Secrets
=======

A big part of making deployments "single command" is providing a secure and convenient way to deal with secrets (passwords, certificates, keys).

In addition to overriding top-level component attributes per environment you can also override from encrypted files (also per environment).

This is based on `GnuPG <http://www.gnupg.org/index.de.html>`_ and the
:command:`gpg` binary must be on your path and configured correctly.

Assume the following component and environment:

:file:`components/myapp/component.py`

.. code-block:: python

    from batou.component import Component


    class MyApp(Component):

        domain = 'www.example.com'
        # Placeholder: the real value comes from the encrypted secrets file.
        password = None

:file:`environments/staging.cfg`

.. code-block:: ini

    [environment]
    branch = staging

    [component:myapp]
    domain = 'staging.example.com'

batou provides a wrapper command to edit secrets for an environment:

.. code-block:: bash

    $ ./batou secrets staging

The :command:`secrets` sub-command expects your :envvar:`EDITOR`
to be set and will try hard to avoid you accidentally checking in the
unencrypted copy of the secrets file.

The secrets are given as config files, similar to the environment configuration.
They contain one section to control who is allowed to decrypt the file.

Keys can be given by email address or key ID - batou does not interpret them
and passes them straight to GnuPG.

.. code-block:: ini

    [batou]
    members = myemail@example.com, AF49DEH3

    [myapp]
    password = verysecret
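
The following is an added example, not batou's own code: it parses a secrets
file of the shape shown above into GnuPG recipients and per-component
overrides, builds an illustrative :command:`gpg` invocation for those
recipients (batou's actual command line is an assumption here), and adds a
simple pre-commit style check that a file looks encrypted before it is checked
in. The sample secrets content is constructed.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the secrets-file format shown above (hypothetical values).
SAMPLE_SECRETS = """\
[batou]
members = myemail@example.com, AF49DEH3

[myapp]
password = verysecret
"""


def parse_secrets(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Split a secrets file into GnuPG recipients and per-component overrides.

    [batou] members lists who may decrypt; every other section is a component
    whose keys override its attributes, like an environment .cfg does.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    members = [m.strip() for m in parser.get("batou", "members").split(",") if m.strip()]
    overrides = {
        section: dict(parser.items(section))
        for section in parser.sections()
        if section != "batou"
    }
    return members, overrides


def gpg_encrypt_argv(members: List[str], plaintext_path: str, output_path: str) -> List[str]:
    """Build a gpg command that encrypts to every member (assumed invocation).

    Recipients are passed through untouched, whether email address or key ID.
    """
    argv = ["gpg", "--batch", "--yes", "--output", output_path]
    for member in members:
        argv += ["--recipient", member]
    argv += ["--encrypt", plaintext_path]
    return argv


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: ASCII-armored PGP message or binary OpenPGP packet?

    The first byte of a binary OpenPGP packet has its top bit set; a plaintext
    .cfg starting with '[' does not. Non-ASCII text can still fool this check.
    """
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    return len(data) > 0 and (data[0] & 0x80) == 0x80
```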

Interaction with remote deployments
-----------------------------------

Remote machines do not need to have GPG installed and configured: the remote
runner will decrypt the secrets locally and pass them, together with the
environment overrides, through the SSH channel to the remotes.
