by everforward 5 days ago
Not really, precisely because it’s decentralized. You can’t audit whether a user accessed one of the hidden files, or really even who can access it once you accept the reality of the risk that some team will put a key on S3 or a shared drive or whatever.

It’s fine for things that you want devs to be able to see without the Git host being able to see them, it’s less good at RBAC because there’s no real “identity” component at read-time.


You can use Mozilla SOPS instead with IAM roles and KMS instead of gpg. They also shifted to AGE over gpg.
What a soup of acronyms
It’s the same problem. You don’t have an audit trail. That’s needed in a lot of situations for compliance reasons.
Why is an audit trail interesting? I would expect it's basically useless, as anything that can be accessed can be copied. So it doesn't even give the info that user x viewed y at some time.
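The thread's point about SOPS with KMS is that every read of a secret becomes a kms:Decrypt API call, and AWS records those calls in CloudTrail with the caller's identity, which is the audit trail git-crypt cannot give you. The script below is an added example, not code from the thread or from the SOPS project: it reconstructs "who decrypted which file, when, and was it allowed" from CloudTrail-style records. The records are constructed for this example, and the encryption-context key `sops_file` is an assumption (SOPS lets you set an encryption context on a KMS key in `.sops.yaml`; the key name is this example's own choice). It also illustrates the limit raised in the last comment: the trail records the decryption, not what happened to the plaintext afterwards.

```python
"""Reconstruct a secret-access audit trail from CloudTrail kms:Decrypt events.

Added example, not from the thread or the SOPS project. Assumptions:
- secrets are SOPS files encrypted with an AWS KMS key, so reading one
  requires a kms:Decrypt call, which CloudTrail logs;
- the .sops.yaml KMS entry sets an encryption context with a hypothetical
  key "sops_file" naming the file, so the log shows which secret was read.
The records below are constructed; field names mirror real CloudTrail events.
"""
from collections import defaultdict

CONSTRUCTED_EVENTS = [
    {"eventTime": "2024-05-01T09:12:44Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev-role/alice"},
     "requestParameters": {"encryptionContext": {"sops_file": "prod/db.enc.yaml"}}},
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build-42"},
     "requestParameters": {"encryptionContext": {"sops_file": "prod/db.enc.yaml"}}},
    # A denied attempt: CloudTrail still records it, with an errorCode.
    {"eventTime": "2024-05-01T23:41:10Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"encryptionContext": {"sops_file": "prod/db.enc.yaml"}},
     "errorCode": "AccessDenied"},
    # Not a read of a secret; must be ignored by the report.
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/dev-role/alice"},
     "requestParameters": {}},
]


def decrypt_events(records):
    """Normalise kms:Decrypt events (allowed and denied) into a flat list."""
    out = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") != "Decrypt":
            continue
        ctx = (r.get("requestParameters") or {}).get("encryptionContext") or {}
        out.append({
            "time": r["eventTime"],
            "principal": r["userIdentity"]["arn"],
            # Without an encryption context you only learn that *some* secret
            # under this key was decrypted, not which file.
            "file": ctx.get("sops_file", "<no encryption context>"),
            "denied": r.get("errorCode") is not None,
        })
    return sorted(out, key=lambda e: e["time"])


def access_report(records):
    """Map each SOPS file to the (time, principal) pairs that decrypted it."""
    report = defaultdict(list)
    for e in decrypt_events(records):
        if not e["denied"]:
            report[e["file"]].append((e["time"], e["principal"]))
    return dict(report)


def denied_attempts(records):
    """Decrypt calls that IAM/KMS policy refused; worth alerting on."""
    return [e for e in decrypt_events(records) if e["denied"]]


if __name__ == "__main__":
    for path, reads in access_report(CONSTRUCTED_EVENTS).items():
        print(path)
        for when, who in reads:
            print(f"  {when}  decrypted by {who}")
    for e in denied_attempts(CONSTRUCTED_EVENTS):
        print(f"DENIED {e['time']} {e['principal']} -> {e['file']}")
```

Two design points: the report keys on the encryption context rather than the KMS key id, because one key usually protects many files, so a decrypt event without context tells you a secret was read but not which one; and denied calls are kept separately, since a principal that is refused a decrypt is exactly the signal a decentralized scheme like git-crypt never produces. What the trail cannot show is any copy made after a successful decryption; it is evidence of access, not a guarantee of containment.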