There’s a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web. What are the drawbacks of storing them separately?
- These files are not version controlled. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed. And you can not tell for sure which version of the configuration file was used with each commit.
- When building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. So you have to maintain an extra secure server, where everything is stored.
git-secret solve these problems?
git-secretencrypts files and stores them inside the
gitrepository, so you will have all the changes for every commit.
git-secretdoesn’t require any other deploy operations rather than
git secret reveal, so it will automatically decrypt all the required files.
git-secret is a bash tool to store your private data inside a
git repo. How’s that? Basically, it just encrypts, using
gpg, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out - just delete his public key, reencrypt the files, and he won’t be able to decrypt secrets anymore.
These steps cover the basic process of using
- Before starting, make sure you have created
gpgRSA key-pair: public and secret key identified by your email address.
git-secretrepository by running
git secret initcommand.
.gitsecret/folder will be created, note that
.gitsecret/folder should not be ignored.
- Add first user to the system by running
git secret tell firstname.lastname@example.org.
- Now it’s time to add files you wish to encrypt inside the
git-secretrepository. It can be done by running
git secret add <filenames...>command. Make sure these files are ignored, otherwise
git-secretwon’t allow you to add them, as these files will be stored unencrypted.
- When done, run
git secret hideall files, which you have added by
git secret addcommand will be encrypted with added public-keys by the
git secret tellcommand. Now it is safe to commit your changes. But. It’s recommended to add
git secret hidecommand to your
pre-commithook, so you won’t miss any changes.
- Now decrypt files with
git secret revealcommand. It will ask you for your password. And you’re done!
I want to add someone to the repository
- Get his
gpgpublic-key. You won’t need their secret key.
- Import this key inside your
gpg --import KEY_NAME
- Now add this person to the
git secret tell email@example.com
- Reencypt the files, now they will be able to decrypt them with their secret key.
Note, that it is possible to add yourself to the system without decrypting existing files. It will be possible to decrypt them after reencrypting them with the new keyring. So, if you don’t want unexpected keys added, make sure to configure some server-side security policy with the
You can configure several things to suit your workflow better. To do so, just set the required variable to the value you need. This can be done in your shell environment file or with the each
These settings are available to be changed:
$SECRETS_GPG_COMMAND- sets the
gpgalternatives, defaults to
gpg. It can be changed to
/usr/local/gpgor any other value. After doing so rerun tests to be sure, that it won’t break anything. Tested to be working with:
$SECRETS_EXTENSION- sets the secret files extension, defaults to
.secret. It can be changed to any valid file extension.
subscribe via RSS