
[Question] How would a deployment server decrypt a file? Assuming it's a `.env` file

Open simkimsia opened this issue 3 years ago • 3 comments

Hi there, I'm completely new to git-crypt.

I read an article about this git-crypt and I have a question. Suppose I use git-crypt to encrypt a .env file for production environment secrets. I push it to my github repo.

My deployment server would typically run a git pull and it has the deploy key stored on the same GitHub repo ensuring it's read-only.

Now how would the deployment server decrypt the .env correctly?

simkimsia avatar Jan 03 '21 08:01 simkimsia

Presumably your deployment system would pass along the required credentials ... a GPG private key or a passphrase as an environment variable. The secret passed along in memory as part of the deployment is presumably smaller than whatever you have encrypted in the repository and doesn't need to be versioned. You use the secret from your deployment system to unlock the repository after checkout.

alerque avatar Jan 07 '21 14:01 alerque

Git-crypt supports providing a symmetric key with git-crypt unlock filename. You can get this key by running git-crypt export-key filename. Normally this symmetric key sits inside the .git-crypt directory, encrypted with your gpg key.

etam avatar Apr 07 '22 13:04 etam

Assuming your deployment system can pass your base64-encoded git-crypt key in an environment variable named GIT_CRYPT_KEY, you could unlock as follows:

# Unlock git-crypt. The trailing "-" tells git-crypt unlock to read the key from stdin.
echo "$GIT_CRYPT_KEY" | base64 -d | git-crypt unlock -

An example with GitHub Actions: https://github.com/eidorb/aws/blob/c77af3896df081bc7e7d690d2617628ae7bdc870/.github/workflows/deploy.yml#L52-L53.

eidorb avatar Jul 03 '22 05:07 eidorb
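The deploy-step unlock described in the last two comments, written out as an added example (this is not git-crypt's own code and not the workflow linked above): the base64 key from the GIT_CRYPT_KEY variable is decoded into a private temp file, checked for git-crypt's key-file magic before use, and the .env is checked afterwards for the encrypted-blob magic so the deployment fails early instead of running with an unreadable secrets file. The function and file names are assumptions.

```shell
#!/bin/sh
# Hypothetical deploy helper: unlock a git-crypt repo from a key passed as base64
# in $GIT_CRYPT_KEY (as in the comment above). Run from the repository root.
set -eu

# Decode the base64 key text in $1 into a temp file (mktemp creates it 0600)
# and print the path. Fails on an empty variable or on invalid base64, so a
# mis-pasted CI secret is caught before git-crypt ever sees it.
decode_key_file() {
    key_b64=$1
    [ -n "$key_b64" ] || { echo "error: GIT_CRYPT_KEY is empty" >&2; return 1; }
    keyfile=$(mktemp "${TMPDIR:-/tmp}/git-crypt-key.XXXXXX")
    if ! printf '%s' "$key_b64" | base64 -d > "$keyfile" 2>/dev/null; then
        rm -f "$keyfile"
        echo "error: GIT_CRYPT_KEY is not valid base64" >&2
        return 1
    fi
    printf '%s\n' "$keyfile"
}

# Exported git-crypt key files start with the 12-byte magic "\0GITCRYPTKEY";
# compare the first 12 bytes with the NUL stripped so plain sh can handle them.
looks_like_git_crypt_key() {
    [ "$(head -c 12 "$1" | tr -d '\000')" = "GITCRYPTKEY" ]
}

# Files still in encrypted form start with the 10-byte magic "\0GITCRYPT\0".
# True means unlock did not take effect for this path (wrong key, or the path
# is not covered by .gitattributes the way the deployer expects).
is_still_encrypted() {
    [ "$(head -c 10 "$1" | tr -d '\000')" = "GITCRYPT" ]
}

# Full deploy step: decode, sanity-check, unlock, verify .env, and always
# remove the temp key file afterwards.
unlock_repo() {
    keyfile=$(decode_key_file "${GIT_CRYPT_KEY:-}")
    trap 'rm -f "$keyfile"' EXIT
    looks_like_git_crypt_key "$keyfile" || { echo "error: not a git-crypt key file" >&2; return 1; }
    git-crypt unlock "$keyfile"
    if is_still_encrypted .env; then
        echo "error: .env is still encrypted after unlock" >&2
        return 1
    fi
}
```

Calling unlock_repo (for example from the deploy job after the checkout step) replaces the one-liner above when you want the key and the result validated; the stdin form in eidorb's comment remains the shorter option when no temp file is wanted.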