool because it is command-line based, can be backed by a git repository and uses gpg to encrypt the passwords. Additionally, since multi-line passwords are allowed, you can store any file there.
I wrote two scripts to manage my secret files: unlock-secrets and lock-secrets.
The unlock-secrets script does an rsync of the gpg files to a temporary folder, then runs gpg to decrypt the files and creates symbolic links to them from the home directory. The gpg files are then deleted from the temporary directory.
The lock-secrets script does the opposite: for each file in the temporary directory, the symbolic link gets deleted, then the file is gpg encrypted and copied back into the .password-store directory.
Placing the unencrypted secret files in a temporary directory ensures that they get deleted automatically when the computer is shut down or restarted.
Here’s what the scripts look like:
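The author's scripts are not reproduced on this page. What follows is an added example of my own, not the original unlock-secrets and lock-secrets, implementing the same two steps described above in one POSIX shell file. It assumes the pass store lives in $PASSWORD_STORE_DIR (default ~/.password-store), that the secret files sit in a secrets/ subfolder named after their destination relative to the home directory (secrets/.netrc.gpg becomes ~/.netrc, secrets/.ssh/id_ed25519.gpg becomes ~/.ssh/id_ed25519), and that the scratch directory is $SECRETS_TMP (default under /tmp). Unlike the page's description it decrypts straight from the store into the scratch directory rather than copying the ciphertext first, since the copy is deleted right away anyway; the gpg key id is read from the store's .gpg-id file, which is where pass keeps it. Unlocking refuses to replace a regular file in the home directory, so an existing unencrypted ~/.netrc is never silently clobbered, and locking removes only symlinks that point into the scratch directory.

```shell
#!/bin/sh
# Added example (not the author's scripts): keep secret files gpg-encrypted in
# a pass store, decrypt them into a scratch directory on demand and link them
# into the home directory; lock re-encrypts and removes the links.
# Assumed layout: $STORE/secrets/<path-relative-to-home>.gpg
set -eu

STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"   # pass store (assumption)
SUBDIR="secrets"                                         # subfolder for files (assumption)
TMP="${SECRETS_TMP:-/tmp/secrets-$(id -u)}"              # scratch dir, gone after reboot
TARGET_HOME="${SECRETS_HOME:-$HOME}"                     # where the symlinks are created

# gpg wrappers; everything else is independent of the cipher tool.
decrypt_file() {  # $1 = .gpg input, $2 = plaintext output
  gpg --quiet --batch --yes --output "$2" --decrypt "$1"
}
encrypt_file() {  # $1 = plaintext input, $2 = .gpg output
  recipient="$(head -n 1 "$STORE/.gpg-id")"   # key id pass encrypts to
  gpg --quiet --batch --yes --output "$2" --recipient "$recipient" --encrypt "$1"
}

# unlock: decrypt every $STORE/secrets/**/*.gpg into $TMP and symlink it
# from the home directory. File names are assumed not to contain newlines.
unlock_secrets() {
  [ -d "$STORE/$SUBDIR" ] || { echo "no $STORE/$SUBDIR directory" >&2; return 1; }
  mkdir -p "$TMP"
  chmod 700 "$TMP"                      # only the owner may read the plaintext
  find "$STORE/$SUBDIR" -type f -name '*.gpg' | while IFS= read -r enc; do
    rel="${enc#"$STORE/$SUBDIR/"}"      # e.g. .ssh/id_ed25519.gpg
    plain="$TMP/${rel%.gpg}"
    dest="$TARGET_HOME/${rel%.gpg}"
    if [ -e "$dest" ] && [ ! -L "$dest" ]; then
      echo "refusing to replace regular file $dest" >&2
      exit 1                            # aborts the loop; the pipeline fails
    fi
    mkdir -p "$(dirname "$plain")" "$(dirname "$dest")"
    decrypt_file "$enc" "$plain"
    chmod 600 "$plain"
    rm -f "$dest"
    ln -s "$plain" "$dest"
  done
}

# lock: for every plaintext in $TMP remove the symlink that points to it,
# re-encrypt it into the store, then wipe the scratch directory.
lock_secrets() {
  [ -d "$TMP" ] || return 0             # nothing unlocked, nothing to do
  find "$TMP" -type f | while IFS= read -r plain; do
    rel="${plain#"$TMP/"}"
    dest="$TARGET_HOME/$rel"
    enc="$STORE/$SUBDIR/$rel.gpg"
    if [ -L "$dest" ] && [ "$(readlink "$dest")" = "$plain" ]; then
      rm -f "$dest"                     # remove only links we created
    fi
    mkdir -p "$(dirname "$enc")"
    encrypt_file "$plain" "$enc"
    rm -f "$plain"
  done
  rm -rf "$TMP"
}

case "${1:-}" in
  unlock) unlock_secrets ;;
  lock)   lock_secrets ;;
  "")     ;;                            # no argument: only define the functions
  *)      echo "usage: $0 unlock|lock" >&2; exit 2 ;;
esac
```

Save it as one file and call it with unlock or lock (or put a lock call in .bash_logout, as the post describes). After locking, the re-encrypted files are ordinary files in the pass store, so pass git add secrets followed by pass git commit records them. One caveat worth checking on your own machine: the "gone after a reboot" property only holds if the scratch directory is on a tmpfs or is cleared at boot, which is the case for /tmp on most Linux distributions and on macOS but is not guaranteed everywhere; lock_secrets removes the directory explicitly so the normal path does not rely on it.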
That’s about it! Whenever I need to use my secrets I just run unlock-secrets. Then my .bash_logout script automatically calls lock-secrets to get any updates back into the password store.