description: safely store server secrets
last change: Thu, 21 Dec 2017 10:53:07 +0000

regpg - safely store server secrets

The regpg program is a thin wrapper around gpg for looking after secrets that need to be stored encrypted in a version control system (so you don't have to trust the VCS server) and decrypted when your configuration management system deploys them to servers.



If you use regpg, let me know! Send me mail at

If you would like to submit a bug report or a patch, or if you would like more information about regpg's licence, see doc/


For a simple one-file install you can copy the regpg script to a directory on your $PATH.

You can run make install to install the script and man page to the standard places in your home directory. See the start of the Makefile for variables you can set on the command line to adjust the install location.


To use regpg you need the following programs. I've listed the versions that I have tested.

You only need the following programs if you use regpg's helper subcommands.


Download the single-file regpg perl script: and its GPG signature

Download the full source archives and GPG signatures:


You can clone or browse the repository from:


Thanks to Jon Warbrick who gave me the idea for regpg's key management; and David Carter, Ben Harris, Ian Lewis, and David McBride for helpful bug reports and discussions.

Written by Tony Finch
at Cambridge University Information Services.

regpg is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

regpg is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with regpg. If not, see

2017-12-21 Tony Finch regpg: note that gencrt key usage restrictions can... master
2017-12-20 Tony Finch regpg: auto-generate TLS private keys
2017-12-18 Tony Finch regpg-0.99.X
2017-12-18 Tony Finch regpg-0.99 regpg-0.99
2017-12-18 Tony Finch test: happy path tests for gencrt
2017-12-18 Tony Finch regpg: recommend gencrt always includes full issuer...
2017-12-18 Tony Finch test: tls.csr.conf -> tls.cnf
2017-12-18 Tony Finch regpg: better handling of X.509v3 extensions
2017-12-15 Tony Finch regpg: improve and simplify gencrt
2017-12-15 Tony Finch regpg: conventional extension for OpenSSL config files...
2017-12-15 Tony Finch regpg: super simple CA support
2017-12-13 Tony Finch ansible: use pre-_fixup_perms2() API for every 2.1...
2017-12-13 Tony Finch regpg-0.98.X
2017-12-13 Tony Finch regpg-0.98 regpg-0.98
2017-12-13 Tony Finch ansible: port to version 2.1.0 as well
2017-12-13 Tony Finch ansible: port to version
4 weeks ago regpg-0.99 regpg-0.99
5 weeks ago regpg-0.98 regpg-0.98
6 weeks ago regpg-0.97 regpg-0.97
6 weeks ago regpg-0.96 regpg-0.96
6 weeks ago regpg-0.95 regpg-0.95
7 weeks ago regpg-0.94 regpg-0.94
8 weeks ago regpg-0.93 regpg-0.93
8 weeks ago regpg-0.92 regpg-0.92
2 months ago regpg-0.91 regpg-0.91
2 months ago regpg-0.88 regpg-0.88
2 months ago regpg-0.80 regpg-0.80
2 months ago regpg-0.79 regpg-0.79
2 months ago regpg-0.78 regpg-0.78
2 months ago regpg-0.77 regpg-0.77
2 months ago regpg-0.73 regpg-0.73
3 months ago regpg-0.69 regpg-0.69
4 weeks ago master