Configuration management for remote server configs with secrets
Resolved 💬 2 comments Opened Dec 4, 2025 by shepelt Closed Dec 4, 2025
Problem
Managing configuration files on remote servers (e.g., Docker settings.json with API keys) without version control or backups. Need a solution that:
- Provides version history
- Enables backups
- Keeps secrets secure (not exposed in cloud)
Options
1. Git + git-crypt (encrypted secrets in repo)
- Encrypt sensitive files before pushing to remote
- Secrets stay encrypted in repo, decrypted locally with GPG key
- Pros: Full git workflow, safe for cloud, single source of truth
- Cons: Key management, team sharing requires GPG setup
git-crypt init
git-crypt add-gpg-user <key-id>
echo "settings-local.json filter=git-crypt diff=git-crypt" >> .gitattributes
2. Git + SOPS (Mozilla's Secrets OPerationS)
- Encrypts only the values, not keys (easier to diff)
- Supports age, GPG, AWS KMS, GCP KMS, Azure Key Vault
- Pros: Cloud KMS integration, readable diffs, widely adopted
- Cons: More complex setup
3. Git for structure + external secrets manager
- Store config templates with placeholders in git
- Pull secrets from 1Password CLI, HashiCorp Vault, Doppler, or Infisical at deploy time
- Pros: Centralized secret management, audit logs, rotation
- Cons: Runtime dependency, more infrastructure
4. Local git repo + encrypted backup
git initon server for version history- Back up encrypted tarball to NAS/cloud via rclone
- Pros: Simplest, no cloud exposure, works offline
- Cons: Manual backup process, no remote collaboration
5. Chezmoi (dotfile manager)
- Designed for config management across machines
- Built-in age/GPG encryption for secrets
- Pros: Purpose-built, templating support
- Cons: Learning curve, overkill for single-server
Recommendation
For single-server personal use: Option 4 (local git + rclone backup)
For multi-server or team use: Option 2 (SOPS with age encryption)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