hugo-encrypt
is a golang port of Hugo Encryptor
hugo-encrypt
is a tool that encrpyts content in your Hugo posts. It uses AES-256-GCM to encrypt the contents of your posts, and inserts the necessary javascript code into the encrypted posts that decrypts the content after the correct passphrase has been entered.
P.S. due to the usage of WebCrypto API, hugo-encrypt only support secure content (ie. HTTPS), so unsecure content cannot call crypto.subtle
to decrypt post.
$ export HUGO_BLOG=/path/to/hugo/blog
Place shortcodes/encrypt.html
and other helper shortcodes provided in the shortcode directory of your blog:
$ mkdir -p $HUGO_BLOG/layouts/shortcodes
$ cp shortcodes/encrypt.* $HUGO_BLOG/layouts/shortcodes
Place required JavaScript assets/js/decrypt.js
in the assets directory of you blog:
$ mkdir -p $HUGO_BLOG/assets/js/
$ cp assets/js/decrypt.js $HUGO_BLOG/assets/js
Merge i18n translation files or add it to an existing language file. Remember to set language in your configuration.
$ cat i18n/en.toml >> $HUGO_BLOG/i18n/en-us.toml
$ cp -r i18n $HUGO_BLOG
Option A: Use prebuilt binary
-
For local usage: Download hugo-encrypt and run it
$ # If not in $PATH, add it first $ export PATH=/path/to/hugo-encrypt:$PATH $ $ hugo $ hugo-encrypt -sitePath $HUGO_BLOG/public
-
For CI/CD usage (Vercel etc.): Customize install command and build command
Install command: curl -L -o hugo-encrypt "https://github.com/BlockG-ws/hugo-encrypt/releases/download/v0.1.0/hugo-encrypt-linux-64" && chmod 755 hugo-encrypt Build command: hugo -D --gc && ./hugo-encrypt
Option B: Build it
-
Requirements: go 1.11+
-
Step 1: Install
hugo-encrypt
.(Optional) set the BINDIR to specify a custom install location (default: /usr/local/bin)
$ # export BINDIR=$HUGO_BLOG $ $ # Then build and install $ $ make $ make install
-
Step 2: Use hugo-encrypt to encrypt content
$ # If not in $PATH, add it first $ export PATH=/path/to/hugo-encrypt:$PATH $ $ hugo $ hugo-encrypt -sitePath $HUGO_BLOG/public
Option C: Use docker
-
Requirements: docker
$ hugo $ docker run -it --rm \ -v $HUGO_BLOG/public:/data/site \ chaosbunker/hugo-encrypt hugo-encrypt -sitePath /data/site`
After generating the site with hugo
and running hugo-encrypt
all the private posts in your public
directory are encrypted and the site can be published.
# hugo.toml
[params.encrypt]
password = "yourpassword"
hugo-encrypt
uses localStorage by default. This means the passphrase is permanently stored in the browser. By adding the encrypt.storage
param in your blog's config file you can set the storage method to sessionStorage.
# hugo.toml
[params.encrypt]
storage = "session" # or "local"
localStorage:
Once a visitor entered the correct passphrase the authorization status will not expire. The visitor can read the article until the passphrase has been changed or the browser cache is cleared.
sessionStorage:
Once a visitor entered the correct passphrase the authorization will expire after the browser is closed.
If no password is specified in the shortcode, the password set in your config file will be used. If no password is set at all, generation of html with hugo
fails.
---
title: "This Is An Encrypted Post"
---
This content is visible to anyone.
{{% encrypt "postspecificpassword" %}}
This content will be encrypted!
{{% /encrypt %}}
Use i18n to display content generated by hugo-Encrypt
in the language of your choice by setting the following param in your config file. Make sure to set the Param DefaultContentLanguage
and add the corresponding language file to the i18n folder.
[params]
DefaultContentLanguage = "en-us"
-
Remember to keep the source files of your encrypted posts private. Never push your blog directory into a public repository as the encryption happens after generating the html files with
hugo
. -
Remember to run
hugo-encrypt
after generating your site withhugo
to encrypt the posts you want to be passphrase-protected. You might want to use a shell script instead ofhugo
to take care of both steps:
#!/bin/bash
hugo --cleanDestinationDir
hugo-encrypt
- To prevent the accidental leaking of sensitive data, pay attention to whether the theme you used will output a summary or full text on the RSS xml file and alike pages.
- If so, check whether the encrypted content exists. In most cases, the content will be replaced by a single fixed sentence in these places.