Stop Sharing Secrets in Slack & Teams! Commit Them Safely Instead
Ever had that awkward moment when a new teammate joins and you need to share API_KEY_PROD over Teams? We've all been there, searching for the "least embarrassing" way to send secrets without leaving them in the chat history.
But what if I told you we could commit secrets directly to our codebase safely and securely?
The Problem with Traditional Secret Sharing
- Sharing via Slack/Teams leaves traces in chat history
- Email isn't secure for sensitive data
- Manual sharing doesn't scale with team growth
- Always worried about who has access to what
The Solution: SOPS + GPG Magic
SOPS (Secrets OPerationS) + GPG encryption = Git-native secret management that actually works!
Here's the genius part: SOPS encrypts only the values while keeping the keys readable. Your config files remain diff-able, auditable and version-controlled.
Before (raw secrets - DON'T DO THIS!)
```yaml
api_key: sk-prod-1234567890abcdef
database_password: super_secret_password
```
After (SOPS encrypted - SAFE!)
```yaml
api_key: ENC[AES256_GCM,data:v2svKtCydFchhEalpb5ptHM=,iv:kwjrP2JJ7yN8Z...]
database_password: ENC[AES256_GCM,data:qUfnJp7K3s0BLRfgLEKuog==,iv:4iIqV4DmoxrQ...]
```
How It Works (The Simple Version)
- Team members add their GPG keys to GitHub
- A new teammate requests access via Pull Request
- An admin runs an automated script to grant access
- Everyone can decrypt secrets locally with their own key
Real Implementation: Step by Step
I've built a working demo that shows exactly how this works. Let's walk through it:
Step 1: Setup Your GPG Key on GitHub
First, make sure GitHub knows your public GPG key:
- Go to GitHub Settings → SSH and GPG keys
- Generate a new GPG key if you don't have one
- Add your public key to GitHub
GitHub's GPG Guide
Step 2: Request Secret Access
Instead of asking for secrets in Slack, you simply:
- Clone the repository
- Add your GitHub username to .sops.yaml:
```yaml
creation_rules:
  - pgp: >-
      196e2fb0add1fa0ea00e377eb92cc7cd1b5275ca,d7d1ff182af9f304af01db8f15ef228052ff6d2f
    github:
      - prateek-wayne
      - ajayyadavcstech
      - your-username # <-- Add yourself here
```
- Create a Pull Request
That's it! No secret sharing required.
Step 3: Automated Admin Approval
The magic happens here. The admin runs a simple Node.js script that:
- Fetches public keys from GitHub profiles automatically
- Updates the encryption keys to include the new team member
- Re-encrypts all secrets with the combined team keys
```bash
cd tools
npm install
node index.js
```
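As an added example (not the demo repository's own tools/index.js), here is the key-merging core of such an admin script in Node.js. It assumes the caller has already downloaded https://github.com/&lt;user&gt;.gpg and listed it with `gpg --show-keys --with-colons`; the gpg listing below is constructed, and the network and gpg calls are left out so the logic runs offline.

```javascript
// Constructed sample: `gpg --show-keys --with-colons` output for a new
// teammate's key. The "fpr" record after "pub" is the primary-key fingerprint;
// the one after "sub" belongs to an encryption subkey.
const SAMPLE_GPG_COLONS = [
  "pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:",
  "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:",
  "uid:u::::1700000000::HASH::new-teammate <new@example.com>::::::::::0:",
  "sub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:",
  "fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:",
].join("\n");

// The fingerprints currently in .sops.yaml (taken from the post above).
const EXISTING = [
  "196e2fb0add1fa0ea00e377eb92cc7cd1b5275ca",
  "d7d1ff182af9f304af01db8f15ef228052ff6d2f",
];

// Extract only primary-key fingerprints: SOPS creation_rules want the key a
// recipient is identified by, not every subkey. Field 10 of an "fpr" record
// holds the 40-hex fingerprint; lower-case it to match the file's convention.
function extractFingerprints(colonsOutput) {
  const fprs = [];
  let afterPub = false;
  for (const line of colonsOutput.split("\n")) {
    const f = line.split(":");
    if (f[0] === "pub") afterPub = true;
    else if (f[0] === "sub") afterPub = false;
    else if (f[0] === "fpr" && afterPub) {
      const fpr = (f[9] || "").toLowerCase();
      if (/^[0-9a-f]{40}$/.test(fpr)) fprs.push(fpr);
      afterPub = false;
    }
  }
  return fprs;
}

// Merge without duplicates and keep the existing order so the PR diff is minimal.
function mergeFingerprints(existing, added) {
  const seen = new Set(existing.map((x) => x.toLowerCase()));
  const merged = [...seen];
  for (const x of added.map((y) => y.toLowerCase())) {
    if (!seen.has(x)) { seen.add(x); merged.push(x); }
  }
  return merged;
}

// Render the creation_rules block in the shape the post uses.
function renderSopsYaml(fingerprints, githubUsers) {
  const users = githubUsers.map((u) => `      - ${u}`).join("\n");
  return `creation_rules:\n  - pgp: >-\n      ${fingerprints.join(",")}\n    github:\n${users}\n`;
}

// Rewriting .sops.yaml is not enough: each encrypted file's data key must be
// re-wrapped for the new recipient, which is what `sops updatekeys` does.
function updateKeysCommand(file) {
  return ["sops", "updatekeys", "--yes", file];
}
```

The script then writes the rendered YAML back to .sops.yaml and runs `updateKeysCommand()` for every encrypted file before committing the result.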
Step 4: Decrypt Locally
Once your PR is merged, you can decrypt secrets locally:
```bash
# For .env files
./scripts/decrypt-env.sh
# For YAML configs
./scripts/decrypt-yaml.sh
```
The decrypted files are automatically Git-ignored, so they never accidentally get committed.
Why This Approach Rocks
- Security: values are encrypted with AES-256-GCM data keys that only the team's GPG keys can unwrap
- Auditability: full Git history of who had access and when
- Scalability: automated onboarding/offboarding
- Cost: completely free with existing tools
- Git-native: works with your existing workflow
Try It Yourself
I've created a complete working example that demonstrates this entire workflow:
Demo Repository
The repo includes:
- Sample encrypted .env and .yaml files
- Automated key synchronization scripts
- Cross-platform decryption scripts (Linux, macOS, Windows)
- Complete documentation
Conclusion: Embrace Git-Native Security
Stop sharing secrets over chat. Start treating them like code: version controlled, auditable, and secure.
Your future self (and your security team) will thank you!
What's your current approach to secret management? Have you tried SOPS before? Drop a comment below!

Top comments (2)
Great work