
gpg

chezmoi supports encrypting files with gpg. Encrypted files are stored in the source state and are automatically decrypted when chezmoi generates the target state or prints a file's contents with chezmoi cat.

Asymmetric (private/public-key) encryption

Specify the encryption key to use in your configuration file (chezmoi.toml) with the gpg.recipient key. The value is anything gpg's --recipient option accepts, such as a key ID, a fingerprint, or the email address of a user ID:

~/.config/chezmoi/chezmoi.toml
encryption = "gpg"
[gpg]
    recipient = "..."

chezmoi will encrypt files with:

gpg --armor --recipient <recipient> --encrypt

and store the encrypted file in the source state. The file will automatically be decrypted when generating the target state.

Hint

The key named by gpg.recipient must be ultimately trusted. Otherwise gpg stops to ask whether you really want to use a key whose ownership is not certain, and because chezmoi does not answer interactive prompts, encryption fails. You can check the trust level by running:

$ gpg --export-ownertrust

Each output line has the form FINGERPRINT:LEVEL:. The level for the recipient's key should be 6 (ultimate). If it is not, you can change the trust level by running:

$ gpg --edit-key <recipient>

Enter trust at the prompt, choose 5 = I trust ultimately, then enter quit to leave the editor.
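The trust check above can be scripted as a pre-flight test before the first chezmoi add --encrypt, so that a missing ownertrust entry is caught instead of surfacing as a hung or failed gpg run. The script below is an added example and not part of chezmoi or gpg. It resolves the recipient to a primary-key fingerprint from the machine-readable listing (gpg --with-colons --list-keys) and looks that fingerprint up in the gpg --export-ownertrust output. The two embedded samples are constructed stand-ins for real gpg output (the fingerprints and the user ID user@example.com are made up), so the script runs offline; pass a real recipient as the first argument on a machine with gpg to check the actual keyring.

```shell
#!/usr/bin/env bash
# Pre-flight check for chezmoi's gpg.recipient: confirm the recipient's key is
# ultimately trusted (ownertrust level 6) so that "gpg --encrypt" does not stop
# at the interactive "Use this key anyway?" prompt that chezmoi cannot answer.
# Added example, not part of chezmoi. Fingerprints and user IDs are constructed.
set -u

# Constructed stand-in for `gpg --export-ownertrust` output.
# Format: FINGERPRINT:LEVEL:  with 2=undefined 3=never 4=marginal 5=full 6=ultimate
SAMPLE_OWNERTRUST='# List of assigned trustvalues, created Mon 01 Jan 2024 00:00:00 UTC
# (Use "gpg --import-ownertrust" to restore them)
0123456789ABCDEF0123456789ABCDEF01234567:6:
89ABCDEF0123456789ABCDEF0123456789ABCDEF:4:
'

# Constructed stand-in for `gpg --with-colons --list-keys user@example.com`.
# The "fpr" record carries the fingerprint in field 10; the first one is the
# primary key's.
SAMPLE_LIST_KEYS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
'

# fingerprint_of LISTING: print the primary-key fingerprint from a
# --with-colons listing, or nothing if no fpr record is present.
fingerprint_of() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# ownertrust_level FINGERPRINT OWNERTRUST_TEXT: print the numeric ownertrust
# level recorded for FINGERPRINT, or 0 when the key has no ownertrust entry.
ownertrust_level() {
    printf '%s\n' "$2" | awk -F: -v fpr="$1" '
        /^#/ { next }
        $1 == fpr { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# trust_name LEVEL: the name gpg uses for an ownertrust level.
trust_name() {
    case "$1" in
        2) echo undefined ;; 3) echo never ;; 4) echo marginal ;;
        5) echo full ;;      6) echo ultimate ;; *) echo unknown ;;
    esac
}

# recipient_ready LISTING OWNERTRUST_TEXT: succeed only if the recipient's
# primary key exists and is ultimately trusted, i.e. chezmoi can encrypt to it
# without gpg asking for confirmation.
recipient_ready() {
    local fpr level
    fpr=$(fingerprint_of "$1")
    [ -n "$fpr" ] || return 1
    level=$(ownertrust_level "$fpr" "$2")
    [ "$level" -eq 6 ]
}

main() {
    local recipient listing ownertrust fpr level
    recipient=${1:-user@example.com}
    if [ $# -gt 0 ] && command -v gpg >/dev/null 2>&1; then
        # Real keyring: resolve the recipient exactly as gpg --recipient would.
        listing=$(gpg --with-colons --list-keys "$recipient" 2>/dev/null)
        ownertrust=$(gpg --export-ownertrust 2>/dev/null)
    else
        echo "gpg not used; checking the constructed sample data instead"
        listing=$SAMPLE_LIST_KEYS
        ownertrust=$SAMPLE_OWNERTRUST
    fi
    fpr=$(fingerprint_of "$listing")
    if [ -z "$fpr" ]; then
        echo "no public key found for $recipient"
        return 1
    fi
    level=$(ownertrust_level "$fpr" "$ownertrust")
    echo "recipient $recipient -> $fpr ownertrust $level ($(trust_name "$level"))"
    if recipient_ready "$listing" "$ownertrust"; then
        echo "OK: gpg --armor --recipient $recipient --encrypt will not prompt"
    else
        echo "NOT READY: run 'gpg --edit-key $recipient', enter trust, choose 5, then quit"
        return 1
    fi
}

main "$@"
```

A non-zero exit from the script is the signal to fix the ownertrust before pointing chezmoi at the key; once the level reads 6 the encrypt command chezmoi runs completes without any prompt.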

Symmetric encryption

Specify symmetric encryption in your configuration file:

~/.config/chezmoi/chezmoi.toml
encryption = "gpg"
[gpg]
    symmetric = true

chezmoi will encrypt files with:

gpg --armor --symmetric

gpg asks for the passphrase through pinentry when encrypting and again when decrypting, unless gpg-agent still has it cached. This works with chezmoi because the pinentry dialog is handled by gpg-agent rather than read from chezmoi's terminal input.