module 07 github publishing

Encrypt sensitive pages

System Text-to-Speech Ready
Slide: 0:00 / 0:00
Slide 1 of 0Interactive Deck

Full Lesson Reference

Anything you publish to a Pages repo is public by default - anyone with the link can see it. For pages with sensitive data (performance metrics, revenue, strategy, internal dashboards, client deliverables), you need password protection. This is called encryption.

If you're in-house, this covers executive dashboards, internal reports, strategy docs. If you're agency/freelance, this covers client deliverables. Same mechanism, different use case.

What encryption does

The encryption system

  1. Takes your source HTML from a public-encrypted/ folder
  2. Encrypts each file with AES-256 using a password derived from a master secret
  3. Outputs encrypted versions to public/ (which is what deploys)
  4. Without the password, visitors see an "access required" page and can't read anything
  5. With the password, the page unlocks and displays normally

Real encryption - not just a hidden layer. The content is genuinely unreadable without the key.

The two-folder pattern

Your Pages repo structure changes slightly

your-pages-repo/ ├── public-encrypted/ ← source HTML (you edit here) │ └── reports/ │ └── client-weekly.html ├── public/ ← encrypted output (auto-generated) │ └── reports/ │ └── client-weekly.html ← encrypted version, this is what deploys └── .env ← your master encryption secret (gitignored)

You ONLY edit files in public-encrypted/. The public/ folder is auto-generated.

Setting up encryption

One-time setup per repo. Tell Claude

Set up encryption in this repo. Create the public-encrypted/ folder structure, generate a master encryption secret, save it to .env, add .env to .gitignore, and set up the encryption script that runs on every commit.

Claude

  1. Creates the folder structure
  2. Generates a random master secret (via openssl)
  3. Saves it to .env (gitignored)
  4. Installs the StatiCrypt encryption tool
  5. Creates a pre-commit hook that encrypts automatically on every commit

You never have to run the encrypt command manually. Every commit encrypts.

How passwords work

One master secret → many unique passwords. The system uses HMAC-SHA256 to generate a unique password per file:

  • Same master secret + same file path = same password every time (consistent)
  • Different file path = different password (each file unlocked separately) This means you can tell one client the password for their report without accidentally giving them access to another client's content on the same domain.

Seeing passwords for files

Show me the passwords for all files in my public-encrypted folder.

Claude derives each password from your master secret + file path. Gives you the password list without needing to re-encrypt.

You copy the password for the specific file you're sharing with a specific client.

Client experience

Client clicks your URL. They see

  • A branded "Access Required" page
  • Password input field
  • "Keep me signed in" checkbox

They enter the password you gave them, the page loads, they read the report. Browser remembers the password if they tick "keep me signed in" - they don't have to re-enter on their next visit.

What to encrypt vs leave public

Encrypt

  • Performance reports (revenue, ROAS, conversion rates, spend)

  • Internal dashboards your team uses daily

  • Executive updates + board reports

  • Strategy documents

  • Audit findings (internal or client)

  • Proposals with pricing

  • Campaign briefs with competitive intel

  • Anything you wouldn't want a competitor or the public to see Leave public

  • Your personal portfolio

  • Marketing materials for your own services

  • Public case studies (with any sensitive numbers redacted)

  • Training materials + how-to content

  • Landing pages meant for everyone to see

If you lose the .env

The .env file contains your master secret. Lose it = all your file passwords change on next encryption. Anyone with access to your pages would need new passwords.

This is why .env is gitignored - to keep it off GitHub - but you should also back it up:

  • Save the master secret value in your password manager
  • OR sync your Pages repo folder to Dropbox/iCloud so .env is backed up alongside it

If you do lose it: tell Claude "the .env was lost, re-encrypt everything with a new master secret and give me the new password list". Then share the new passwords with whoever needs them (team, clients, stakeholders).

Sharing the passwords

How you share depends on who sees the page

  • Internal team - share the derived page password in Slack / Notion / wherever your team already communicates. Consider one shared password per workspace for convenience.
  • External stakeholders (clients, board members, partners) - share the password separately from the URL. Email the URL, DM the password. Never put both in the same message.
  • One-off viewers - generate a throwaway password, share, expire the content after the viewing window. Action items

☐ Tell Claude to set up encryption in your Pages repo (one-time)

☐ Back up the generated master secret to your password manager

☐ Test: build a report, commit, confirm it encrypts automatically, confirm the URL needs a password

☐ Know how to retrieve the password for any file via Claude

☐ Decide your encrypt vs public rules - write them into your Pages repo's CLAUDE.md

Next lesson: Keeping your repos clean.

Exercises

  1. Review the concepts covered in this lesson: Encrypt sensitive pages.
  2. Write down your key takeaway from this lesson.
  3. Practice running any commands or prompts mentioned above inside your terminal.