The Arkindex CLI has commands to manage secrets encrypted using GPG. Those secrets can be used to replace Arkindex secrets when running workers locally.
To manage local secrets, you will need the following:
Secret editing works by decrypting, letting you type text, and re-encrypting. The secret only remains unencrypted when you are editing it. To allow this, the CLI needs to know about your editor.
Add export EDITOR=<editor>
to your shell's startup script
(~/.bashrc
, ~/.profile
, ~/.zshrc
, …), where <editor>
is the command
the CLI should run to open your editor.
For example, export EDITOR=vim
will make the CLI use Vim,
and export EDITOR=gedit
will make it use gedit.
If you do not have a GPG key already, you will need one.
You can follow the "Set Up GPG Keys" section of DigitalOcean's tutorial on GPG to get started with GPG.
With the CLI and a GPG key ready, you can now start managing local secrets.
On your first attempt to create or edit a secret, you will be prompted for your GPG key. On subsequent attempts, you may be prompted for your GPG key's password if you have configured one. The CLI will then handle encrypting by itself.
arkindex secrets <name>
, where <name>
is the name of your secret.arkindex secrets <name>
, where <name>
is the name of your secret.Deleting local secrets is not implemented in the CLI itself, but can be done using the filesystem.
~/.config/arkindex/secrets/
.This section describes common error resolutions and maintenance actions related to secret encryption.
When saving a secret, the CLI shows the following error:
Encryption failed: invalid recipient
You will need to make sure that your GPG key's trust level is set to ultimate
.
Run gpg --list-secret-keys
.
You will get an output similar to the following:
/home/someone/.gnupg/pubring.kbx
---------------------------------
sec rsa4096 2021-01-01 [SC]
49EFBE4895CD1C4A3EDBA0D32E8A40B5FD3ACE4F
uid [ unknown ] Arkindex <someone@example.com>
ssb rsa4096 2021-01-01 [E]
Run gpg --edit-key <KEY_ID>
where <KEY_ID>
is the 40-character key
identifier for your key. In the example above, the identifier would be
49EFBE4895CDC4A3EDBA0D32EDA40B5FD3ACE4B
.
Type trust
to edit the trust level and hit Enter.
Type 5
to set to ultimate
and hit Enter.
Type save
to save the changes and hit Enter.
If you picked the wrong key, lost the key, or have any other reason to use another GPG key, you will need to update the CLI's configuration file to get it to ask you for another key.
Clone your CLI's configuration file, located by default at
~/.config/arkindex/cli.yaml
, to back it up:
cp ~/.config/arkindex/cli.yaml ~/.config/arkindex/cli.yaml.bak
Open your CLI's configuration file in a text editor.
Remove the line starting with gpg_key:
.
Save the file.
Add a new secret using the CLI. You will be prompted for another key.