regpg program is a thin wrapper around
gpg for looking after
secrets that need to be stored encrypted in a version control system
(so you don't have to trust the VCS server) and decrypted when your
configuration management system deploys them to servers.
discreet and discrete
regpg is designed to store each secret in its own
ASCII-armored PGP-encryped file, separate from non-secret
code and configuration. The only other file
is a public keyring.
simplified key management
regpg manages a keyring containing the public keys of
whoever is allowed to decrypt the secrets.
There is no need to curate your personal public keyring, or
get involved in the web of trust, or use PGP keyservers.
You exchange public keys with your colleagues via the
pubring.gpg file in your version control system.
After you have added or removed a key it is easy to re-encrypt
regpg can check that all secrets are properly
encrypted to the keys in its
regpg has subcommands for generating and encrypting TLS and
SSH private keys in one step, and for wrangling X.509
There are also some quick
init commands to get
regpg hooked up
git, and some
conv commands to help you
regpg from other tools.
regpg help displays the reference manual, or you can read it at
an introduction and overview of
regpg's approach to handling secrets.
regpg's threat model.
If you use
regpg, let me know! Send me mail at email@example.com.
If you would like to submit a bug report or a patch, see doc/contributing.md
For a simple one-file install you can copy the
regpg script to a
directory on your
You can run
make install to install the script and man page to
the standard places in your home directory. See the start of the
Makefile for variables you can set on the command line to adjust
the install location.
regpg you need the following programs. I've listed the
versions that I have tested.
perl- 5.20 - 5.22
gpg- 1.4.18 - 2.0.26 - 2.1.11
gpg-agent- 2.0.26 - 2.1.11
You only need the following programs if you use
git- 2.7 - 2.10
Download the single-file
regpg perl script:
and its GPG signature
Download the full source archives and GPG signatures:
You can clone or browse the repository from:
Thanks to Jon Warbrick who gave me the idea for
management, and David McBride for helpful discussions.
Written by Tony Finch firstname.lastname@example.org email@example.com
at Cambridge University Information Services.
You may do anything with this. It has no warranty.