pluralsh · maciaszczykm · Feb 11, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
@@ -148,7 +148,7 @@ func (p *Plural) backupCommands() []cli.Command {
 		{
 			Name:   "create",
 			Usage:  "creates a backup for your current key",
-			Action: common.Affirmed(p.createBackup, common.BackupMsg, "PLURAL_BACKUPS_CREATE"),
+			Action: common.Affirmed(p.createBackup, "Would you like to back up your repo encryption key to plural?  If you chose to manage it yourself, you can find it at ~/.plural/key", "PLURAL_BACKUPS_CREATE"),
 		},
 		{
 			Name:      "restore",
@@ -159,7 +159,7 @@ func (p *Plural) backupCommands() []cli.Command {
 	}
 }
 
-func handleEncrypt(c *cli.Context) error {
+func handleEncrypt(_ *cli.Context) error {
 	data, err := io.ReadAll(os.Stdin)
 	if bytes.HasPrefix(data, prefix) {
 		_, err := os.Stdout.Write(data)
@@ -237,27 +237,6 @@ func handleDecrypt(c *cli.Context) error {
 	return nil
 }
 
-// CheckGitCrypt method checks if the .gitattributes and .gitignore files exist and have desired content.
-// Some old repos can have fewer files to encrypt and must be updated.
-func CheckGitCrypt(c *cli.Context) error {
-	if !utils.Exists(common.GitAttributesFile) || !utils.Exists(common.GitIgnoreFile) {
-		return common.CryptoInit(c)
-	}
-	toCompare := map[string]string{common.GitAttributesFile: common.Gitattributes, common.GitIgnoreFile: common.Gitignore}
-
-	for file, content := range toCompare {
-		equal, err := utils.CompareFileContent(file, content)
-		if err != nil {
-			return err
-		}
-		if !equal {
-			return common.CryptoInit(c)
-		}
-	}
-
-	return nil
-}
-
 func (p *Plural) handleCryptoShare(c *cli.Context) error {
 	p.InitPluralClient()
 	emails := c.StringSlice("email")
@@ -284,7 +263,7 @@ func (p *Plural) handleSetupKeys(c *cli.Context) error {
 	return nil
 }
 
-func exportKey(c *cli.Context) error {
+func exportKey(_ *cli.Context) error {
 	key, err := crypto.Materialize()
 	if err != nil {
 		return err
@@ -300,7 +279,7 @@ func exportKey(c *cli.Context) error {
 	return nil
 }
 
-func importKey(c *cli.Context) error {
+func importKey(_ *cli.Context) error {
 	data, err := io.ReadAll(os.Stdin)
 	if err != nil {
 		return err
@@ -331,7 +310,7 @@ func randString(c *cli.Context) error {
 	return nil
 }
 
-func handleKeygen(c *cli.Context) error {
+func handleKeygen(_ *cli.Context) error {
 	path, err := homedir.Expand("~/.ssh")
 	if err != nil {
 		return err
@@ -369,7 +348,7 @@ func handleKeygen(c *cli.Context) error {
 	return nil
 }
 
-func (p *Plural) handleRecover(c *cli.Context) error {
+func (p *Plural) handleRecover(_ *cli.Context) error {
 	if err := p.InitKube(); err != nil {
 		return err
 	}
@@ -398,7 +377,7 @@ func (p *Plural) handleRecover(c *cli.Context) error {
 	return nil
 }
 
-func (p *Plural) listBackups(c *cli.Context) error {
+func (p *Plural) listBackups(_ *cli.Context) error {
 	p.InitPluralClient()
 
 	backups, err := p.ListKeyBackups()
@@ -412,7 +391,7 @@ func (p *Plural) listBackups(c *cli.Context) error {
 	})
 }
 
-func (p *Plural) createBackup(c *cli.Context) error {
+func (p *Plural) createBackup(_ *cli.Context) error {
 	p.InitPluralClient()
 	return crypto.BackupKey(p.Client)
 }

@@ -6,7 +6,6 @@ import (
 	"path"
 	"testing"
 
-	"github.com/pluralsh/plural-cli/cmd/command/crypto"
 	pluralclient "github.com/pluralsh/plural-cli/pkg/client"
 	"github.com/pluralsh/plural-cli/pkg/common"
 
@@ -15,11 +14,9 @@ import (
 	"github.com/pluralsh/plural-cli/pkg/config"
 	pluraltest "github.com/pluralsh/plural-cli/pkg/test"
 	"github.com/pluralsh/plural-cli/pkg/test/mocks"
-	"github.com/pluralsh/plural-cli/pkg/utils"
 	"github.com/pluralsh/plural-cli/pkg/utils/git"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
-	"github.com/urfave/cli"
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -261,76 +258,6 @@ func TestRecover(t *testing.T) {
 	}
 }
 
