blackbox: Decrypt GPG-Protected Repo Files
blackbox stores files GPG-encrypted in a repo and provides commands to decrypt them all when a trusted key is available.
StackExchange blackbox is a set of scripts that keep secrets encrypted in Git and decrypt them at deploy time. In CI you import a GPG key, then run the decrypt-all command.
What it does
blackbox keeps a list of encrypted files (.gpg) and their admins (GPG key IDs). blackbox_decrypt_all_files decrypts every registered file into plaintext using a private key in the keyring; blackbox_postdeploy is the deploy-time alias that does the same.
Common usage
# import the deploy GPG key first, then:
blackbox_postdeploy
# or decrypt everything explicitly
blackbox_decrypt_all_files
# check what is registered
blackbox_list_filesOptions
| Command | What it does |
|---|---|
| blackbox_decrypt_all_files | Decrypt every registered file into plaintext |
| blackbox_postdeploy | Deploy-time alias to decrypt all files |
| blackbox_list_files | List the files blackbox manages |
| blackbox_edit_start / _end | Decrypt a single file to edit, then re-encrypt |
In CI
Import the deploy GPG private key non-interactively into a job-local GNUPGHOME, run blackbox_postdeploy, use the plaintext, then wipe GNUPGHOME. The key must be one of the admins registered for the files or decryption fails.
Common errors in CI
"gpg: decryption failed: No secret key" means the imported GPG key is not an admin for those files. A pinentry hang means GPG tried to prompt; run in batch/no-tty mode. "blackbox_list_files: command not found" means the blackbox bin directory is not on PATH.