Inspired by how secrets are handled in corporate DevOps environments, I wanted to keep my dotfiles in sync across multiple machines and store all sensitive information in gopass (which I started using instead of KeePass some time ago, since I like its CLI and Unix/KISS approach).

Luckily, I am not the first one with such desires, and I came across chezmoi, which manages your dotfiles in a Git repo and also has support for gopass.

However, there are not many articles on how to do such a setup concretely, and the ones that exist cover tools like Bitwarden, not the tools I described.

Let’s do this!

For the setup I described, first follow the official installation and getting-started guides for gopass and chezmoi. I will not repeat them here: there are many good guides out there (the best ones are from the developers themselves), such tools change over time, and I will likely not update this post often.

Saving the Secrets in Gopass

When saving the secrets, we have to think about how chezmoi will read them back out.

With the gopassRaw function

Tom Payne, the creator of chezmoi, informed me after I published this post that the gopassRaw function works without any base64 encoding or decoding.

This means we can simply save the raw SSH private key as a secret in gopass.

With the gopass function

This is not needed; see the gopassRaw section above.

Currently the gopass function of chezmoi returns only the first line of the secret. That means that if we stored an SSH private key raw, chezmoi would read only the first line of the key, so we should convert the private key into a single line first.

We can convert the SSH private key into one line by running:

base64 < id_rsa | tr -d '\n'

This outputs the SSH private key Base64-encoded on a single line. The tr -d '\n' matters because GNU coreutils base64 wraps its output at 76 characters by default, which would again give gopass a multi-line secret. This single line is the secret we store in gopass.
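The encoding step above, as an added example that is not part of the original post: a small POSIX shell script that encodes a file to a single Base64 line, decodes it again the way b64dec does inside the template, and checks that the round trip is byte-identical. The key material used is a constructed placeholder, not a real key, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): single-line Base64 encoding of a
# private key for the gopass + b64dec variant, with a round-trip check.

# Encode a file as exactly one Base64 line. GNU base64 wraps at 76 columns by
# default; stripping newlines works on both GNU coreutils and macOS base64.
encode_key_one_line() {
    base64 < "$1" | tr -d '\n'
}

# Decode a one-line Base64 secret back into key material (what the chezmoi
# b64dec function does to the output of the gopass function).
decode_key() {
    printf '%s' "$1" | base64 -d
}

# Number of lines in a string, used to confirm the secret is a single line.
line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Constructed placeholder key (NOT a real key): several lines, long enough that
# unwrapped Base64 output would exceed GNU base64's 76-column wrap.
make_sample_key() {
    cat > "$1" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERLINE0000000000000000000000000000000000000000000000
CONSTRUCTEDPLACEHOLDERLINE1111111111111111111111111111111111111111111111
-----END OPENSSH PRIVATE KEY-----
EOF
}

# Full round trip: returns 0 when the encoded secret is one line and decoding
# it restores the original file contents exactly.
roundtrip_ok() {
    tmp=$(mktemp)
    make_sample_key "$tmp"
    secret=$(encode_key_one_line "$tmp")
    decoded=$(decode_key "$secret")
    original=$(cat "$tmp")
    rm -f "$tmp"
    [ "$(line_count "$secret")" = "1" ] && [ "$decoded" = "$original" ]
}

# Usage: encode_key_one_line ~/.ssh/id_rsa | gopass insert SSH/id_rsa
roundtrip_ok && echo "round trip OK: secret is one line and decodes to the original"
```

The usage comment shows the intended pipeline into gopass insert; the script itself only touches a temporary file and never reads a real key.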

Getting the Secret with chezmoi

After setting up chezmoi we can add the files we want it to manage. For the public part of an SSH key this is easy:

chezmoi add .ssh/id_rsa.pub

This adds the public part of the SSH key to chezmoi. The private part is a bit trickier.

First, switch into the chezmoi source directory with

chezmoi cd

Then go into the private_dot_ssh folder, where there is likely already an id_rsa.pub file, and create a private_id_rsa.tmpl file for managing the private key.

Create that file with the following contents:

With the gopassRaw function

{{ gopassRaw "SSH/id_rsa" }}

Here “SSH/id_rsa” is the name of the entry inside gopass and gopassRaw is the chezmoi function that fetches the secret from gopass.

With the gopass function

This is not needed if you follow the gopassRaw section above; I still want to mention it as an alternative.

{{ gopass "SSH/id_rsa" | b64dec }}

Here “SSH/id_rsa” is again the name of the entry inside gopass, and gopass and b64dec are chezmoi template functions: gopass fetches the (single-line, Base64-encoded) secret from gopass, and we pipe it into b64dec, which decodes the Base64 string back into the original key.

Applying it

This is a part I nearly forgot, and it can lead to confusion. First git commit and git push the changes in the Git repo; then we can test the template file by running

chezmoi execute-template < private_id_rsa.tmpl

After this, the most important step is to run

chezmoi apply

to actually apply our changes. If you have already set up chezmoi with gopass on other machines, run

chezmoi update

on those machines to pull the changes and apply them directly.
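As an added example that is not part of the original post, here is a post-apply check I would run on each machine after chezmoi apply or chezmoi update: it verifies that the rendered key file has owner-only permissions (what chezmoi's private_ prefix produces) and that both the BEGIN and END markers are present, which catches the failure mode where only the first line of the secret reached the file. The demo functions use constructed placeholder key material in a temporary directory, not a real key; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the private key
# file after `chezmoi apply`, plus constructed demos of two failure modes.

# Return 0 if the file is owner-only (-rw-------) and its first and last lines
# are BEGIN/END markers; otherwise report why on stderr and return 1.
# ls is used rather than stat because stat's flags differ between GNU and BSD.
check_private_key_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "$f: permissions are $perms, expected -rw-------" >&2; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN ' || { echo "$f: first line is not a BEGIN marker" >&2; return 1; }
    tail -n 1 "$f" | grep -q '^-----END ' || { echo "$f: last line is not an END marker (truncated secret?)" >&2; return 1; }
    return 0
}

# Constructed placeholder key material; NOT a real key.
write_sample_key() {
    cat > "$1" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDER
-----END OPENSSH PRIVATE KEY-----
EOF
}

# Intact key with the mode the private_ prefix yields: the check should pass.
demo_intact_key() {
    dir=$(mktemp -d)
    write_sample_key "$dir/id_rsa"
    chmod 600 "$dir/id_rsa"
    check_private_key_file "$dir/id_rsa" && rc=0 || rc=1
    rm -rf "$dir"
    return $rc
}

# Only the first line of the secret was rendered (what a raw multi-line key
# stored for the `gopass` function would give): the check should fail.
demo_truncated_key() {
    dir=$(mktemp -d)
    write_sample_key "$dir/full"
    head -n 1 "$dir/full" > "$dir/id_rsa"
    chmod 600 "$dir/id_rsa"
    check_private_key_file "$dir/id_rsa" 2>/dev/null && rc=0 || rc=1
    rm -rf "$dir"
    return $rc
}

# World-readable key file (e.g. private_ prefix forgotten): the check should fail.
demo_loose_permissions() {
    dir=$(mktemp -d)
    write_sample_key "$dir/id_rsa"
    chmod 644 "$dir/id_rsa"
    check_private_key_file "$dir/id_rsa" 2>/dev/null && rc=0 || rc=1
    rm -rf "$dir"
    return $rc
}

# Usage on a real machine: check_private_key_file ~/.ssh/id_rsa
demo_intact_key && echo "intact key passes"
demo_truncated_key || echo "truncated key is rejected"
demo_loose_permissions || echo "world-readable key is rejected"
```

On a machine where the check fails with the truncation message, the cause is almost always a multi-line secret combined with the gopass function instead of gopassRaw; the permissions message points at a missing private_ prefix on the target file name.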

That was it! Now we have a nice setup where sensitive data lives in gopass and chezmoi keeps our dotfiles up to date on all machines.