Simple local secrets management

Oct 24, 2021

A recurring problem I've had in various side projects is managing and sharing secrets. These projects need some access tokens or API keys, either for another service or just to encrypt sessions, whatever.

There are many ways to manage that, from plain-text secrets on local disk to managed services like AWS Secrets Manager. If you have something that works for you, you do you.

For me, it’s important those keys are stored securely, but also that managing them would not impact my workflow. I also want them to be easily synced, because I’m working on multiple machines.

I use a YubiKey and GPG, set up based on an excellent guide you can find here. This lets me use GPG as the encryption backend for gopass. All my secrets are stored in a repo and, as long as the YubiKey is plugged in, accessible.

Fetching them manually from the store was tedious, so now I’m using direnv to do that.

Here's a demo of how it looks:

$ echo $BACKUP_KEY
# nothing
$ cd /tmp/test
$ echo $BACKUP_KEY
Sulfur Paternity Obvious Cultural
$ cd -
$ echo $BACKUP_KEY
# nothing

# .envrc
secret BACKUP_KEY misc/backup-encryption-key

Helper function in my direnv config:

# Look up a secret in gopass and export it as an environment variable.
# Usage in .envrc: secret VAR_NAME path/in/gopass
secret() {
  local env=$1
  local secret=$2

  export "${env}=$(gopass show -f "${secret}")"
}
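
A stricter variant of that helper, added here as an example and not the post's own code: it rejects malformed variable names, treats a failed or empty lookup as an error instead of silently exporting an empty value, and never writes the secret to stdout. The `SECRET_CMD` hook is an assumption of this example (not a gopass or direnv feature) so the lookup can be pointed at something other than `gopass show -f`; leave it unset to use gopass exactly as in the original .envrc.

```shell
#!/usr/bin/env bash
# Added example, not the post's helper: a stricter `secret` for direnv.
# SECRET_CMD is an assumed hook for this example only; unset, it falls back
# to `gopass show -f` as used in the original .envrc.

secret() {
  local env=$1
  local name=$2
  local value

  # Refuse anything that is not a plain VAR_NAME: a stray character here
  # would make `export` fail or assign to a variable you did not intend.
  case "$env" in
    ""|[0-9]*|*[!A-Za-z0-9_]*)
      echo "secret: invalid variable name '$env'" >&2
      return 1 ;;
  esac

  # Run the lookup; the value goes straight into a variable, never to stdout,
  # and a non-zero exit (wrong path, store locked, YubiKey unplugged) is fatal.
  if ! value=$(${SECRET_CMD:-gopass show -f} "$name"); then
    echo "secret: lookup of '$name' failed" >&2
    return 1
  fi

  # An empty value almost always means a misconfigured entry; exporting it
  # would only move the failure to whatever reads the variable later.
  if [ -z "$value" ]; then
    echo "secret: '$name' is empty" >&2
    return 1
  fi

  export "$env=$value"
}

# Usage in .envrc; the explicit `|| exit 1` makes a failed lookup abort the
# .envrc instead of continuing with the variable unset:
#   secret BACKUP_KEY misc/backup-encryption-key || exit 1
```

The name check matters because direnv evaluates `.envrc` as shell: an `export` with an unexpected name silently does something other than what you wrote, and a helper that swallows lookup failures leaves you debugging an empty `$BACKUP_KEY` far from where it went wrong.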

This method is simple and effective. There's also minimal risk that I accidentally leak a secret while screensharing, unless I print all of my envs.

Do you see any downsides or vulnerabilities in this approach? Are you using something better? Feel free to email me!