Secrets

Dave Williams edited this page Feb 8, 2026 · 2 revisions

Repository

Clone git@github.com:tecapps/secrets.git.

# trust the mise config
mise trust

# install the packages defined by the config
mise install

This will install age and sops, both of which you'll need.

age

Generate yourself an age key. It doesn't matter where you write the file, as the key is going in .env anyway.

# writes to stdout
age-keygen

# writes to a file
age-keygen -o /path/to/file

Then copy .env.example to .env.

cp .env.example .env

Then edit .env and put your age secret key (beginning AGE-SECRET-KEY-) into SOPS_AGE_KEY.

SOPS_AGE_KEY=AGE-SECRET-KEY-xxxxxxxxxxxxxx

Warning

Back up your age key somewhere! A password manager is a good choice.

Next, contact Dave with your age public key (e.g. age1x6720me...) to get it added to the list.

Once that's done, and everything is in place, pull the repo.

git pull

If your key has been added, you can then run

sops edit secrets.yaml

which will open the unencrypted secrets.yaml in whichever editor is configured for $EDITOR. When you save and exit, it will be re-encrypted. Then you can commit and push:

git add -A .
git commit -am 'add some secret'
git push

If you use the sops edit flow, plaintext never exists in the repo path, so it is always safe to commit.
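
A pre-commit guard for this flow, as an added example that is not part of the original page or of the tecapps/secrets repository: it blocks a staged .env, any staged file containing an age secret key, and a secrets.yaml whose values are not ENC[...] blobs. The hook wiring and the `--staged` argument are assumptions, as is sops encrypting every value (its default behaviour).

```shell
#!/bin/sh
# Added example: pre-commit guard for the sops + age flow. Heuristic line
# checks, not a YAML parser. check_staged reads the git index, not the work tree.

# True if stdin holds an age secret key (AGE-SECRET-KEY-1 + 58 Bech32 chars).
has_age_secret() {
    grep -Eq 'AGE-SECRET-KEY-1[0-9A-Z]{58}'
}

# True if stdin looks like sops output: a top-level "sops:" metadata block
# exists and every value above it is an ENC[AES256_GCM,...] blob.
is_sops_encrypted() {
    awk '
        /^sops:[ \t]*$/   { meta = 1; exit }
        /^[ \t]*(#|$)/    { next }                     # comments, blank lines
        {
            line = $0
            sub(/^[ \t]*(-[ \t]+)*/, "", line)         # indent and list dashes
            if (line ~ /^[^:]+:[ \t]*$/) next          # key opening a nested map
            sub(/^[^:]+:[ \t]+/, "", line)             # strip "key: "
            if (line !~ /^ENC\[AES256_GCM,/) plain = 1
        }
        END { exit ((meta && !plain) ? 0 : 1) }
    '
}

# Prints each problem among staged files; non-zero status if any was found.
check_staged() {
    git diff --cached --name-only --diff-filter=ACM | {
        bad=0
        while IFS= read -r f; do
            case "$f" in
                .env|*/.env) echo "blocked: $f (holds SOPS_AGE_KEY)"; bad=1; continue ;;
            esac
            if git show ":$f" | has_age_secret; then
                echo "blocked: $f contains an age secret key"; bad=1
            fi
            if [ "$f" = secrets.yaml ] && ! git show ":$f" | is_sops_encrypted; then
                echo "blocked: $f is staged as plaintext"; bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# Hook usage (assumed wiring): .git/hooks/pre-commit runs this file with --staged
if [ "${1:-}" = "--staged" ]; then check_staged; fi
```

The placeholder value from .env.example style lines (`AGE-SECRET-KEY-xxxxxxxxxxxxxx`) does not match the key pattern, so only real-length keys are flagged.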
