yadm-encrypt
Encrypt files managed by yadm
TLDR
Encrypt files listed in the designated encrypt file
Create the necessary files and folders for encryption
SYNOPSIS
yadm encrypt [-r recipient]… [-p passphrase] [--recipients-file file] [pathspec …]
PARAMETERS
-r, --recipient RECIPIENT
Encrypt for specified GPG recipient(s); multiple allowed. Overrides config.
-p, --passphrase PASSPHRASE
Use passphrase for symmetric encryption (stdin if -). Insecure for scripts.
--recipients-file FILE
Read GPG recipients from FILE (one per line). Overrides config.
DESCRIPTION
The yadm encrypt subcommand securely encrypts files in a yadm-managed dotfile repository, enabling safe storage and sharing of sensitive data like API keys or passwords in Git. It supports two backends: GnuPG (GPG) for asymmetric encryption and age for modern key-based encryption.
yadm determines the backend via configuration variables such as yadm.gpg-recipient, yadm.gpg-recipients-file, or yadm.age-key. Upon execution, it replaces specified plaintext files with encrypted versions, appending .gpg or .age extensions, and deletes the originals. Encrypted files are git-compatible and can be decrypted later with yadm decrypt.
This workflow keeps secrets encrypted in the repository while allowing decryption on target machines that have access to the keys or passphrases. It suits multi-machine dotfile syncing without exposing plaintext. Always verify decryption before committing.
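An added example, not part of yadm or of this page's original text: a POSIX shell check that lists tracked paths matching the encrypt patterns, meaning secrets that would be committed in plaintext. The function names, the pattern format (one glob per line, `#` comments, `!` exclusions) and the sample paths are assumptions, and matching uses plain `case` globs rather than yadm's own globbing.

```shell
#!/bin/sh
# Added example (not yadm code): list tracked paths that match the encrypt
# patterns, i.e. secrets that would sit in the repository as plaintext.
# Assumed pattern format: one glob per line, '#' comments, '!' exclusions.
# Matching uses shell `case` globs, a simplification ('*' also crosses '/').

# find_plaintext_leaks PATTERNS_FILE TRACKED_FILE  (hypothetical helper name)
find_plaintext_leaks() {
    patterns_file=$1
    tracked_file=$2
    while IFS= read -r path || [ -n "$path" ]; do
        [ -n "$path" ] || continue
        hit=0
        # In this sketch a later pattern overrides an earlier one,
        # so an exclusion can clear a previous hit.
        while IFS= read -r pat || [ -n "$pat" ]; do
            case $pat in
                ''|'#'*) continue ;;
                '!'*) case $path in ${pat#\!}) hit=0 ;; esac ;;
                *)    case $path in $pat) hit=1 ;; esac ;;
            esac
        done < "$patterns_file"
        if [ "$hit" -eq 1 ]; then printf '%s\n' "$path"; fi
    done < "$tracked_file"
    return 0
}

# Constructed sample data: an encrypt list and a tracked-file listing.
demo_leak_check() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# secrets' '.ssh/*' '!.ssh/*.pub' '.config/api/*.token' \
        > "$dir/encrypt"
    printf '%s\n' '.bashrc' '.ssh/id_ed25519' '.ssh/id_ed25519.pub' \
        '.config/api/prod.token' > "$dir/tracked"
    find_plaintext_leaks "$dir/encrypt" "$dir/tracked"
    rm -rf "$dir"
}

demo_leak_check
```

Run before committing against a saved listing of tracked files (for example the output of `yadm ls-files`); every line it prints is a path to untrack before pushing.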
CAVEATS
Plaintext files are permanently deleted after encryption, so test yadm decrypt first. GPG or age must be installed and configured. Passphrase mode is unsuitable for automation: a passphrase stored in a script or passed on the command line is exposed to anyone who can read the script or the process list. Pathspecs must be repo-relative.
CONFIGURATION VARIABLES
Relies on yadm.gpg-recipient, yadm.gpg-recipients-file, yadm.age-key, or yadm.age-identity for defaults.
BACKEND SELECTION
GPG is used if any yadm.gpg-* variable is set; otherwise age is used, if available.
HISTORY
Introduced in early yadm versions (~2017) for GPG; age support added in yadm 3.0 (2020) by Trent Alexander, enhancing cross-platform secret management.
SEE ALSO
yadm(1), yadm-decrypt(1), gpg(1), age(1)


