[mystifyingpoi]

> where do you keep secret.txt

Reminds me of using Ansible Vault and preciously encrypting every secret (so we can say that repos doesn't contain any secrets), then just putting ~/.vault_pass in plaintext on every Ansible controller to be taken by anyone with access to the servers.

[alexpotato]

The author of AGE has a great point in the below blog post [0]:

    If you use something like SOPS or just check age secrets into a git repository next to source code, you need an authentication story for the whole repository. Having authentication for the secrets will do nothing if the attacker can change the source code that decrypts and uses them.

    That story can simply be “we trust GitHub” like most projects. Encrypting secrets with age will keep them confidential even if the project is Open Source, and anyone wanting to replace them will have to make a PR even if they can generate a new valid age file.

0 - https://words.filippo.io/age-authentication/