-func TestCheckGitCrypt(t *testing.T) {
-	tests := []struct {
-		name        string
-		createFiles bool
-	}{
-		{
-			name: "test when .gitattributes and .gitignore don't exist",
-		},
-		{
-			name:        "test when .gitattributes and .gitignore exist with the wrong content",
-			createFiles: true,
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			// create temp environment
-			currentDir, err := os.Getwd()
-			assert.NoError(t, err)
-			dir, err := os.MkdirTemp("", "config")
-			assert.NoError(t, err)
-			defer func(path, currentDir string) {
-				_ = os.RemoveAll(path)
-				_ = os.Chdir(currentDir)
-			}(dir, currentDir)
-			os.Setenv("HOME", dir)
-			defer os.Unsetenv("HOME")
-			defaultConfig := pluraltest.GenDefaultConfig()
-			err = defaultConfig.Save(config.ConfigName)
-			assert.NoError(t, err)
-			err = os.WriteFile(path.Join(dir, ".plural", "key"), []byte("key: abc"), 0644)
-			assert.NoError(t, err)
-
-			err = os.Chdir(dir)
-			assert.NoError(t, err)
-			_, err = git.Init()
-			assert.NoError(t, err)
-
-			gitAttributes := path.Join(dir, common.GitAttributesFile)
-			gitIgnore := path.Join(dir, common.GitIgnoreFile)
-
-			if test.createFiles {
-				err = utils.WriteFile(gitIgnore, []byte(common.Gitignore+"some extra"))
-				assert.NoError(t, err)
-				err = utils.WriteFile(gitAttributes, []byte(common.Gitattributes+"abc"))
-				assert.NoError(t, err)
-			}
-
-			// test CheckGitCrypt
-			err = crypto.CheckGitCrypt(&cli.Context{})
-			assert.NoError(t, err)
-
-			// the files should exist
-			assert.True(t, utils.Exists(gitAttributes), ".gitattributes should exist")
-			assert.True(t, utils.Exists(gitIgnore), ".gitignore should exist")
-
-			attributes, err := utils.ReadFile(gitAttributes)
-			assert.NoError(t, err)
-			if !test.createFiles {
-				assert.Equal(t, attributes, common.Gitattributes)
-			}
-
-			ignore, err := utils.ReadFile(gitIgnore)
-			assert.NoError(t, err)
-			if !test.createFiles {
-				assert.Equal(t, ignore, common.Gitignore)
-			}
-		})
-	}
-}
-
 func TestCheckKeyFingerprint(t *testing.T) {
 	tests := []struct {
 		name string

@@ -1,17 +1,13 @@
 package up
 
 import (
-	"encoding/base64"
 	"fmt"
 	"strings"
 
-	"github.com/pluralsh/gqlclient"
 	"github.com/pluralsh/plural-cli/pkg/console"
-	"github.com/pluralsh/plural-cli/pkg/crypto"
-	"github.com/samber/lo"
 )
 
-func (p *Plural) backfillEncryption() error {
+func (p *Plural) ValidateConsoleConfig() error {
 	instances, err := p.GetConsoleInstances()
 	if err != nil {
 		return err
@@ -29,25 +25,10 @@ func (p *Plural) backfillEncryption() error {
 			id = inst.ID
 		}
 	}
+
 	if id == "" {
 		return fmt.Errorf("your configuration doesn't match to any existing Plural Console")
 	}
 
-	prov, err := crypto.Build()
-	if err != nil {
-		return err
-	}
-
-	raw, err := prov.SymmetricKey()
-	if err != nil {
-		return err
-	}
-
-	encoded := base64.StdEncoding.EncodeToString(raw)
-
-	return p.UpdateConsoleInstance(id, gqlclient.ConsoleInstanceUpdateAttributes{
-		Configuration: &gqlclient.ConsoleConfigurationUpdateAttributes{
-			EncryptionKey: lo.ToPtr(encoded),
-		},
-	})
+	return nil
 }
@@ -99,7 +99,7 @@ func (p *Plural) handleUp(c *cli.Context) error {
 			return err
 		}
 
-		if err := p.backfillEncryption(); err != nil {
+		if err := p.ValidateConsoleConfig(); err != nil {
 			return err
 		}
 	}

@@ -108,7 +108,6 @@ export PLURAL_REPOS_RESET_CONFIRM=true
 
 export PLURAL_LOGIN_AFFIRM_CURRENT_USER=true
 export PLURAL_INIT_AFFIRM_CURRENT_REPO=true
-export PLURAL_INIT_AFFIRM_BACKUP_KEY=false
 
 export PLURAL_DISABLE_MP_TABLE_VIEW=true
 

@@ -15,7 +15,6 @@ import (
 	"github.com/urfave/cli"
 
 	"github.com/pluralsh/plural-cli/pkg/common"
-	"github.com/pluralsh/plural-cli/pkg/crypto"
 	"github.com/pluralsh/plural-cli/pkg/scm"
 	"github.com/pluralsh/plural-cli/pkg/wkspace"
 
