Skip to content
Latchkey

blackbox: Decrypt GPG-Protected Repo Files

blackbox stores files GPG-encrypted in a repo and provides commands to decrypt them all when a trusted key is available.

StackExchange blackbox is a set of scripts that keep secrets encrypted in Git and decrypt them at deploy time. In CI you import a GPG key, then run the decrypt-all command.

What it does

blackbox keeps a list of encrypted files (.gpg) and their admins (GPG key IDs). blackbox_decrypt_all_files decrypts every registered file into plaintext using a private key in the keyring; blackbox_postdeploy is the deploy-time alias that does the same.

Common usage

Terminal
# import the deploy GPG key first, then:
blackbox_postdeploy
# or decrypt everything explicitly
blackbox_decrypt_all_files
# check what is registered
blackbox_list_files

Options

CommandWhat it does
blackbox_decrypt_all_filesDecrypt every registered file into plaintext
blackbox_postdeployDeploy-time alias to decrypt all files
blackbox_list_filesList the files blackbox manages
blackbox_edit_start / _endDecrypt a single file to edit, then re-encrypt

In CI

Import the deploy GPG private key non-interactively into a job-local GNUPGHOME, run blackbox_postdeploy, use the plaintext, then wipe GNUPGHOME. The key must be one of the admins registered for the files or decryption fails.

Common errors in CI

"gpg: decryption failed: No secret key" means the imported GPG key is not an admin for those files. A pinentry hang means GPG tried to prompt; run in batch/no-tty mode. "blackbox_list_files: command not found" means the blackbox bin directory is not on PATH.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →