waffl

Reputation: 5511

Set environment variables from gpg encrypted shell script?

I am trying to store some environment variables for S3 in an encrypted shell script (so these keys aren't stored unencrypted on my drive) like so:

export AWS_ACCESS_KEY_ID="example_key_id"
export AWS_SECRET_ACCESS_KEY="example_secret_access_key"

This is saved as a shell script setenv.sh which I've encrypted as setenv.sh.gpg.

I'm trying to run the script with eval $(gpg --decrypt ./setenv.sh.gpg), which decrypts the file but does not load the environment variables accordingly (a printenv confirms this).

I feel like it may have something to do with this question: Shell script to set environment variables

However, I've tried a number of different variations with source to no avail as I assume source expects a file and not the contents of a script.

How could I use a gpg encrypted shell script to set environment variables?

Upvotes: 2

Views: 4684

Answers (2)

RobinGower

Reputation: 958

In Zsh, you should just be able to call:

$(gpg --decrypt ./setenv.sh.gpg)

Or pop that line in a script then call that with . e.g.:

. decrypt-and-setenv.sh

This exports the env vars into your current shell and leaves the file encrypted.

Upvotes: 0

ouden

Reputation: 86

As the first commenter says, source <(gpg --decrypt ./setenv.sh.gpg) will accomplish what you're after. It should work in Zsh as well as bash.

N.B. Zsh also has =(...) for process substitution, but this will leave an unencrypted temp file lying around somewhere which defeats the purpose of using encryption. Stick to <(...) which uses a named pipe.

If the goal is to protect the credentials from the user using them, then this is futile. If, on the other hand, you want to protect the credentials in the event your laptop gets stolen, then there is some real protection here. It's a fairly common strategy to keep credentials encrypted on disk and load them into memory only when needed.

Given that your hard drive is encrypted, I'm not sure how much you'll gain from this. The only realistic benefit I can think of off the top of my head is if you keep unencrypted backups and they get stolen. Depending on how paranoid you are, it might or might not be worth the trouble.

Upvotes: 2
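An added example, not code from the question or either answer: a shell function that loads the decrypted exports into the current shell while keeping the plaintext in memory only. It uses eval "$(...)" rather than source <(...) so the decryption command's exit status can be checked (with a process substitution the shell cannot see whether gpg failed), and it refuses any line that is not a plain export NAME=VALUE, so a swapped or tampered file cannot run arbitrary commands. The decrypt command is passed as arguments (e.g. gpg --quiet --batch --decrypt ./setenv.sh.gpg); the function name and the filter pattern are this example's own.

```shell
#!/usr/bin/env bash
# Added example: load "export NAME=VALUE" lines produced by a decryption
# command into the current shell.  Works in bash and POSIX sh.
# Usage:  load_encrypted_env gpg --quiet --batch --decrypt ./setenv.sh.gpg

load_encrypted_env() {
    plaintext=
    # Decrypt into a shell variable (memory), never into a temp file, and
    # stop if the decrypt command fails so nothing half-loaded is evaluated.
    plaintext=$("$@") || {
        status=$?
        printf 'decryption failed (exit %d); no variables loaded\n' "$status" >&2
        return "$status"
    }

    # Accept only: export NAME="literal" (no $, backtick or backslash inside),
    # export NAME=safe_token, blank lines, and # comments.  Anything else
    # (a command, a $(...) substitution in a value) aborts before eval.
    pattern='^export [A-Za-z_][A-Za-z0-9_]*=("[^"$`\\]*"|[A-Za-z0-9_./:+@%=-]*)$|^[[:space:]]*(#.*)?$'
    if printf '%s\n' "$plaintext" | grep -Ev "$pattern" >/dev/null; then
        printf 'refusing to load: file contains lines other than export NAME=VALUE\n' >&2
        return 1
    fi

    # Quoted eval keeps one statement per line; runs in the caller's shell.
    eval "$plaintext"
}
```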
