Keeping your Dotfiles in Sync and your Secrets in Gopass
Inspired by solutions how Secrets are being handled in corporate DevOps environments, I wanted to keep my Dotfiles on multiple machines in Sync and store all sensitive information inside gopass (which I started using instead of KeePass some time ago since I like the CLI and Unix / KISS aspect of it)
Luckily, I am not the first one to have such desires and I came across chezmoi which manages your Dotfiles for you inside a Git Repo and which also has support for gopass.
However, there are not so many articles out there how to do such a setup concretely and the ones which are out there are for e.g. BitWarden - so not really for the tools I described.
Let’s do this!⌗
To do the setup I described, one should first follow the official installation and getting started guides from gopass and chezmoi. I will not explain this here as there are many good guides out there (the best ones are the ones from the developers themselves) and because such tools also change with time and I will likely not update this blog post often.
Saving the Secrets in Gopass⌗
When saving the secrets, we have to think about how chezmoi will get the secret out. Currently the gopass
function of chezmoi will only return the first line of the secret.
That means while we could save e.g. a SSH Private Key in Raw, chezmoi will only read the first line of the Key, so we should better convert the SSH Private Key first.
We can simply convert SSH Private Key in one line by running:
cat id_rsa | base64
This will output one line of the SSH Private Key encoded in Base64. This is the secret we should store in gopass.
Getting the Secret with chezmoi⌗
After setting up chezmoi we can add the files we want chezmoi to manage. For the public part of a SSH Key this is quite easy:
chezmoi add .ssh/id_rsa.pub
Will add the public part of the SSH Key to chezmoi. However, the private part is a bit more tricky.
First we should switch into the chezmoi directory with
chezmoi cd
Then we should go into the private_dot_ssh
folder where there is likely already a id_rsa.pub
file but we need to create a private_id_rsa.tmpl
file for managing the private key.
Now we should create the file with the following contents:
{{ gopass "SSH/id_rsa" | b64dec }}
Where “SSH/id_rsa” is the name of the file inside of gopass and gopass
and b64dec
are chezmoi functions. gopass
is the function to get the secret from gopass and then we pipe it into the b64dec
function which decodes the Base64 string.
Applying it⌗
This is a part I nearly forgot and which can lead to confusion. We should first git commit
and git push
our changes in the Git Repo, then we can test our template file by running
chezmoi execute-template < private_id_rsa.tmpl
after this the most important step is to run
chezmoi apply
to actually apply our changes and if you already setup chezmoi update on other machines with gopass you will need to run
chezmoi update
on these other machines to pull the changes and directly apply them.
That was it! Now we have a nice setup where we can save sensitive data in gopass and then keep our Dotfiles up-to-date on all machines with chezmoi.