Add support for gpg symmetric encryption

README.md

@@ -20,6 +20,7 @@ Manage your dotfiles across multiple machines, securely.
 * [Quick start guide](docs/QUICKSTART.md) for your first steps.
 * [How-to guide](docs/HOWTO.md) for achieving specific tasks.
 * [FAQ](docs/FAQ.md) for questions that aren't answered elsewhere.
+* [Changes](docs/CHANGES.md) for non-backwards compatible changes.
 * [Reference](docs/REFERENCE.md) for a complete description of chezmoi.
 
 ## What does chezmoi do and why should I use it?

cmd/config.go

@@ -41,6 +41,7 @@ type Config struct {
 	DryRun            bool
 	Verbose           bool
 	Color             string
+	GPG               chezmoi.GPG
 	GPGRecipient      string
 	SourceVCS         sourceVCSConfig
 	Merge             mergeConfig
@@ -259,10 +260,11 @@ func (c *Config) getTargetState(fs vfs.FS) (*chezmoi.TargetState, error) {
 	for key, value := range c.Data {
 		data[key] = value
 	}
-	gpg := &chezmoi.GPG{
-		Recipient: c.GPGRecipient,
+	// For backwards compatibility, prioritize gpgRecipient over gpg.recipient.
+	if c.GPGRecipient != "" {
+		c.GPG.Recipient = c.GPGRecipient
 	}
-	ts := chezmoi.NewTargetState(c.DestDir, os.FileMode(c.Umask), c.SourceDir, data, c.templateFuncs, gpg)
+	ts := chezmoi.NewTargetState(c.DestDir, os.FileMode(c.Umask), c.SourceDir, data, c.templateFuncs, &c.GPG)
 	readOnlyFS := vfs.NewReadOnlyFS(fs)
 	if err := ts.Populate(readOnlyFS); err != nil {
 		return nil, err

docs/CHANGES.md

@@ -0,0 +1,20 @@
+# chezmoi Changes
+
+* [Upcoming](#upcoming)
+  * [`gpgRecipient` config variable changing to `gpg.recipient`](#gpgrecipient-config-variable-changing-to-gpgrecipient)
+
+## Upcoming
+
+### `gpgRecipient` config variable changing to `gpg.recipient`
+
+The `gpgRecipient` config varaible is changing to `gpg.recipient`. To update,
+change your config from:
+
+    gpgRecipient = "..."
+
+to:
+
+    [gpg]
+      recipient = "..."
+
+Support for the `gpgRecipient` config variable will be removed in version 2.0.0.

docs/HOWTO.md

@@ -216,23 +216,46 @@ function in your config files, for example:
 
 ### Use gpg to keep your secrets
 
-chezmoi supports encrypting individual files with [gpg](https://www.gnupg.org/).
+chezmoi supports encrypting files with [gpg](https://www.gnupg.org/). Encrypted
+files are stored in the source state and automatically be decrypted when
+generating the target state or printing a file's contents with `chezmoi cat`.
+`chezmoi edit` will transparently decrypt the file before editing and re-encrypt
+it afterwards.
+
+#### Asymmetric (private/public-key) encryption
+
 Specify the encryption key to use in your configuration file (`chezmoi.toml`)
-with the `gpgRecipient` key:
+with the `gpg.recipient` key:
 
-    gpgRecipient = "..."
+    [gpg]
+      recipient = "..."
 
 Add files to be encrypted with the `--encrypt` flag, for example:
 
     chezmoi add --encrypt ~/.ssh/id_rsa
 
-chezmoi will encrypt the file with
+chezmoi will encrypt the file with:
 
-    gpg --armor --recipient $gpgRecipient --encrypt
+    gpg --armor --recipient ${gpg.recipient} --encrypt
 
 and store the encrypted file in the source state. The file will automatically be
 decrypted when generating the target state.
 
+#### Symmetric encryption
+
+Specify symmetric encryption in your configuration file:
+
+    [gpg]
+      symmetric = true
+
+Add files to be encrypted with the `--encrypt` flag, for example:
+
+    chezmoi add --encrypt ~/.ssh/id_rsa
+
+chezmoi will encrypt the file with:
+
+    gpg --armor --symmetric
+
 ### Use KeePassXC to keep your secrets
 
 chezmoi includes support for [KeePassXC](https://keepassxc.org) using the

docs/REFERENCE.md

@@ -149,7 +149,8 @@ The following configuration variables are available:
 | `destDir`               | string   | `~`                       | Destination directory               |
 | `dryRun`                | boolean  | `false`                   | Dry run mode                        |
 | `genericSecret.command` | string   | none                      | Generic secret command              |
-| `gpgRecipient`          | string   | none                      | GPG recipient                       |
+| `gpg.recipient`         | string   | none                      | GPG recipient                       |
+| `gpg.symmetric`         | bool     | false                     | Use symmetric GPG encryption        |
 | `keepassxc.args`        | []string | none                      | Extra args to KeePassXC CLI command |
 | `keepassxc.command`     | string   | `keepassxc-cli`           | KeePassXC CLI command               |
 | `keepassxc.database`    | string   | none                      | KeePassXC database                  |

lib/chezmoi/gpg.go

@@ -10,6 +10,7 @@ import (
 // GPG interfaces with gpg.
 type GPG struct {
 	Recipient string
+	Symmetric bool
 }
 
 // Decrypt decrypts ciphertext. filename is used as a hint for naming temporary
@@ -63,10 +64,15 @@ func (g *GPG) Encrypt(filename string, plaintext []byte) ([]byte, error) {
 		"--output", outputFilename,
 		"--quiet",
 	}
-	if g.Recipient != "" {
-		args = append(args, "--recipient", g.Recipient)
+	if g.Symmetric {
+		args = append(args, "--symmetric")
+	} else {
+		if g.Recipient != "" {
+			args = append(args, "--recipient", g.Recipient)
+		}
+		args = append(args, "--encrypt")
 	}
-	args = append(args, "--encrypt", filename)
+	args = append(args, filename)
 	cmd := exec.Command("gpg", args...)
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout