How can we manage secrets in public?

[sanchezcarlosjr]

I'm wondering how others publish their dotfiles when they might have secrets such as API keys, tokens, and so on. I'm employing CryFS, saving the encrypted data inside my repository, and mounting the secrets when I need them.

[OsirisFrik]

Hi @sanchezcarlosjr

this is how I do

in .dotfiles/restoring_scripts I add this flow

#!/bin/bash
source "$DOTFILES_PATH/shell/exports.sh" # here are a $LOCAL_EXPORTS and $LOCAL_ALIASES declarations
source "$DOTFILES_PATH/shell/aliases.sh"
source "$DOTFILES_PATH/shell/functions.sh"

# this exports look like `export LOCAL_EXPORTS="$HOME/.local_exports"`
FILES=(
  $LOCAL_EXPORTS
  $LOCAL_ALIASES
)

for FILE in ${FILES[@]}; do
  if [ -f "$FILE" ]; then
    echo "file: \"$FILE\" already exists"
  else
    touch $FILE
    echo "file: \"$FILE\" maked"

    if [[ "$FILE" == "$LOCAL_EXPORTS" ]]; then
      echo '#!/bin/bash\n# LOCAL EXPORTS DECLARATION\n' >> "$FILE"
    elif [[ "$FILE" == "$LOCAL_ALIASES" ]]; then
      echo '#!/bin/bash\n# LOCAL ALIASES DECLARATION\n' >> "$FILE"
    fi
  fi
done

now you can add your secrets on `

then I can add source import on .dotfiles/bash/exports.sh or .dotfiles/bash/init.sh

source "$LOCAL_EXPORTS"

this way allows me to keep secrets stored in my local and prevent to push on the repo

[sanchezcarlosjr]

@OsirisFrik thank you for sharing your approach. I did something similar with my dotfiles: https://github.com/sanchezcarlosjr/dotfiles. However, I prefer to save tokens on GitHub rather than hide the files. The purpose of dotfiles is to track configuration, and since secrets are a kind of configuration, I decided to save them in the cloud.

On the other hand, we can't entirely trust cloud providers, and secrets should not be public. Therefore, I created a private repository with encrypted files by CryFS. My dotfiles refer to an unencrypted location on my filesystem, which I mount when needed. Otherwise, the files remain encrypted, thanks to KDE's vault feature.