Abstract
Sometimes you need to share secrets securely with teammates and also keep a history of how those secrets changed over time.
git-crypt lets you do exactly that inside the git repository you already use.
git-crypt enables transparent encryption and decryption of files in a git repository. Files which you choose to protect are encrypted when committed, and decrypted when checked out. git-crypt lets you freely share a repository containing a mix of public and private content.
Some features
- No accidental pushes of secrets in clear text (for the files covered by your rules)
- Credentials can be shared with selected teammates
- Credentials live in version control with full history
Installation
First we need to install git-crypt.
Building from source needs make, a C++ compiler (g++ or clang++) and the OpenSSL development headers (libssl-dev on Debian/Ubuntu, openssl-devel on Fedora). Many distributions also ship a git-crypt package, which is the quicker route.
Please cd into a temporary directory first, then clone the repo and run the following commands.
git clone git@github.com:AGWA/git-crypt.git
cd git-crypt
make
sudo make install
For a user-local install without root, use make install PREFIX=$HOME/.local instead and make sure $HOME/.local/bin is on your PATH. Afterwards git-crypt help should print the list of commands.
Remarks
- For details please check the install instructions of git-crypt (INSTALL.md in the repository).
- For users with docker knowledge: I have prepared a docker image where git-secret is already installed.
docker run -v <local_git_repo>:/home/git-secrets/ andyaugustin/git-secrets:main git-crypt
Setup
GPG
We need a GPG key pair (in reality one may already exist for your mail address).
Use the mail address that is configured for your git user, so that teammates can find your key later.
First we want to check those settings
$ git config --global user.email
john.doe@dummy.fake
$ git config --global user.name
John Doe
Keep those entries in mind or write them down :evil_imp:
Now we want to generate the GPG key. When prompted, enter the name and mail address you just looked up.
gpg --gen-key
gpg --gen-key picks sensible defaults; use gpg --full-gen-key if you want to choose the algorithm, key size or expiry yourself.
git-crypt
We need a git repository to work in. Please create a repository named git-crypt-test with your favourite Git provider (e.g. GitHub, GitLab, Gitea, ...).
Please clone the repository and cd into it.
git clone <use_your_repo_url>/git-crypt-test
cd git-crypt-test
Now we need to initialise git-crypt in this clone. This generates a random symmetric key under .git/git-crypt/keys/default; it is never committed, and later every GPG user we add gets a copy encrypted to their public key.
git-crypt init
Now we specify which files git-crypt should handle.
That is easy: we add a .gitattributes file listing the paths to encrypt. A here-document writes the lines exactly as intended (echo with \n escapes behaves differently from shell to shell).
cat >> .gitattributes <<'EOF'
secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
secretdir/** filter=git-crypt diff=git-crypt
EOF
The .gitattributes file should now contain:
secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
secretdir/** filter=git-crypt diff=git-crypt
The patterns use .gitignore syntax (see gitattributes(5)); the three rules mean:
- encrypt every file named secretfile, in any directory
- encrypt every file with the extension .key
- encrypt everything below secretdir/, including nested directories (a single * would not cross a directory boundary)
Two caveats: .gitattributes itself must never match a rule, because git cannot read an encrypted attributes file, and a rule only applies to files added or changed after it exists; a file that was already committed in clear text stays in the history until you rewrite it.
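Before committing any real secret it is worth dry-running the rules with git check-attr, which is exactly what git consults when deciding whether to hand a file to the git-crypt filter. The script below is an added example (not from the original post and not part of git-crypt) and needs only git; the extra shallow/* rule and the candidate paths are constructed to show why the post uses secretdir/** rather than secretdir/*.

```shell
#!/bin/sh
# Added example: dry-run .gitattributes rules with `git check-attr`.
# Requires git only; git-crypt does not need to be installed.
set -eu

# Create a throwaway repository with the rules from the post plus one
# constructed rule (shallow/*) for comparison.
make_demo_repo() {
    _dir=$(mktemp -d)
    git init -q "$_dir"
    cat > "$_dir/.gitattributes" <<'EOF'
secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
secretdir/** filter=git-crypt diff=git-crypt
# constructed for comparison: a single * does not cross directory boundaries
shallow/* filter=git-crypt diff=git-crypt
EOF
    printf '%s\n' "$_dir"
}

# filter_for REPO PATH: print the value of the `filter` attribute git would
# apply to PATH. "git-crypt" means the file will be encrypted on commit,
# "unspecified" means it will be stored in clear text.
filter_for() {
    _repo=$1; _path=$2
    git -C "$_repo" check-attr filter -- "$_path" | sed 's/^.*: filter: //'
}

# report REPO: table of constructed candidate paths and their fate.
report() {
    _r=$1
    for p in secretfile docs/secretfile app.key secretdir/db.key \
             secretdir/nested/ca.pem shallow/top.txt shallow/nested/deep.txt \
             README.md .gitattributes; do
        printf '%-28s %s\n' "$p" "$(filter_for "$_r" "$p")"
    done
}

repo=$(make_demo_repo)
report "$repo"
rm -rf "$repo"
```

Paths do not have to exist for check-attr to evaluate them, so you can test a naming scheme before creating a single secret. Note that secretfile matches docs/secretfile too (a pattern without a slash matches at any depth), while shallow/nested/deep.txt falls through the shallow/* rule and would be committed in clear text.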
Now we add our own git user to the repository's key list. For that we need the fingerprint (or the long key ID) of our GPG key.
gpg --list-keys --keyid-format long $(git config --global user.email)
With GnuPG 2.x the 40-character fingerprint is printed on the line below pub; the long key ID is the 16 hex characters after the slash on the pub line. Either works, but the fingerprint is unambiguous, so prefer it. Copy it to a text editor.
Now we add the key to the repository. Replace the placeholder with the fingerprint you copied.
git-crypt add-gpg-user <FINGERPRINT>
This encrypts the repository's symmetric key to your public key, stores the result as .git-crypt/keys/default/0/<FINGERPRINT>.gpg and creates a commit for it (pass -n to stage without committing). git-crypt accepts anything gpg can resolve to exactly one public key here, including the mail address.
Now we add a file for encryption.
echo "This file will be encrypted" >> to_encrypt.key
and commit our changes
git add .
git commit -m "add file to encrypt :lock:"
Now lock the repository and look at the file
git-crypt lock
cat to_encrypt.key
lock removes the filter configuration and checks the stored blobs out as they are, so you see what git actually keeps: binary data starting with the header \0GITCRYPT\0. It refuses to run while encrypted files have uncommitted changes (unless you pass --force), which is why we committed first. For unlocking type
git-crypt unlock
Check the file again
cat to_encrypt.key
and the clear text is back. git-crypt status lists every tracked file and tells you whether it is encrypted.
The nice thing is that the encrypted form is what gets committed: with the filter configured, the clear text never leaves your working tree. The commit from above is already in place, so push it:
git push
Check the file in your favourite git provider. You can see that it is encrypted.
One caveat: the filter is configured per clone by git-crypt init or git-crypt unlock (it lives in .git/config). In a clone where neither has been run, git knows no filter named git-crypt, silently skips it, and a new *.key file would be committed in clear text. Run git-crypt status before pushing from such a clone; it warns about files that should be encrypted but are not, and git-crypt status -f re-stages them encrypted.
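The check a practitioner wants here, as an added example that is not part of the original post or of git-crypt: look at the blobs git stores rather than at the working tree. A git-crypt encrypted blob begins with the magic bytes \0GITCRYPT\0, so a file under a filter=git-crypt rule whose stored blob lacks that header was committed in clear text. The script needs only git; the repository, the stand-in "ciphertext" and the leaked password line are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that what git stores for git-crypt managed files is
# actually encrypted. Works on a machine without git-crypt installed.
set -eu

GITCRYPT_HEADER_HEX=00474954435259505400   # "\0GITCRYPT\0" as hex bytes

# stored_is_encrypted REV PATH: succeed if the blob stored for PATH in REV
# ("" for the index, "HEAD" for the last commit) starts with the header.
stored_is_encrypted() {
    _rev=$1; _path=$2
    _hex=$(git show "$_rev:$_path" | dd bs=10 count=1 2>/dev/null \
           | od -An -tx1 -v | tr -d ' \n')
    [ "$_hex" = "$GITCRYPT_HEADER_HEX" ]
}

# scan_repo REV: for every tracked file that .gitattributes routes through
# git-crypt, print "ENCRYPTED <path>" or "PLAINTEXT <path>" (a poor man's
# `git-crypt status`). Run inside the repository.
scan_repo() {
    _r=$1
    git ls-files | while IFS= read -r f; do
        attr=$(git check-attr filter -- "$f" | sed 's/^.*: filter: //')
        [ "$attr" = git-crypt ] || continue
        if stored_is_encrypted "$_r" "$f"; then
            printf 'ENCRYPTED %s\n' "$f"
        else
            printf 'PLAINTEXT %s\n' "$f"
        fi
    done
}

# build_demo_repo: constructed repository with one blob that looks like
# git-crypt output and one secret that slipped through in clear text, as
# happens in a clone where the filter was never configured. Prints the path.
build_demo_repo() {
    _dir=$(mktemp -d)
    git init -q "$_dir"
    (
        cd "$_dir"
        printf '*.key filter=git-crypt diff=git-crypt\nsecretdir/** filter=git-crypt diff=git-crypt\n' > .gitattributes
        mkdir secretdir
        # constructed: real magic header followed by stand-in ciphertext bytes
        printf '\000GITCRYPT\000fake-nonce-and-ciphertext-bytes' > secretdir/db.key
        # constructed: a matching file staged with no filter configured
        printf 'password=hunter2\n' > to_encrypt.key
        git add .
        git -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q -m 'constructed demo'
    )
    printf '%s\n' "$_dir"
}

repo=$(build_demo_repo)
(cd "$repo" && scan_repo HEAD)
rm -rf "$repo"
```

In a real repository run scan_repo HEAD (or scan_repo "" for the index) from the top level; git show prints the raw blob without running the smudge filter, so the result is the same whether the clone is locked or unlocked. A PLAINTEXT line means the secret is already in history and needs rotating, not just re-encrypting.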
Add users to git-crypt database
To add a user to git-crypt you need their public GPG key.
Tell the other user to export it with
gpg --armor --output public-key.gpg --export <key_mail_address>
and to send you the file together with the key fingerprint over a second channel (chat, phone, in person).
Import the key and compare the fingerprint with the one you received:
gpg --import public-key.gpg
gpg --fingerprint <key_mail_address>
gpg only encrypts to keys it considers valid. Ultimate trust is meant for your own keys and would make gpg accept anything that key certifies, so do not use it for teammates. After checking the fingerprint, sign the key locally instead (GnuPG 2.1 or newer):
gpg --quick-lsign-key <FINGERPRINT>
Newer git-crypt versions also offer add-gpg-user --trusted to skip the validity check; the verified local signature is the better habit.
Now you are able to add the user as before with
# the fingerprint (or any identifier gpg resolves to exactly one key) of the user's public key
git-crypt add-gpg-user <FINGERPRINT>
Push the resulting commit. The other user pulls and runs git-crypt unlock; with their private key available to gpg, the files are decrypted in their working tree.
Note that the reverse is not supported: git-crypt cannot take access away again (rm-gpg-user is not implemented), because the user already holds the symmetric key. When someone leaves the team, rotate the secrets themselves and start over with a fresh key.