Removing sensitive data from your Git history with BFG

Here's how to remove sensitive data, like certificate files or passwords in your files, from your git repo and history with BFG Repo-Cleaner.

1. Remove the sensitive files and secrets from your code and commit changes

Note that, by default, BFG doesn't modify the contents of your latest commit. So, remove the sensitive files and secrets from your code, commit the changes and ensure that your latest commit is clean with none of the undesired data in it before proceeding.

2. Install BFG

You can download a JAR from the site. If you're on Mac, brew install bfg should suffice.

3. Clone a fresh copy of your repo, using the --mirror flag:

# Example
$ git clone --mirror git://example.com/my-repo.git

4. Clean sensitive files

Use --delete-files to nuke files in your repo history.

# Examples
$ bfg --delete-files certificate.p12 my-repo.git
$ bfg --delete-files keystore.jks my-repo.git
$ bfg --delete-files id_{dsa,rsa} my-repo.git
$ bfg --delete-files *.{txt,log} my-repo.git

Note that the specified name matches on file name, not on path within repo. So $ bfg --delete-files path/to/certificate.p12 my-repo.git won't work.

5. Clean sensitive strings

Use --replace-text to clean strings from your repo history. Each string will be rewritten as "***REMOVED***" by default. This is a two-step process.

5.1. Create a file with a new line for each string you want to remove

Create a simple text file however you'd like.

# Example
echo "password123" >> passwords.txt
echo "123password" >> passwords.txt

5.2. Run the command

Run bfg --replace-text referencing the file you just created.

# Example
$ bfg --replace-text passwords.txt my-repo.git

6. Take a look at your new history

Enter the folder of the git repo and make sure your history has been updated.

# Example
$ cd my-repo.git

# Use git commands to examine the history
$ git log
$ git show HEAD
$ git show HEAD~1
$ git show d89bb58

(You won't see the physical files of your working tree if you list files in this directory, since we did a bare/mirror clone, in case you were wondering.)

7. Strip out the unwanted dirty data

Once satisfied with the state of the history, clean up those sensitive files, which git now considers unnecessary.

$ git reflog expire --expire=now --all && git gc --prune=now --aggressive

8. Push

Finally, once you're happy with the updated state of your repo, push it back up and you're done!

$ git push

If you're with a team have everyone ditch their old copies of the repo and do fresh clones.

Thanks for following along. Cheers!