
Get started using secrets

Secrets are stored in AWS Secrets Manager. You will need to be on-boarded to GovWifi’s AWS Staging and Production accounts in order to access these secrets.

Secrets Manager

Once you have access to the AWS console, navigate to the Secrets Manager service in AWS.

The relevant credentials are listed in the following format: <service>/<item>.

Previous credential configuration

Historically, secrets were stored in govwifi-build and were encrypted using GPG.

We maintain this documentation for some remaining sensitive data which aren’t critical to our Terraform or applications.

All shell commands assume you are running from within the govwifi-terraform repository since the govwifi-build repository is cloned in the .private directory of govwifi-terraform.


To use these secrets, you will need the Password Store tool installed on your machine.

You will also need an implementation of gpg installed. This will be installable under the name gnupg:

apt/brew/dnf/rpm/yum install gnupg

Getting access

Once you have installed the tools, you will need someone to re-encrypt the secrets with your public key.

Give someone your full key ID:

gpg --list-keys '<name>'

An example of a key ID is: 06D20CF70AC370DE72F49EDC992939FDD5C5144C

Please also ensure your public key is on a well-known keyserver:

We suggest and, as they are known to be reliable.

gpg --keyserver '<first keyserver>' --send-keys '<your key ID>'
gpg --keyserver '<second keyserver>' --send-keys '<your key ID>'

Giving Access

The new joiner must first send their GPG key ID to a current member of the team.

Once the key is received, all team members must use the receive-keys option to accept it and provide the key with ultimate trust:

key_id='<their key ID>'
gpg --keyserver '<keyserver>' --receive-keys "$key_id"
echo "${key_id}:6" | gpg --import-ownertrust

To on-board the new GPG key, navigate to the .private directory in the govwifi-terraform project.

Check out a new branch in .private:

$ git checkout -b onboarding_<NAME>_GPG_key

Append the new key to the .private/passwords/.gpg-id file:

echo "$key_id" >> '.private/passwords/.gpg-id'

Change directory to the root project (govwifi-terraform/), then re-encrypt the passwords from within the govwifi-terraform repo:

make rencrypt-passwords

Note: make commands can only be run from the root project directory.

Once the secrets have been re-encrypted, use git to commit and push the changes in the .private directory.

Raise a PR in the govwifi-build repo on GitHub. Ask another team member to test that the encryption has worked by checking out the PR branch and confirming they can decrypt the files using gpg -d.

New members

New members must import all the existing gpg keys that are stored.

To do this, read in all the keys in passwords/.gpg-id and import each one:

$ gpg --keyserver '<keyserver>' --receive-keys <key_id> && echo "<key_id>:6" | gpg --import-ownertrust
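
The import step above as a POSIX shell script, added here as an example and not part of GovWifi's own tooling: it reads passwords/.gpg-id, refuses any entry that is not a full 40-hex-digit fingerprint, and builds the ownertrust input in the "<key ID>:6" form used earlier on this page. The KEYSERVER environment variable, the function names and the script name are assumptions; the page does not name a keyserver.

```shell
#!/bin/sh
# Added example, not GovWifi tooling. KEYSERVER is an assumed environment
# variable (the page does not name a keyserver); set it before using --import.

# Print each .gpg-id entry as an upper-case 40-hex-digit fingerprint. Short or
# malformed IDs are reported on stderr and make the function return 1.
list_fingerprints() {
  lf_rc=0
  while IFS= read -r lf_line || [ -n "$lf_line" ]; do
    lf_fpr=$(printf '%s' "${lf_line%%#*}" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    [ -n "$lf_fpr" ] || continue            # blank line or comment
    case $lf_fpr in
      *[!0-9A-F]*) lf_ok=no ;;
      *) if [ "${#lf_fpr}" -eq 40 ]; then lf_ok=yes; else lf_ok=no; fi ;;
    esac
    if [ "$lf_ok" = yes ]; then printf '%s\n' "$lf_fpr"
    else echo "not a full fingerprint: $lf_fpr" >&2; lf_rc=1; fi
  done < "$1"
  return "$lf_rc"
}

# Emit "<fingerprint>:6" lines, the ultimate-trust form this page pipes to
# gpg --import-ownertrust. All-or-nothing: one bad entry yields no output.
ownertrust_lines() {
  ot_fprs=$(list_fingerprints "$1") || return 1
  [ -n "$ot_fprs" ] || return 0
  printf '%s\n' "$ot_fprs" | sed 's/$/:6/'
}

# Fetch every key by full fingerprint, check it reached the keyring, then trust.
import_team_keys() {
  [ -n "${KEYSERVER:-}" ] || { echo "set KEYSERVER first" >&2; return 1; }
  it_trust=$(ownertrust_lines "$1") || return 1
  for it_fpr in $(list_fingerprints "$1"); do
    gpg --keyserver "$KEYSERVER" --receive-keys "$it_fpr" || return 1
    gpg --list-keys "$it_fpr" >/dev/null || return 1
  done
  printf '%s\n' "$it_trust" | gpg --import-ownertrust
}

# Constructed sample .gpg-id: the page's example key ID, a comment, a short ID.
sample_gpg_id() {
  printf '%s\n' '06d20cf70ac370de72f49edc992939fdd5c5144c' '# new joiner' 'D5C5144C'
}

# Usage: sh import-team-keys.sh [--import] .private/passwords/.gpg-id
# Without --import this is a dry run that only prints the ownertrust lines.
if [ "${1:-}" = "--import" ]; then import_team_keys "$2"
elif [ -n "${1:-}" ]; then ownertrust_lines "$1"
fi
```

Run the dry run first and compare the printed fingerprints with what each team member reports from gpg --list-keys before granting trust with --import.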

Getting a secret

Throughout the documentation there will be references to specific secrets stored within the password store.

To read individual secrets, run the command:

PASSWORD_STORE_DIR=<password_store_dir> pass show <secret_name>


  1. <password_store_dir> is the path of the passwords directory of the govwifi-build repository on your local machine.

  2. <secret_name> is the path of the secret that you want to display. You can omit this to get a list of all secret paths.

For example, if you want to access the Staging Bastion SSH Key:

PASSWORD_STORE_DIR=.private/passwords pass show keys/govwifi-staging-bastion-key

Adding/Editing a secret

Use pass to edit your file for ease - you can be anywhere when you do this - the is the dir/file path from the

PASSWORD_STORE_DIR=<password_store_dir> pass edit <secret_name>


PASSWORD_STORE_DIR=~/govwifi-build/passwords pass edit your_secret.txt

Make your changes and save them. They will be re-encrypted automatically if all your gpg keys are up to date.

This page was last reviewed on 24 November 2022. It needs to be reviewed again on 24 May 2023 by the page owner #govwifi.