UNPKG

@sebastienrousseau/dotfiles

Version:

The Trusted Shell Platform — Universal dotfiles managed by Chezmoi. Features Bash & Zsh for macOS, Linux & WSL. Rust modern tooling & enterprise-grade security.

dotfiles.io

sebastienrousseau/dotfiles

282 lines (201 loc) 7.03 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
--- render_with_liquid: false --- {% raw %} # Tutorial: Encrypt a Secret How to store an API key (or any secret) encrypted in the repository using Age and SOPS decrypted automatically on `dot apply`. ## The Threat Model Secrets in plaintext config files are: - Committed to Git history (permanent record) - Visible to every process on the machine - Included in backup archives Secrets encrypted with Age: - Cipher text committed to Git is useless without the private key - Private key (`~/.config/age/keys.txt`) never leaves the user's machine - Per-machine policy: only authorized hosts hold keys for their share of secrets ## Step 1: Generate an Age Key (First Time Only) ```sh age-keygen -o ~/.config/age/keys.txt chmod 600 ~/.config/age/keys.txt ``` The public key is embedded in the file: ```sh cat ~/.config/age/keys.txt # created: 2026-04-16T09:00:00Z # public key: age1qy90l...xyz AGE-SECRET-KEY-1A... ``` Copy the public key you'll reference it when encrypting. ## Step 2: Choose Encryption Method Two approaches are supported: | Method | Best For | Filename | |:---|:---|:---| | **Chezmoi encrypt** | Individual files (API tokens, config snippets) | `dot_config/token.age` | | **SOPS** | YAML/JSON with multiple secrets, selective field encryption | `dot_config/creds.sops.yaml` | ## Step 3A: Chezmoi-Encrypted File Create an unencrypted source file: ```sh mkdir -p ~/tmp echo "sk_live_abc123" > ~/tmp/stripe-key.txt ``` Import it as encrypted: ```sh chezmoi add --encrypt ~/tmp/stripe-key.txt ``` This: 1. Reads `~/tmp/stripe-key.txt` 2. Encrypts with your Age public key 3. Stores encrypted content at `~/.dotfiles/dot_tmp/stripe-key.txt.age` 4. Template reads encrypted content at apply time and decrypts to target Delete the plaintext source: ```sh rm ~/tmp/stripe-key.txt ``` On `dot apply`, chezmoi decrypts and writes to `~/tmp/stripe-key.txt`. If someone lacks the private key, they see only the encrypted `.age` file in Git. ## Step 3B: SOPS-Encrypted YAML SOPS encrypts **values** in YAML/JSON while preserving the structure. Useful when you want: - Multiple secrets in one file - Encryption of only sensitive fields (leaving metadata readable) - Multi-recipient (e.g. the work laptop AND the backup laptop can decrypt) Configure SOPS once: ```yaml # .sops.yaml (at repo root) creation_rules: - path_regex: \.sops\.yaml$ age: age1qy90l...xyz ``` Create a secrets file: ```yaml # dot_config/credentials.sops.yaml database: host: db.prod.example.com user: app password: supersecret api_keys: stripe: sk_live_abc sendgrid: SG.xyz ``` Encrypt it: ```sh sops --encrypt --in-place dot_config/credentials.sops.yaml ``` The file now contains ciphertext blobs where plaintext values were: ```yaml database: host: ENC[AES256_GCM,data:...] user: ENC[AES256_GCM,data:...] password: ENC[AES256_GCM,data:...] api_keys: stripe: ENC[AES256_GCM,data:...] sendgrid: ENC[AES256_GCM,data:...] sops: age: - recipient: age1qy90l...xyz enc: | -----BEGIN AGE ENCRYPTED FILE----- ... ``` To edit the encrypted file: ```sh sops dot_config/credentials.sops.yaml # Opens in $EDITOR with decrypted content; re-encrypts on save ``` ## Step 4: Reference the Secret in a Template Chezmoi has a built-in `decrypt` helper: ```go # dot_bashrc.tmpl export