Unless you're good at actually maintaining your gpg keychain and need other people to access this, I really wouldn't bother with gpg. There are way better and simpler options.

Age has a simpler interface and SSH key support: https://github.com/FiloSottile/age

ejson2env has the environment variable integration and ejson has multiple backends: https://github.com/Shopify/ejson2env

direnv can support any CLI secrets manager per project directory: https://direnv.net/

I've dealt with enough "why did this break" situations with gpg secrets files used by capable teams that I'd never recommend that to anyone. And unless you really need the public key support (teams and deployment support), you're unlikely to gain anything better over a password manager.

The more general version of this is probably sops[1].

(A general problem with these kinds of “wrap GPG” tools is that you end up with “mystery meat” encryption/signatures: your tool’s security margin is at the mercy of GPG’s opaque and historically not very good defaults.)

[1]: https://github.com/getsops/sops

Since GPG and openssh support the TPM for some operations, I am tempted to store secrets in the TPM instead; I think a hardware safe is better than messing with persistent env vars and having to pay attention to children etc.

But I am very nervous about doing so, since I have heard bad things about the reliability of the TPM (limited writes or something?) and locking myself out of important places. Any people with experience using the TPM for secrets in Linux?

The correct way to do stuff like this these days with openpgp is to use a SOP (stateless openpgp) implementation: https://www.openpgp.org/about/sop/

Couldn't you just use pass and have something like this in your bash script/env:

export SOME_SECRET="$(pass show some/secret)"

I've forked the repo and created a zsh version: https://github.com/vapniks/shell-secrets

For a newer password manager: https://github.com/FiloSottile/passage

I store my secrets in gpg encrypted files and inject them into my environment in my shell rc file.

AWS_SECRET_ACCESS_KEY=$(gpg -d ~/.secrets/aws/key.asc)

type of deal. It's annoying to put in a password every time I open a new tmux pane but hey, better than plain text.
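The "decrypt a file and inject it into the environment" pattern from the pass and gpg comments above, as an added example that is not from any commenter or project on this page: it loads several KEY=VALUE secrets from one encrypted file into the current shell without `eval`, so a malformed or hostile line cannot execute commands. The age identity path, the file-extension convention and the plaintext fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Decryption backend is picked by
# file extension; anything else is read as plaintext, which exists only
# so the loader can be exercised without age/gpg installed.
# Assumed: age and gpg on PATH; identity at ~/.config/age/keys.txt
# unless AGE_IDENTITY is set.
decrypt_secrets() {
  case "$1" in
    *.age)       age -d -i "${AGE_IDENTITY:-$HOME/.config/age/keys.txt}" "$1" ;;
    *.asc|*.gpg) gpg --quiet --decrypt "$1" ;;
    *)           cat "$1" ;;   # plaintext fallback, for testing only
  esac
}

# Read KEY=VALUE lines on stdin and export each one. The key must be a
# valid identifier, so no eval is needed and a line such as
# "TOKEN=$(rm -rf ~)" is exported as a literal string, never executed.
export_secret_lines() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                     # blank line or comment
      *=*)     ;;                              # has a separator, keep
      *)       printf 'skipping line without "=": %s\n' "$line" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}                           # keeps any later "=" intact
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        printf 'skipping malformed key: %s\n' "$key" >&2; continue ;;
    esac
    export "$key=$value"
  done
}

# load_secrets FILE: decrypt FILE and export its variables into the
# *current* shell. A here-document is used instead of a pipe because a
# pipe would run the loop in a subshell under bash and lose the exports.
# The plaintext is not re-expanded by the here-document, so "$" in a
# secret value stays literal.
load_secrets() {
  [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 1; }
  export_secret_lines <<EOF
$(decrypt_secrets "$1")
EOF
}
```

Source the file from your rc and call `load_secrets ~/.secrets/env.age` (assumed path); age or gpg prompts once for the identity passphrase, exactly as the single-variable version does.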