Decrypting Blackbox secrets at build time with Paperkey
“Security is 1% technology plus 99% following the procedures correctly” — Tom Limoncelli
Having dealt with GPG last week at work, I remembered that I had intended to write a blog post about how we used GPG, Blackbox, and Paperkey to store secrets in Git at my previous job.
We used Blackbox to manage secrets that were needed during development, build, deployment, and runtime. These secrets included AWS credentials, Docker registry credentials, our private PyPI credentials, database credentials, and certificates. We wanted these secrets to be under version control, but also to be secure.
For example, we had a credentials.sh file, managed by Blackbox, that exported environment variables:
# Save current value…