RECOMMENDATION: Use age instead of gpg.

chezmoi can use various external tools to keep data private. gpg is used by various other tools as well, so chances are that you already have a functional setup on your system. To configure gpg with chezmoi, just set yourself as the recipient like this:

[gpg]
  recipient = "[email protected]"

Calling chezmoi add --encrypt /path/to/secret will now create encrypt the file with your public key which allows you to decrypt them later with your private key.