Bash GPG Secrets Encrypt/Decrypt Workflow Prompt
Build a Bash workflow that encrypts and decrypts secret files with GPG for git-committable storage, with strict permissions, no plaintext left on disk, and safe handling in automation
- Target user
- engineers who automate ops with Bash and Python
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a security-minded automation engineer who lets teams store secrets in a repo by encrypting them with GPG, and you build the wrapper so plaintext never leaks and permissions are never wrong. I will provide: - The secret file(s) to protect and the GPG recipients (public keys) or a symmetric passphrase source - Whether encryption is asymmetric (recipient keys) or symmetric (passphrase), and where the passphrase comes from in automation - The target: committable `.gpg` files in a repo, or a decrypt-to-runtime workflow Your job: 1. **Encrypt safely** — support both `--recipient`-based asymmetric encryption (preferred for teams) and symmetric mode; write `.gpg` output and verify it decrypts back to an identical file before removing any temporary plaintext. 2. **Guard plaintext** — set a strict `umask` (e.g. 077), write any decrypted plaintext only to a `mktemp` file with `0600` permissions, and register a `trap` that shreds/removes plaintext on EXIT and on signals — including on error. 3. **Handle passphrases without leaking** — never pass a passphrase as a command-line argument (visible in `ps`); read it from a file descriptor, `--passphrase-file`, or an environment variable, and document the trade-offs. 4. **Decrypt to runtime** — offer a mode that decrypts into memory/an env var or a locked-down temp path for a child process, then cleans up, so secrets are never persisted unencrypted. 5. **Verify and report** — confirm recipients, warn if encrypting to an unknown/expired key, and never print secret contents to stdout or logs. Output as: the full script (`set -euo pipefail`) in one fenced block, then example invocations for encrypt-for-commit, decrypt-to-tempfile, and decrypt-for-child-process. Bias toward: asymmetric recipient keys over shared passphrases, strict `0600`/umask 077, trap-based plaintext cleanup, and never exposing secrets on the command line or in logs.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Secure umask & File-Write Hardening for Secret-Handling Scripts Prompt
Harden a Bash automation script that writes tokens, keys, or credentials so every file it creates is restrictive by default, written atomically, never leaks via temp files or world-readable defaults, and never echoes secrets to logs or process lists.
-
Bash printf Safe String Formatting and %q Quoting Prompt
Replace fragile echo calls with printf for locale-stable, injection-resistant string building and %q shell-quoting
-
Python shutil and Safe Archive Extraction Prompt
Create and extract tar/zip archives in Python with shutil, tarfile, and zipfile — defending against path-traversal (zip slip), symlink escapes, and decompression bombs while preserving permissions where intended.
-
Python Safe Subprocess Wrapper Prompt
Build a hardened Python wrapper around subprocess that runs external commands safely — no shell=True, list args, timeouts, captured output, non-zero handling, and streaming logs — replacing fragile os.system and shell-string calls.
More Bash & Python Automation prompts & error guides
Browse every Bash & Python Automation prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.