encrypted_ attribute and are automatically decrypted when needed.
Adding Encrypted Files
Add files to be encrypted with the --encrypt flag:
The encrypted copy is stored in your source directory (by default ~/.local/share/chezmoi).
Editing Encrypted Files
chezmoi edit will transparently decrypt the file before editing and re-encrypt it afterwards:
Template Functions
chezmoi provides template functions for encrypting and decrypting data within templates:
encrypt
Encrypts plaintext data using your configured encryption method:
decrypt
Decrypts ciphertext data:
Supported Encryption Methods
chezmoi supports several encryption methods:
age
Modern encryption tool with simple key management
gpg
Traditional GPG/PGP encryption with asymmetric keys
Choosing an Encryption Method
Configure your preferred encryption method in ~/.config/chezmoi/chezmoi.toml:
How It Works
When you add an encrypted file:
- chezmoi encrypts the file content using your configured encryption method
- The encrypted content is stored with the encrypted_ prefix in the filename
- When applying your dotfiles, chezmoi automatically decrypts the file
- The decrypted content is written to the target location
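The following script is an added example and is not part of the chezmoi documentation or the chezmoi project itself. It ties together the sections above: it writes a chezmoi.toml that selects age (the encryption, age.identity and age.recipient keys are real configuration keys; the paths and the key values are assumptions), runs the add / edit / verify / apply cycle for one file, and then audits the source directory so that every file carrying the encrypted_ prefix can be shown to contain ciphertext rather than a secret that was accidentally stored in the clear. The ciphertext_kind check relies on the public text headers of age and PGP armor only; binary GnuPG output has no such header and is reported as unknown.

```shell
#!/bin/sh
# Added example, not taken from the chezmoi documentation: select age as the
# encryption method, run the add / edit / verify / apply cycle, and audit the
# source directory so that every encrypted_ file really contains ciphertext.
# Paths, key values and the sample file names below are assumptions.
set -eu

# Write a chezmoi.toml that selects age. "identity" is the age private key
# (keep it outside the source directory), "recipient" the matching public key.
write_age_config() {
  cfg_dir=$1        # normally ~/.config/chezmoi
  identity=$2       # normally ~/.config/chezmoi/key.txt
  recipient=$3      # an age1... public key
  mkdir -p "$cfg_dir"
  cat >"$cfg_dir/chezmoi.toml" <<EOF
encryption = "age"

[age]
    identity = "$identity"
    recipient = "$recipient"
EOF
}

# Full cycle for one target file: add it encrypted, edit it (chezmoi decrypts
# and re-encrypts transparently), prove it can still be decrypted with
# "chezmoi cat", and only then apply it to the target location.
encrypt_workflow() {
  target=$1                          # e.g. ~/.ssh/id_ed25519
  chezmoi add --encrypt "$target"    # stored as encrypted_... in the source dir
  chezmoi edit "$target"
  chezmoi cat "$target" >/dev/null   # fails if the ciphertext cannot be decrypted
  chezmoi apply "$target"
}

# Classify a source file by its leading bytes: age (binary or armored), PGP
# armor, or unknown. Binary GnuPG output has no text header and shows up as
# unknown, so treat "unknown" as "inspect by hand", not as proof of plaintext.
ciphertext_kind() {
  lead=$(head -c 40 "$1" | LC_ALL=C tr -cd '[:print:]')
  case $lead in
    age-encryption.org/v1*)                echo age ;;
    "-----BEGIN AGE ENCRYPTED FILE-----"*) echo age ;;
    "-----BEGIN PGP MESSAGE-----"*)        echo pgp ;;
    *)                                     echo unknown ;;
  esac
}

# List every encrypted_ file under a source directory with its kind, so a
# plaintext secret that was renamed by hand instead of added with --encrypt,
# or a file whose encryption silently failed, stands out as "unknown".
audit_encrypted_sources() {
  find "$1" -type f -name '*encrypted_*' | sort | while read -r f; do
    printf '%s %s\n' "$(ciphertext_kind "$f")" "$f"
  done
}

# Interactive use (requires chezmoi and an age key pair); the recipient value
# below is a placeholder, not a real key.
if [ "${CHEZMOI_DEMO:-}" = 1 ]; then
  write_age_config "$HOME/.config/chezmoi" "$HOME/.config/chezmoi/key.txt" \
                   "age1PUBLICKEYPLACEHOLDER"
  encrypt_workflow "$HOME/.ssh/id_ed25519"
  audit_encrypted_sources "$(chezmoi source-path)"
fi
```

Run it with CHEZMOI_DEMO=1 to execute the cycle against your own machine; without that variable it only defines the functions, so the audit can also be sourced from a pre-commit hook and run as audit_encrypted_sources "$(chezmoi source-path)" before the source directory is pushed anywhere.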
Best Practices
- Keep your keys secure: Store encryption keys outside of your chezmoi source directory
- Use different keys per machine: For sensitive environments, use machine-specific encryption keys
- Test decryption: Verify you can decrypt files before removing the originals
- Backup your keys: Without your encryption keys, your encrypted files cannot be recovered
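As an added example (not from the chezmoi project), the script below turns the first two practices into checks that can run from a shell or a pre-commit hook: the identity (private key) file must be readable only by its owner, and it must not sit inside the source directory, where it would be committed next to the ciphertext it protects. The default paths under ~/.config/chezmoi and ~/.local/share/chezmoi are assumptions, as is the key file name.

```shell
#!/bin/sh
# Added example, not from the chezmoi documentation: checks for the "keep your
# keys secure" and "store keys outside the source directory" practices above.
# The key and source-directory paths are arguments; the defaults are assumptions.
set -eu

# The identity (private key) file must not be readable by group or others.
# "ls -ld" is used instead of stat because stat's flags differ between GNU
# and BSD; columns 5-10 of the mode string are the group and other bits.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# Resolve both paths (following symlinks) and confirm the key does not live
# inside the source directory, where it would be committed alongside the
# ciphertext it protects.
key_outside_source() {
  key_dir=$(cd "$(dirname "$1")" && pwd -P)
  src_dir=$(cd "$2" && pwd -P)
  case "$key_dir/$(basename "$1")" in
    "$src_dir"/*) return 1 ;;
    *)            return 0 ;;
  esac
}

# Run both checks and report; returns non-zero if either fails so the script
# can gate a pre-commit hook or a wrapper around "chezmoi apply".
check_key_hygiene() {
  key=$1
  src=$2
  rc=0
  if [ ! -f "$key" ]; then
    echo "missing: $key (without the key the encrypted files cannot be recovered)"
    return 1
  fi
  if key_is_private "$key"; then
    echo "ok: $key is readable only by its owner"
  else
    echo "fix: chmod 600 $key (group/other can read the private key)"
    rc=1
  fi
  if key_outside_source "$key" "$src"; then
    echo "ok: $key is outside the source directory $src"
  else
    echo "fix: move $key out of $src (it would be committed with the dotfiles)"
    rc=1
  fi
  return $rc
}

# Interactive use, with chezmoi's default locations as assumed defaults:
if [ "${CHEZMOI_DEMO:-}" = 1 ]; then
  check_key_hygiene "${CHEZMOI_KEY:-$HOME/.config/chezmoi/key.txt}" \
                    "${CHEZMOI_SOURCE:-$HOME/.local/share/chezmoi}"
fi
```

Set CHEZMOI_DEMO=1 (and CHEZMOI_KEY / CHEZMOI_SOURCE if your paths differ) to run the report; the non-zero exit status on any "fix:" line is what makes it usable as a gate. The missing-key case is reported separately because it maps to the last practice above: a lost identity file means the encrypted files cannot be recovered.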
Common Use Cases
SSH Keys
API Tokens
Store API tokens in an encrypted file:
Certificates
Next Steps
Configure age
Set up modern encryption with age
Configure GPG
Set up traditional GPG encryption