STRIPE_KEY="{{ include "dot_tmp/stripe-key.txt.age" | decrypt | trim }}" ``` For SOPS: ```go # Use the sopsDecrypt template function {{- $creds := dict -}} {{- $creds = sopsDecrypt "dot_config/credentials.sops.yaml" | fromYaml }} export DB_PASSWORD="{{ $creds.database.password }}" ``` ## Step 5: Commit and Verify ```sh cd ~/.dotfiles git add .sops.yaml dot_config/credentials.sops.yaml dot_tmp/stripe-key.txt.age git commit -sS -m "feat(secrets): add stripe and database credentials" git push ``` Verify the commit doesn't leak secrets: ```sh git log -p HEAD~1..HEAD | grep -v ENC | grep -iE 'password|secret|key' || echo "Clean" ``` On the next machine: ```sh dot update # Chezmoi decrypts using that machine's Age key # If decryption fails, the template errors with a clear message ``` ## Step 6: Multi-Recipient (Fleet) To allow multiple hosts to decrypt the same secret, add more recipients: ```yaml # .sops.yaml creation_rules: - path_regex: \.sops\.yaml$ age: >- age1qy90l...xyz, age1z2x33...abc, age1mm0kk...def ``` Re-encrypt the affected files: ```sh sops updatekeys dot_config/credentials.sops.yaml ``` Now any host with one of those three private keys can decrypt. Hosts without any matching key see the encrypted file but cannot read it. ## Step 7: Rotate a Compromised Key ```sh # 1. Generate a new Age key on the affected host age-keygen -o ~/.config/age/keys.txt.new mv ~/.config/age/keys.txt.new ~/.config/age/keys.txt # 2. Update .sops.yaml with the new public key # 3. Re-encrypt all SOPS files with the new recipient list find . -name '*.sops.yaml' -exec sops updatekeys {} \; # 4. Commit and push git add .sops.yaml dot_config/*.sops.yaml git commit -sS -m "chore(secrets): rotate Age key" # 5. On other fleet hosts dot update ``` Old key still works for existing ciphertext, but new secrets use the new key. To force deprecation, delete the old key from `.sops.yaml` and `sops updatekeys` all files. ## Verifying No Plaintext Leaks CI runs three secret scanners (`gitleaks`, `detect-secrets`, `trufflehog`) on every commit. You can run them locally: ```sh gitleaks detect --redact --source . detect-secrets scan --update .secrets.baseline trufflehog git file://. --only-verified ``` If any scanner finds a potential leak, the commit is blocked. ## Operational Rules 1. **Never commit plaintext secrets** use chezmoi encrypt or SOPS 2. **Never commit `~/.config/age/keys.txt`** it's gitignored; double-check before pushing 3. **Age keys are per-host** don't copy them via Git; use secure channels (1Password, Bitwarden, physical USB) 4. **Rotate on team membership changes** when someone leaves, update recipients and rotate all shared secrets 5. **Audit with `dot verify --security`** runs gitleaks + signature + policy hash checks ## Troubleshooting ### "Could not decrypt: no age key found" `~/.config/age/keys.txt` is missing or unreadable: ```sh chmod 600 ~/.config/age/keys.txt ls -la ~/.config/age/keys.txt # -rw------- 1 user user 189 Apr 16 09:00 keys.txt ``` ### "sops: file encrypted with outdated recipients" A secret file has an old recipient list. Fix: ```sh sops updatekeys path/to/file.sops.yaml ``` ### Secrets Not Applying After Apply Check that `dot_tmp/stripe-key.txt.age` is committed. Run: ```sh chezmoi apply --verbose dot_tmp/stripe-key.txt # Will show decrypt attempts and errors ``` ## Next - [Concept: Trust Model](../01-concepts/02-trust-model.md) the security architecture - [Reference: Secret operations](../03-reference/01-dot-cli.md#secrets) - [Security: Secret management](../../security/SECRETS.md) {% endraw %}