envcrypt
runs commands in a special process environment loaded from encrypted files.
$ envcrypt -h
usage: envcrypt PATH COMMAND [ARGS...]
Set environment variables defined in encrypted file PATH and run COMMAND.
Arguments:
PATH path to a gpg-encrypted file that can be read with eg `gpg -d PATH`
COMMAND command to be invoked in the context of the environment defined in PATH
The contents of PATH
should be zero or more lines of string keys and values, separated by =
and encrypted with GPG:
$ echo AWS_ACCESS_KEY_ID=XXXXXXX | gpg -a -e -o aws.asc
$ envcrypt aws.asc /bin/sh -c 'echo $AWS_ACCESS_KEY_ID'
XXXXXXXX
envcrypt
runs gpg
in batch mode, so you must be running gpg-agent
for your private key to be accessible.
Make sure your gpg
and gpg-agent
executables are version 2 or greater:
$ gpg --version | head -1
gpg (GnuPG/MacGPG2) 2.0.28
$ gpg-agent --version | head -1
gpg-agent (GnuPG) 2.0.29
If you don't have GPG version 2, install GPG Tools. GPG Tools installs into the /usr/local/MacGPG2/bin
directory, so add that to your shell's $PATH
variable. Then, make sure you have a gpg-agent
running in daemon mode:
$ gpg-agent --daemon
Finally, configure gpg
to use the agent:
$ echo use-agent >> ~/.gnupg/gpg.conf
This is the easy way; do this unless you definitely need to build from source. Supported platforms:
$ curl -sL -O https://github.com/whilp/envcrypt/releases/download/v0.3/envcrypt-Darwin-x86_64
$ curl -sL -O https://github.com/whilp/envcrypt/releases/download/v0.3/envcrypt-Darwin-x86_64.sha256
$ shasum -c envcrypt-Darwin-x86_64.sha256
envcrypt-Darwin-x86_64: OK
$ mv envcrypt-Darwin-x86_64 ~/bin/envcrypt
$ chmod a+x ~/bin/envcrypt
Make sure ~/bin
is a directory in your $PATH
; replace it with another directory if you'd prefer.
You can also install directly from source (but you probably just want to install the binary):
go get github.com/whilp/envcrypt
make test
BSD; see LICENSE
.