regpg program is a thin wrapper around
gpg for looking after
secrets that need to be stored encrypted in a version control system
(so you don't have to trust the VCS server) and decrypted when your
configuration management system deploys them to servers.
discreet and discrete
regpg is designed to store each secret in its own
ASCII-armored PGP-encryped file, separate from non-secret
code and configuration. The only other file
is a public keyring.
simplified key management
regpg manages a keyring containing the public keys of
whoever is allowed to decrypt the secrets.
There is no need to curate your personal public keyring, or
get involved in the web of trust, or use PGP keyservers.
You exchange public keys with your colleagues via the
pubring.gpg file in your version control system.
After you have added or removed a key it is easy to re-encrypt
regpg can check that all secrets are properly
encrypted to the keys in its
regpg has subcommands for generating and encrypting TLS and
SSH private keys in one step, and for wrangling X.509
There are also some quick
init commands to get
regpg hooked up
git, and some
conv commands to help you
regpg from other tools.
conventional project layout
At the root of your project you have a
pubring.gpg file which
lists the set of people who can decrypt the secrets. This is your
current working directory when using
regpg. Elsewhere in your
project directory and its subdirectories you have encrypted
secret.asc files. The F<.asc> extension is short for
ASCII-armored PGP message.
when not to use
It's usually better to use HashiCorp Vault or your cloud provider's native secret management, if you can.
regpg help displays the reference manual, or you can read it at
an introduction and overview of
regpg's approach to handling secrets.
regpg's threat model.
regpg release notes and change summary.
If you use
regpg, let me know! Send me mail at email@example.com.
If you would like to submit a bug report or a patch,
or if you would like more information about
regpg's licence, see
For a simple one-file install you can copy the
regpg script to a
directory on your
You can run
make install to install the script and man page to the
standard places in your home directory, and
make uninstall to remove
them. See the start of the
Makefile for variables you can set on the
command line to adjust the install location. See
for details about building from
regpg you need the following programs. I've listed the
versions that I have tested.
perl- 5.20 - 5.22 - 5.26
gnupg- 1.4.18 - 2.0.26 - 2.1.11 - 2.2.1
gnupg-agent- 2.0.26 - 2.1.11 - 2.2.1
You only need the following programs if you use
git- 2.7 - 2.10 - 2.15
You only need the following to build from
make- any version should do
libtext-markdown-perlon Debian-like systems
libperl-critic-perlon Debian-like systems
Download the single-file
regpg perl script:
and its GPG signature.
Download the full source archives and GPG signatures:
You can clone or browse the repository from:
Thanks to Jon Warbrick who gave me the idea for
management; and David Carter, Ben Harris, Ian Lewis, David McBride,
mchubby, and Matthew Vernon for
helpful bug reports and discussions.
Written by Tony Finch firstname.lastname@example.org email@example.com
at Cambridge University Information Services.
regpgis free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
regpgis distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
regpg. If not, see http://www.gnu.org/licenses/.