This repository uses Ansible Vault to securely store and sync SSH and GPG keys across machines.
- Encryption: your private keys are encrypted with Ansible Vault (AES-256, with the key derived from a password you choose), so the strength of that password is what actually protects the keys
- Storage: the encrypted keys are committed to your git repository as ciphertext; anyone who can read the repository can attempt offline password guessing, so treat the vault password with the same care as the private keys themselves
- Decryption: on new machines, the keys are automatically decrypted during installation
- Security: only you have the vault password, and it is never committed to git
First, create a vault password file (this is done once). Note that a command line like the `echo` below is recorded in your shell history; prefix it with a space (`HISTCONTROL=ignorespace` in bash, `setopt HIST_IGNORE_SPACE` in zsh) or paste the password from your password manager instead of typing it on the command line:
```bash
echo "your-very-secure-password" > ~/dotfiles/.vault_password
chmod 600 ~/dotfiles/.vault_password
```
- Choose a strong, memorable password (a long passphrase; it is the only thing standing between the ciphertext in git and your private keys)
- This file is in `.gitignore` and will NEVER be committed
- Keep this password safe: you'll need it on every machine
- Consider storing it in a password manager
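The commands above put the password on a command line, where it ends up in shell history. As an added example (my own code, not part of this repository), here is a small script that creates `.vault_password` from standard input under a restrictive umask and then verifies the file's mode and contents; the function names are my own:

```bash
#!/usr/bin/env bash
# Added example, not from the dotfiles repo: create and verify the vault
# password file without the password ever appearing on a command line.
set -eu

# Read the password from stdin (pipe it from a password manager CLI, or type it
# after `stty -echo`) and write it with umask 077, so the file is mode 0600 from
# the moment it exists; there is no window in which it is world-readable.
create_vault_password_file() {
  path=$1
  pass=''
  IFS= read -r pass || true
  if [ -z "$pass" ]; then
    echo "refusing to create $path with an empty password" >&2
    return 1
  fi
  if [ -e "$path" ]; then
    echo "$path already exists; remove it first if you really mean to replace it" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$pass" > "$path" )
  unset pass
}

# Return 0 only if the password file is a regular, non-empty file with mode 0600.
# `stat -c` is GNU, `stat -f` is BSD/macOS; whichever is available is used.
check_vault_password_file() {
  path=$1
  [ -f "$path" ] && [ -s "$path" ] || return 1
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ]
}
```

Usage: `printf '%s\n' "$(some-password-manager-cli ...)" | create_vault_password_file ~/dotfiles/.vault_password` and then `check_vault_password_file ~/dotfiles/.vault_password` before running the installer (the password manager command is a placeholder).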
Use the backup script to encrypt and store your keys:
```bash
~/dotfiles/backup-secrets.sh
```
The script will:
- Prompt you to select SSH keys, GPG keys, shell history, or all
- Automatically filter secrets from shell history (still review the result before committing; no filter catches every token)
- Encrypt them with your vault password
- Save the encrypted versions to the `secrets/` directory
Then commit the encrypted files:
```bash
cd ~/dotfiles
git add secrets/
git commit -m "Add encrypted SSH and GPG keys"
git push
```
Before pushing, confirm that only `*.vault` files are staged under `secrets/` (each starts with an `$ANSIBLE_VAULT;` header line). A plaintext key pushed by mistake must be treated as compromised and rotated; rewriting history afterwards does not reliably unpublish it.

On a new machine, clone the repository and recreate the vault password file:
```bash
git clone git@github.com:edbzn/dotfiles.git ~/dotfiles
echo "your-very-secure-password" > ~/dotfiles/.vault_password
chmod 600 ~/dotfiles/.vault_password
```
Use the same password you used when encrypting the keys!
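To catch a plaintext key being committed under `secrets/` by mistake at the commit step above, here is an added example (my own code, not part of this repository) of a check that can be run by hand or installed as `.git/hooks/pre-commit`. A file passes only if its first line is an Ansible Vault header; anything else, including an OpenSSH or PEM private key, is rejected. The function names and the sample files in the usage note are my own:

```bash
#!/usr/bin/env bash
# Added example, not from the dotfiles repo: refuse to commit anything under
# secrets/ that is not an Ansible Vault envelope.
set -eu

# Return 0 if the first line of the file is an Ansible Vault header.
# Format 1.1 is "$ANSIBLE_VAULT;1.1;AES256"; format 1.2 (written when a vault id
# label is used, as with --encrypt-vault-id default) appends the label.
is_vault_file() {
  header=''
  IFS= read -r header < "$1" || [ -n "$header" ] || return 1
  case "$header" in
    '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every regular file in the directory that is not a vault envelope.
# Returns 1 if any were found, 0 if the directory is clean.
check_secrets_dir() {
  rc=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if ! is_vault_file "$f"; then
      printf '%s\n' "$f"
      rc=1
    fi
  done
  return "$rc"
}

# Pre-commit variant: check only the files staged under secrets/.
check_staged_secrets() {
  rc=0
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    if ! is_vault_file "$f"; then
      echo "refusing to commit plaintext under secrets/: $f" >&2
      rc=1
    fi
  done <<EOF
$(git diff --cached --name-only --diff-filter=AM -- secrets/)
EOF
  return "$rc"
}
```

Usage: run `check_secrets_dir ~/dotfiles/secrets` before `git add`, or put `check_staged_secrets` as the last line of the hook script so that a non-zero status aborts the commit. The check looks only at the header, which is enough to distinguish an envelope from a raw key; it does not prove the envelope was made with your current password, which `ansible-vault view` does.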
Now run the installer:
```bash
~/dotfiles/install.sh
```
The installation will automatically:
- Detect encrypted keys in the `secrets/` directory
- Decrypt and restore your SSH keys to `~/.ssh/`
- Import your GPG keys
- Restore your shell history (with secrets already filtered)
- Set correct permissions (SSH refuses a private key that is group- or world-readable, so `~/.ssh` must be 700 and private keys 600)
Files are mapped as follows:
- `~/.ssh/id_ed25519` → `secrets/id_ed25519.vault` (or your key name)
- `~/.ssh/id_ed25519.pub` → `secrets/id_ed25519.pub.vault`
- Your GPG private key → `secrets/gpg-private-key.asc.vault`
- `~/.zsh_history` → `secrets/zsh_history.vault` (secrets automatically filtered)
You can also operate on the vault files by hand. Encrypt a file:
```bash
ansible-vault encrypt path/to/file \
  --vault-id default@~/dotfiles/.vault_password \
  --encrypt-vault-id default \
  --output=secrets/filename.vault
```
Decrypt a file:
```bash
ansible-vault decrypt secrets/filename.vault \
  --vault-id default@~/dotfiles/.vault_password \
  --output=path/to/destination
```
View a file without writing the plaintext to disk:
```bash
ansible-vault view secrets/id_ed25519.vault \
  --vault-id default@~/dotfiles/.vault_password
```
Edit a file in place:
```bash
ansible-vault edit secrets/gpg-private-key.asc.vault \
  --vault-id default@~/dotfiles/.vault_password
```
To rotate the vault password:
```bash
# Create new password file
echo "new-secure-password" > ~/dotfiles/.vault_password_new
chmod 600 ~/dotfiles/.vault_password_new
# Rekey all encrypted files
ansible-vault rekey secrets/*.vault \
  --vault-id default@~/dotfiles/.vault_password \
  --new-vault-id default@~/dotfiles/.vault_password_new
# Confirm the new password decrypts before discarding the old one
ansible-vault view secrets/id_ed25519.vault \
  --vault-id default@~/dotfiles/.vault_password_new > /dev/null
# Replace old password file
mv ~/dotfiles/.vault_password_new ~/dotfiles/.vault_password
```
Rekeying only changes which password unlocks the current files: the earlier ciphertext stays in git history, still decryptable with the old password, and the SSH and GPG keys inside are unchanged. If the old vault password may have leaked, rotate the SSH and GPG keys themselves and re-run the backup, not just the rekey.

To only restore keys without running the full installation:
```bash
cd ~/dotfiles
ansible-playbook playbook.yml --tags secrets
```
If decryption fails, make sure:
- The `.vault_password` file exists and contains the correct password
- The password matches what you used to encrypt the keys (a stray character in the file counts as a different password)
- File permissions are correct:
```bash
chmod 600 .vault_password
```
Check if encrypted keys exist:
```bash
ls -la ~/dotfiles/secrets/
```
If empty, you need to run `backup-secrets.sh` on a machine that has the keys.

Test whether the password is correct:
```bash
ansible-vault view secrets/id_ed25519.vault \
  --vault-id default@~/dotfiles/.vault_password
```
If this works, your password is correct! A wrong password fails with a decryption error rather than producing garbage, because the vault's HMAC check rejects a key derived from the wrong password.
- Never Commit Vault Password: already in `.gitignore`; also keep it out of shell history and CI logs
- Use Strong Password: a long passphrase; everyone with read access to the repository holds your ciphertext, so offline guessing is the realistic attack
- Store Password Safely: use a password manager
- Rotate Periodically: change the vault password every 6-12 months, and rotate the keys themselves if the password may have leaked, since old ciphertext remains in git history
- Backup Keys: keep an encrypted backup outside git too
- Audit Access: monitor who has access to your repository, including forks and CI runners that check it out
If you prefer not to store keys in git (even encrypted), alternatives:
- Password Manager: 1Password and Bitwarden have SSH agent support
- Hardware Key: a YubiKey can hold GPG/SSH keys, so the private key never leaves the device
- Cloud Storage: encrypt and upload to Dropbox/Drive separately
The ansible-vault method works great for teams or multiple personal machines! 🎉