Inspired by the way secrets are handled in corporate DevOps environments, I wanted to keep my dotfiles in sync across multiple machines and store all sensitive information in gopass (which I started using instead of KeePass some time ago, because I like its CLI and its Unix / KISS approach).

Luckily, I am not the first to want this, and I came across chezmoi, which manages your dotfiles in a Git repo and also has support for gopass.

However, there are not many articles on how to do such a setup concretely, and the ones that exist cover other tools, e.g. Bitwarden, rather than the ones I described.

Let’s do this!

To do the setup I described, first follow the official installation and getting-started guides for gopass and chezmoi. I will not repeat them here: there are many good guides out there (the best ones being those from the developers themselves), such tools change over time, and I will likely not update this blog post often.

Saving the Secrets in Gopass

When saving the secrets, we have to think about how chezmoi will read the secret back. Currently the gopass template function of chezmoi returns only the first line of the secret. So while we could store an SSH private key as-is, chezmoi would read only its first line; we should therefore convert the private key to a single line first.

We can convert the SSH private key into a single line by running:

base64 -w0 id_rsa

The -w0 flag matters: GNU coreutils base64 wraps its output at 76 columns by default, and a wrapped secret would again be read only up to its first line. On a base64 without -w, base64 < id_rsa | tr -d '\n' gives the same result. The output is the SSH private key encoded as one line of Base64, and this is the secret we store in gopass.

Getting the Secret with chezmoi

After setting up chezmoi we can add the files we want it to manage. For the public part of an SSH key this is quite easy:

chezmoi add .ssh/id_rsa.pub

This adds the public part of the SSH key to chezmoi. The private part is a bit more tricky.

First we switch into the chezmoi source directory with

chezmoi cd

Then we go into the private_dot_ssh folder, where there is likely already an id_rsa.pub file, and create a private_id_rsa.tmpl file for managing the private key. The private_ prefix tells chezmoi to strip group and other permissions from the target file, which ssh requires before it will use a private key.

Now we should create the file with the following contents:

{{ gopass "SSH/id_rsa" | b64dec }}

Here “SSH/id_rsa” is the path of the secret inside gopass, and gopass and b64dec are chezmoi template functions: gopass fetches the secret from gopass, and we pipe it into b64dec, which decodes the Base64 string back into the original key.
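To check that the encoding step and this template really reproduce the key before trusting it on a real machine, here is an added shell example (not from the original post or the chezmoi project) that encodes a constructed placeholder key, models chezmoi's first-line behaviour with head -n 1, and decodes it again as b64dec would; gopass is not called, the stored secret is held in a shell variable, and wrapped_secret is a hypothetical helper that reproduces GNU base64's default 76-column wrapping so the failure case is visible.

```shell
#!/bin/sh
# Added example, not from the original post. Models the round trip
# base64 -> gopass -> chezmoi gopass function -> b64dec without calling
# gopass. Assumes coreutils-style base64, fold, head, wc and cksum.

# encode_key FILE: the key as exactly one base64 line. tr strips the
# 76-column wrapping that GNU base64 adds by default, so this also works
# with a base64 that has no -w flag.
encode_key() {
    base64 < "$1" | tr -d '\n'
}

# wrapped_secret FILE: what plain `base64` produces on GNU coreutils
# (wrapped at 76 columns), reproduced explicitly here with fold.
wrapped_secret() {
    encode_key "$1" | fold -w 76
}

# simulate_chezmoi_gopass SECRET: chezmoi's gopass template function
# returns only the first line of the secret; head -n 1 reproduces that.
simulate_chezmoi_gopass() {
    printf '%s\n' "$1" | head -n 1
}

# line_count SECRET: number of lines in the stored secret (must be 1).
line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# roundtrip_ok FILE SECRET: succeeds only if decoding what chezmoi would
# see (as b64dec does) reproduces FILE byte for byte; cksum also checks
# the size, so a truncated first line fails. Decode flag is -d on GNU;
# some BSD-derived base64 implementations spell it -D.
roundtrip_ok() {
    rt_want=$(cksum < "$1")
    rt_got=$(simulate_chezmoi_gopass "$2" | base64 -d 2>/dev/null | cksum)
    [ "$rt_got" = "$rt_want" ]
}

# make_sample_key FILE: constructed placeholder, not a real key, long
# enough that its base64 form exceeds 76 columns.
make_sample_key() {
    {
        printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf '%s\n' 'CONSTRUCTEDPLACEHOLDERNOTAREALKEY0123456789abcdefghijklmnopqrstuvwxyz'
        printf '%s\n' 'CONSTRUCTEDPLACEHOLDERNOTAREALKEY0123456789abcdefghijklmnopqrstuvwxyz'
        printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}
# Usage: k=$(mktemp); make_sample_key "$k"; roundtrip_ok "$k" "$(encode_key "$k")" && echo ok
```

Running roundtrip_ok with the output of wrapped_secret instead of encode_key fails, which is exactly what happens when a wrapped secret is stored in gopass.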

Applying it

This is a part I nearly forgot, and it can lead to confusion. We should first git commit and git push our changes in the Git repo (the template contains only the reference to the secret, not the key itself); then we can test our template file by running

chezmoi execute-template < private_id_rsa.tmpl

After that, the most important step is to run

chezmoi apply

to actually apply our changes. If you have already set up chezmoi with gopass on other machines, run

chezmoi update

on those machines to pull the changes and apply them directly.

That was it! Now we have a nice setup where we save sensitive data in gopass and keep our dotfiles up to date on all machines with chezmoi.