Hacker News
by leipert 1258 days ago
How do people here handle secrets like e.g. passwords / env variables / ssh keys in their dotfiles?

I've written a simple encrypt/decrypt with PGP, but since I've kinda lost trust in Keybase I have no simple way to bootstrap PGP.

4 comments

Emacs' auth-source.el can work directly with the macOS keychain, which if you're on a Mac is pretty useful.
https://www.chezmoi.io/ supports:

* Keeping secrets in your password manager (all major password managers are supported), see https://www.chezmoi.io/user-guide/password-managers/.

* Encrypting entire files with gpg or age, see https://www.chezmoi.io/user-guide/encryption/.

You can also bootstrap your gpg/age private key on a new machine with a passphrase, see https://www.chezmoi.io/user-guide/frequently-asked-questions....

I use git-crypt with VCSH for dotfiles and Ansible for provisioning, using Ansible's built-in encryption for some data. It works pretty well, but to make things less annoying, I prompt for decrypt passwords up front, and if you typo it, you won't know until much later when bringing a machine up from scratch.
I do the same, just copy the .gnupg folder over via ssh / usb / yubikey.
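The git-crypt/Ansible comment above describes a real failure mode: the decrypt passphrase is collected up front, but a typo only surfaces much later when the first encrypted file is actually needed. The fail-fast fix is to verify the passphrase against a known "canary" before provisioning starts. The following is an added illustration of that check, not git-crypt's, Ansible's or the commenter's own code: the canary is an scrypt-derived HMAC tag committed next to the encrypted data, and the bootstrap refuses to continue until the typed passphrase reproduces it. The label string, the scrypt cost parameters and the sample passphrase are constructed for the example. In a real bootstrap the verify step can just as well be "try to decrypt one known file with the real tool and check its exit status"; the point is that it happens before anything else runs.

```python
"""Fail-fast passphrase check before provisioning (added example)."""
import hashlib
import hmac
import secrets
from getpass import getpass
from typing import Callable, NamedTuple

# Hypothetical domain-separation label for the canary tag (assumption).
CANARY_LABEL = b"dotfiles-passphrase-canary-v1"


class Canary(NamedTuple):
    """Public data committed alongside the encrypted files."""
    salt: bytes
    tag: bytes


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt cost chosen for an interactive prompt (assumption); memory need
    # is 128 * n * r = 16 MiB, so an explicit maxmem keeps it portable.
    return hashlib.scrypt(
        passphrase.encode("utf-8"), salt=salt,
        n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024,
    )


def make_canary(passphrase: str) -> Canary:
    """Run once when the passphrase is chosen; commit the result."""
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    tag = hmac.new(key, CANARY_LABEL, hashlib.sha256).digest()
    return Canary(salt, tag)


def verify_passphrase(passphrase: str, canary: Canary) -> bool:
    """True only if the typed passphrase reproduces the committed tag."""
    key = derive_key(passphrase, canary.salt)
    expected = hmac.new(key, CANARY_LABEL, hashlib.sha256).digest()
    # Constant-time compare: the tag is public, but don't get sloppy anyway.
    return hmac.compare_digest(expected, canary.tag)


def prompt_until_valid(canary: Canary, attempts: int = 3,
                       ask: Callable[[str], str] = getpass) -> str:
    """Ask up front and abort the whole bootstrap on a typo, not an hour later."""
    for i in range(attempts):
        candidate = ask("Decrypt passphrase: ")
        if verify_passphrase(candidate, canary):
            return candidate
        print(f"Passphrase does not match canary ({attempts - i - 1} attempts left)")
    raise SystemExit("Aborting bootstrap before anything is provisioned.")


if __name__ == "__main__":
    # Constructed sample: normally the canary is read from the dotfiles repo.
    sample = make_canary("correct horse battery staple")
    prompt_until_valid(sample)
    print("passphrase verified; continuing with provisioning")
```

The `ask` parameter exists so the prompt loop can be driven non-interactively (for tests or for an automated rebuild that reads the passphrase from a hardware token); in normal use `getpass` keeps the passphrase out of the shell history and terminal echo.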