@@ -118,11 +117,7 @@ func (p *Plural) HandleInitWithProject(c *cli.Context) (*manifest.ProjectManifes
 	}
 
 	if utils.Exists("./workspace.yaml") {
-		project, err := p.ensureWorkspace(c)
-		if err != nil {
-			return nil, err
-		}
-		return project, nil
+		return p.ensureWorkspace()
 	}
 
 	if err := common.HandleLogin(c); err != nil {
@@ -152,21 +147,12 @@ func (p *Plural) HandleInitWithProject(c *cli.Context) (*manifest.ProjectManifes
 		return nil, fmt.Errorf("you're not in a git repository, either clone one directly or let us set it up for you")
 	}
 
-	// create workspace.yaml when git repository is ready
+	// Create workspace.yaml when the Git repository is ready.
 	if err := prov.Flush(); err != nil {
 		return nil, err
 	}
-	if err := common.CryptoInit(c); err != nil {
-		return nil, err
-	}
 
-	if common.Affirm(common.BackupMsg, "PLURAL_INIT_AFFIRM_BACKUP_KEY") {
-		if err := crypto.BackupKey(p.Client); err != nil {
-			return nil, api.GetErrorResponse(err, "BackupKey")
-		}
-	}
-
-	if err := crypto.CreateKeyFingerprintFile(); err != nil {
+	if err = common.EnsureGitIgnore(); err != nil {
 		return nil, err
 	}
 
@@ -179,10 +165,11 @@ func (p *Plural) HandleInitWithProject(c *cli.Context) (*manifest.ProjectManifes
 	if gitCreated {
 		utils.Highlight("Be sure to `cd %s` to use your configured git repo\n", repo)
 	}
+
 	return project, nil
 }
 
-func (p *Plural) ensureWorkspace(c *cli.Context) (*manifest.ProjectManifest, error) {
+func (p *Plural) ensureWorkspace() (*manifest.ProjectManifest, error) {
 	utils.Highlight("Found workspace.yaml, skipping init as this repo has already been initialized\n")
 	utils.Highlight("Checking domain...\n")
 	proj, err := manifest.FetchProject()
@@ -210,9 +197,10 @@ func (p *Plural) ensureWorkspace(c *cli.Context) (*manifest.ProjectManifest, err
 		return nil, err
 	}
 
-	if err := common.CryptoInit(c); err != nil {
+	if err = common.EnsureGitIgnore(); err != nil {
 		return nil, err
 	}
+
 	return proj, nil
 }
 

@@ -2,8 +2,6 @@ package common
 
 import "fmt"
 
-const BackupMsg = "Would you like to back up your repo encryption key to plural?  If you chose to manage it yourself, you can find it at ~/.plural/key"
-
 const (
 	AffirmUp   = "Are you ready to set up your initial management cluster?  You can check the generated terraform/helm to confirm everything looks good first"
 	AffirmDown = "Are you ready to destroy your plural infrastructure?  This wil destroy your management cluster, and any data stored within"

@@ -23,6 +23,14 @@ helm-values/*.yaml filter=plural-crypt diff=plural-crypt
 .gitattributes !filter !diff
 `
 
+func EnsureGitAttributes() error {
+	if utils.Exists(GitAttributesFile) {
+		return nil
+	}
+
+	return utils.WriteFile(GitAttributesFile, []byte(Gitattributes))
+}
+
 const Gitignore = `/**/.terraform
 /**/.terraform*
 /**/terraform.tfstate*
@@ -34,9 +42,18 @@ const Gitignore = `/**/.terraform
 .DS_STORE
 .vscode
 context.yaml*
+temp
 `
 
-func CryptoInit(c *cli.Context) error {
+func EnsureGitIgnore() error {
+	if utils.Exists(GitIgnoreFile) {
+		return nil
+	}
+
+	return utils.WriteFile(GitIgnoreFile, []byte(Gitignore))
+}
+
+func CryptoInit(_ *cli.Context) error {
 	encryptConfig := [][]string{
 		{"filter.plural-crypt.smudge", "plural crypto decrypt"},
 		{"filter.plural-crypt.clean", "plural crypto encrypt"},
@@ -51,16 +68,12 @@ func CryptoInit(c *cli.Context) error {
 		}
 	}
 
-	if !utils.Exists(GitAttributesFile) {
-		if err := utils.WriteFile(GitAttributesFile, []byte(Gitattributes)); err != nil {
-			return err
-		}
+	if err := EnsureGitAttributes(); err != nil {
+		return err
 	}
 
-	if !utils.Exists(GitIgnoreFile) {
-		if err := utils.WriteFile(GitIgnoreFile, []byte(Gitignore)); err != nil {
-			return err
-		}
+	if err := EnsureGitIgnore(); err != nil {
+		return err
 	}
 
 	_, err := crypto.Build()