twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Understanding encryption configuration #2433

Closed Allaman closed 2 years ago

Allaman commented 2 years ago

What exactly are you trying to do?

Set up chezmoi with age encryption, but it is unclear how to handle chezmoi.toml.

What have you tried so far?

Now I am struggling with how to handle chezmoi.toml. On a new machine without that config file, chezmoi will not work when running chezmoi apply. Adding the config to the repository is also not working, because chezmoi asks for encryption data before applying the config.

Also, how do I edit the encrypted secret? When running chezmoi edit, it opens my Neovim's netrw, and when I open the encrypted gitconfig it is still encrypted. My assumption was that chezmoi edit would decrypt files?

twpayne commented 2 years ago

Use a config file template to create a config file on a new machine automatically. You'll need to copy your age identity file manually.

chezmoi edit does transparently decrypt files for editing and re-encrypt them when you exit your editor. If it's not working as expected you can use the --debug flag to see exactly how chezmoi invokes your editor.
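A minimal sketch of such a config file template, added here as an illustration and not part of the reply above. It assumes the template is saved as `.chezmoi.toml.tmpl` in the root of the source directory and that the identity is copied to `~/.config/chezmoi/key.txt`; the recipient value is a placeholder for your own age public key.

```toml
# .chezmoi.toml.tmpl (lives in the source directory, so it is committed to the repo).
# Running `chezmoi init` on a new machine renders it to the local config file.

encryption = "age"

[age]
    # Private key: never committed. Copy it to this path by hand on each new
    # machine (assumed location) before running `chezmoi apply`.
    identity = "{{ .chezmoi.homeDir }}/.config/chezmoi/key.txt"

    # Public key: safe to keep in the repository. Placeholder, replace with the
    # "public key" value printed when the identity was generated.
    recipient = "age1-PLACEHOLDER-REPLACE-WITH-YOUR-PUBLIC-KEY"
```

Only the recipient (public key) belongs in the repository. The identity file is what decrypts every encrypted file in the source state, so keep it out of version control and readable only by your user.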

Allaman commented 2 years ago

Thanks @twpayne for your reply.

I completely overlooked this part of the documentation...

I misunderstood chezmoi edit in this case. After carefully reading the docs again, I noticed that the docs state chezmoi edit $FILE. Using this command decrypts the file. I am used to opening my whole dotfiles repo at once, so I did not think of specifying a file name explicitly and just ran chezmoi edit without arguments.