yadm-decrypt
Decrypt files managed by yadm
TLDR
Decrypt files
SYNOPSIS
yadm decrypt [OPTIONS] [PATH...]
PARAMETERS
-f, --force
Overwrite existing decrypted files without prompting for confirmation. This can be useful for automated scripts or when you are certain you want to replace any current plain-text versions.
-v, --verbose
Increase verbosity, providing more detailed output about the decryption process, such as which files are being decrypted and messages from the underlying encryption backend.
--all
Decrypt all files that are currently marked as encrypted within the yadm repository. This option overrides any specific PATH arguments and ensures all sensitive files are brought into their plain-text state.
[PATH...]
Optional. Specifies one or more paths to files or directories that yadm should attempt to decrypt. If no paths are provided, yadm-decrypt typically acts on files that are known to be encrypted within the current repository state, or all if --all is used.
DESCRIPTION
yadm-decrypt is a core subcommand of yadm, the powerful dotfiles manager, designed to reverse the encryption applied by yadm-encrypt. It provides a seamless way to access sensitive dotfiles and configurations that are stored in an encrypted state within your yadm repository.
When run, yadm-decrypt identifies files previously marked for encryption and uses the configured backend (typically git-crypt or gpg) to turn their cipher-text back into plain-text content within your working directory. Your sensitive information stays encrypted in version control while remaining available when your system needs it. The command supports selective decryption of specific files by path, or bulk decryption of all encrypted files, so it fits both targeted and whole-repository use. This matters when managing secrets like API keys or private configurations within a publicly accessible or shared repository.
CAVEATS
Decryption Key/Passphrase: For decryption to succeed, the correct decryption key or passphrase must be accessible to the configured encryption backend (either git-crypt or gpg). Without it, files cannot be decrypted.
Backend Installation: The chosen encryption backend must be correctly installed and configured on the system. If the backend is missing or misconfigured, yadm-decrypt will fail.
File State: yadm-decrypt operates only on files that yadm recognizes as encrypted. It cannot decrypt arbitrary files that were not encrypted via yadm.
Security Considerations: While yadm facilitates encryption, the ultimate security relies on the robustness of the underlying backend and the protection of your decryption keys/passphrases.
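Because decryption leaves plain-text copies in the working directory, a post-decryption check is useful. The following shell snippet is an added example, not part of yadm or of the original page: it flags decrypted files that are missing, are symlinks, or grant any permission to group or other. The function names and sample file names are hypothetical, and the paths to audit are supplied by the caller.

```shell
#!/bin/sh
# Added example (not yadm code): audit plain-text files left behind by decryption.
# Prints "<STATUS> <path>" per argument and returns 1 if any path is not OK.
#   OK       only the owner has permissions on the file
#   EXPOSED  group or other has at least one permission bit set
#   MISSING  path does not exist (decryption may not have produced it)
#   SYMLINK  path is a symlink, so the secret may live somewhere unexpected
audit_decrypted() {
    _rc=0
    for _f in "$@"; do
        if [ -L "$_f" ]; then
            echo "SYMLINK $_f"; _rc=1
        elif [ ! -e "$_f" ]; then
            echo "MISSING $_f"; _rc=1
        else
            # Characters 5-10 of the ls mode string are the group/other bits.
            _bits=$(ls -ld -- "$_f" | cut -c5-10)
            if [ "$_bits" = "------" ]; then
                echo "OK $_f"
            else
                echo "EXPOSED $_f"; _rc=1
            fi
        fi
    done
    return $_rc
}

# Constructed demo: two empty stand-in files created under different umasks.
demo_audit() {
    _d=$(mktemp -d) || return 1
    ( umask 022; : > "$_d/api_token" )   # typical default umask, mode 0644
    ( umask 077; : > "$_d/netrc" )       # restrictive umask, mode 0600
    audit_decrypted "$_d/api_token" "$_d/netrc" "$_d/not_decrypted"
    _status=$?
    rm -rf "$_d"
    return $_status
}

if [ "${1:-}" = "--demo" ]; then
    demo_audit
fi
```

Files reported as EXPOSED can be tightened with chmod go-rwx before anything else on the system reads them.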
ENCRYPTION BACKEND
yadm supports different encryption backends, primarily git-crypt and gpg. The specific backend used for encryption and decryption is configured via the yadm configuration, typically set using yadm config local.encryption.program. yadm-decrypt automatically detects and uses the appropriate backend for the files it's processing.
PATH RESOLUTION
When specific PATH arguments are provided, yadm-decrypt interprets these paths relative to the root of your yadm repository. This allows for precise control over which encrypted files are targeted for decryption.
HISTORY
yadm (Yet Another Dotfiles Manager) was developed to provide a robust, Git-based solution for managing dotfiles, aiming to overcome limitations of simpler methods like bare Git repositories. The inclusion of encryption capabilities, accessible via commands like yadm-encrypt and yadm-decrypt, addressed a critical need for securely storing sensitive configuration data (e.g., API keys, private credentials) alongside public dotfiles.
This feature leverages established cryptographic tools such as git-crypt and gpg, rather than implementing new encryption algorithms, ensuring strong and tested security. The development focus was on providing a seamless interface within the yadm workflow, allowing users to easily toggle the encrypted state of files without manual interaction with the backend tools. This integration has been a key factor in yadm's popularity for securely managing complex dotfile environments.
SEE ALSO
yadm(1), yadm-encrypt(1), git-crypt(1), gpg(1)