Manage Secrets in Git and CI

Ward and Eric were chatting about handling secrets in Wiki. Jogging my memory about a post by George Reilly about using @yesthattom's Blackbox and Paperkey to manage secrets in Git and CI: blog

Typical PGP Message (Figure from Network Security: Email Security, PKI, Tuomas Aura)

> Only the recipients have the private keys (in theory, at least). Therefore, only a recipient can decrypt the encrypted file.
>
> To decrypt the file for a recipient, GPG:
>
> - finds the encrypted session key packet whose keyID matches the recipient's public key
> - decrypts the session key using the recipient's private key
> - decrypts the encrypted, compressed data using the session key
> - decompresses the decrypted data
> - verifies the signature, if present
> - writes the cleartext
>
> This is a hybrid scheme. Symmetric encryption is a lot faster than public key/private key asymmetric encryption, so it's used to encrypt the actual data. Furthermore, if the data were entirely encrypted with a recipient's public key, then encrypting for N recipients would mean that the size of the result would be proportional to the number of recipients times the length of the original data. With the hybrid scheme, the header grows a few hundred bytes for each recipient but the data is encrypted only once, with faster encryption.
>
> Blackbox encrypts a registered file with all of the administrators as the recipients, so any administrator can decrypt the file.
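The hybrid scheme the quoted passage describes, as an added Go example (not Blackbox's or GPG's code): one random session key seals the data once with AES-256-GCM, the key is wrapped separately for each administrator with RSA-OAEP, and decryption looks up the packet for the recipient's key ID before unwrapping. The type and function names (Message, NewAdminKey, Encrypt, Decrypt) and the use of a plain string label as the key ID are assumptions for this demo, standing in for OpenPGP's real packet formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Message is the hybrid-encrypted output: N small header packets plus the data sealed once.
type Message struct {
	Packets    map[string][]byte // key ID (a hypothetical label here) -> RSA-OAEP-wrapped session key
	Nonce      []byte
	Ciphertext []byte
}

// must panics on errors that would only mean programmer error in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// NewAdminKey stands in for one administrator's GPG key pair (RSA-2048 here).
func NewAdminKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Encrypt: one random session key, data sealed once with AES-256-GCM, the key wrapped per recipient.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) *Message {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))
	must(rand.Read(nonce))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	msg := &Message{Packets: map[string][]byte{}, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for id, pub := range recipients {
		msg.Packets[id] = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	}
	return msg
}

// Decrypt follows the quoted GPG steps: find the packet whose key ID matches, unwrap it, open the data.
func Decrypt(msg *Message, keyID string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped := msg.Packets[keyID] // nil when no packet was made for this key ID
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err // no packet for this recipient, or the wrong private key: the OAEP check fails
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}
```

With two admins registered, the header holds two 256-byte packets while the sealed data stays at plaintext length plus the 16-byte GCM tag, which is the size argument the passage makes.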