STD-006: Secrets Handling

Secrets are inviolable. Never decrypt .age files programmatically, read ~/.secrets/, execute age -d in automation, or surface any credential value. Document paths; never reveal values.

Presence, not content. Validation checks verify that secrets EXIST and are ACCESSIBLE. They MUST NOT print, log, or display secret values.

Each machine owns its keys. Private keys MUST NOT be shared across machines. Each workstation gets its own keypair, its own Vault cert, its own gopass clone.

Encrypted at rest. Secrets not actively in use MUST be encrypted. Use gocryptfs for credential vaults, age for file encryption, LUKS for disk encryption.

Credentials, tokens, API keys, and secret values MUST NOT appear in any .adoc document, commit message, or log output. Redact with <REDACTED>.

gopass store paths and Vault policy names are acceptable to document. Secret values stored within them are not.

Private keys (~/.ssh/id_*, ~/.gnupg/, ~/.age/identities) MUST NOT be committed to any git repository.

Each workstation MUST have its own SSH keypair, GPG key, and EAP-TLS certificate. Never copy private keys between machines.

gocryptfs vaults MUST be unmounted when not in active use. Sensitive tooling (Claude Code config, gh CLI tokens) SHOULD be symlinked from the mounted vault.

After rsync’ing ~/.gnupg/ to a new machine, GPG lock files MUST be cleared and gpg-agent restarted before use. Lock files contain source machine PIDs.

After gopass bootstrap on a new machine, gopass config MUST be verified to show the correct root store path.

SSH config containing hostnames and connection details MUST be age-encrypted before committing: age -e -R ~/.age/recipients/self.txt.