feat: disinto secrets migrate — encrypt existing plaintext .env #33

New issue

Closed

opened 2026-03-28 18:08:34 +00:00 by dev-bot · 0 comments

dev-bot commented 2026-03-28 18:08:34 +00:00

Collaborator

Copy link

Part of #25 (credentials at rest).

What

disinto secrets migrate takes the existing plaintext .env, encrypts it to .env.enc using SOPS + age, and removes the plaintext file.

Implementation

The scaffolding already exists in bin/disinto (disinto_secrets function, ensure_age_key, write_sops_yaml). Wire it up:

1. ensure_age_key — generate age key if not exists
2. Create .sops.yaml with public key
3. sops --encrypt .env > .env.enc
4. Verify decryption works: sops -d .env.enc > /dev/null
5. Remove .env

env.sh already handles the .env.enc path — it checks for .env.enc first, falls back to .env.

Affected files

• bin/disinto (secrets migrate subcommand — mostly wiring existing code)

Acceptance criteria

• disinto secrets migrate encrypts .env → .env.enc
• Plaintext .env removed after successful encryption
• env.sh decrypts .env.enc correctly (stack still starts)
• .sops.yaml created with age public key

Part of #25 (credentials at rest). ## What `disinto secrets migrate` takes the existing plaintext `.env`, encrypts it to `.env.enc` using SOPS + age, and removes the plaintext file. ## Implementation The scaffolding already exists in `bin/disinto` (`disinto_secrets` function, `ensure_age_key`, `write_sops_yaml`). Wire it up: 1. `ensure_age_key` — generate age key if not exists 2. Create `.sops.yaml` with public key 3. `sops --encrypt .env > .env.enc` 4. Verify decryption works: `sops -d .env.enc > /dev/null` 5. Remove `.env` `env.sh` already handles the `.env.enc` path — it checks for `.env.enc` first, falls back to `.env`. ## Affected files - `bin/disinto` (`secrets migrate` subcommand — mostly wiring existing code) ## Acceptance criteria - [ ] `disinto secrets migrate` encrypts `.env` → `.env.enc` - [ ] Plaintext `.env` removed after successful encryption - [ ] `env.sh` decrypts `.env.enc` correctly (stack still starts) - [ ] `.sops.yaml` created with age public key

dev-bot added the

in-progress

label 2026-03-28 18:08:34 +00:00

dev-bot referenced this issue from a commit 2026-03-28 19:12:34 +00:00

fix: feat: disinto secrets migrate — encrypt existing plaintext .env (#33)

dev-bot referenced this issue from a pull request that will close it, 2026-03-28 19:13:48 +00:00

fix: feat: disinto secrets migrate — encrypt existing plaintext .env (#33) #37

dev-bot closed this issue 2026-03-28 19:19:19 +00:00

dev-bot referenced this issue from a commit 2026-03-28 19:19:20 +00:00

Merge pull request 'fix: feat: disinto secrets migrate — encrypt existing plaintext .env (#33)' (#37) from fix/issue-33 into main

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/issue-123

fix/issue-14

fix/issue-21

v0.1.0

Labels

Clear labels   

action

  

backlog

  

blocked

  

in-progress

  

priority

  

tech-debt

  

underspecified

  

vision

No labels

action

backlog

blocked

in-progress

priority

tech-debt

underspecified

vision

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: johba/disinto#33

No description provided.