Dotfile encryption with GPG

Brandur brandur at
Wed Nov 19 07:06:54 CET 2014

Hi gnupg-users,

One of the GPG use cases that I'm most interested in is the encryption
of some dotfiles which normally reside in my home directory in
cleartext, but which contain sensitive credentials.

An example of such a file is be `~/.netrc`, a somewhat standardized file
that stores web credentials and can be read in by programs such as Curl
[1]. One trick to get Curl to read a GPG-encrypted `.netrc` is to pipe
it in via stdin as demonstrated here:

    curl="gpg --batch -q -d $HOME/.netrc.gpg | curl --netrc-file /dev/stdin"

This works out pretty well in the case of Curl, but breaks down for more
complex programs. For example, if in this case Curl wanted to *write*
information back to `.netrc`, this basic approach would no longer be

One way around this is to start baking GPG support into any program that
needs this more sophisticated functionality, but this isn't always
possible. Another possible solution is to "wrap" programs with a script
that will pass a decrypted file to a program, and optionally re-encrypt
the file after the program has exited. I've written a small example of
what this might look like that I call "gpgup" here [2]. Going back to
our Curl example, it would be used like this:

    __curl() { GPGUP_PATH=$HOME/.netrc.gpg gpgup 'curl --netrc-file $GPGUP_PATH' $@ }
    alias curl=__curl

A challenge here is that a temporary store must be available that's
suitable to temporarily write a decrypted file to, and which would make
recovery of the cleartext difficult. I personally write to an encrypted
partition which I think is secure enough for *my* purposes. Other
possibilities here might be ephemeral stores like a ramdisk just in case
a bad exit left a decrypted file behind.

My question here is: is there something that I'm missing? Does the
standard GPG toolbox include something that would solve this problem
more elegantly? If not, would my approach here be considered "good

Thanks for the help!


More information about the Gnupg-users mailing list