You are here: Home » NewsFeeds » Git-secret – store private data in a Git repo

Git-secret – store private data in a Git repo

{“protip”:{“public_id”:”e-azzg”,”title”:”Store your private data inside a git repository”,”body”:”There’s a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web. What are the drawbacks of storing them separately?rnrnThese files are not version controlled. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed. And you can not tell for sure which version of the configuration file was used with each commit.rnWhen building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. So you have to maintain an extra secure server, where everything is stored.rnrn## How does git-secret solve these problems?rnrn`git-secret` encrypts files and stores them inside the git repository, so you will have all the changes for every commit.rn`git-secret` doesn’t require any other deploy operations rather than `git secret reveal`, so it will automatically decrypt all the required files.rnrn## What is git-secret?rnrn`git-secret` is a bash tool to store your private data inside a git repo. How’s that? Basically, it just encrypts, using `gpg`, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out – just delete his public key, reencrypt the files, and he won’t be able to decrypt secrets anymore.rnrn## UsagernThese steps cover the basic process of using `git-secret`:rnrn0. Before starting, make sure you have created `gpg` RSA key-pair: public and secret key identified by your email address.rn1. Initialize `git-secret` repository by running `git secret init` command. `.gitsecret/` folder will be created.rn2. Add first user to the system by running `git secret tell your@gpg.email-id`.rn3. Now it’s time to add files you wish to encrypt inside the `git-secret` repository. It can be done by running `git secret add ` command. Make sure these files are ignored, otherwise `git secret` won’t allow you to add them, as these files will be stored unencrypted.rn4. When done, run `git secret hide` all files, which you have added by `git secret add` command will be encrypted with added public-keys by the `git secret tell` command. Now it is safe to commit your changes. **But**. It’s recommended to add `git secret hide` command to your `pre-commit` hook, so you won’t miss any changes.rn5. Now decrypt files with `git secret reveal` command. It will ask you for your password. And you’re done!rnrnCheck out [docs](https://sobolevn.github.io/git-secret/#usage) for more information.”,”html”:”u003cpu003eThere’s a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web. What are the drawbacks of storing them separately?u003c/pu003ennu003cpu003eThese files are not version controlled. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed. And you can not tell for sure which version of the configuration file was used with each commit.u003cbru003enWhen building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. So you have to maintain an extra secure server, where everything is stored.u003c/pu003ennu003ch2u003eHow does git-secret solve these problems?u003c/h2u003ennu003cpu003eu003ccode class=”prettyprint”u003egit-secretu003c/codeu003e encrypts files and stores them inside the git repository, so you will have all the changes for every commit.u003cbru003enu003ccode class=”prettyprint”u003egit-secretu003c/codeu003e doesn’t require any other deploy operations rather than u003ccode class=”prettyprint”u003egit secret revealu003c/codeu003e, so it will automatically decrypt all the required files.u003c/pu003ennu003ch2u003eWhat is git-secret?u003c/h2u003ennu003cpu003eu003ccode class=”prettyprint”u003egit-secretu003c/codeu003e is a bash tool to store your private data inside a git repo. How’s that? Basically, it just encrypts, using u003ccode class=”prettyprint”u003egpgu003c/codeu003e, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out – just delete his public key, reencrypt the files, and he won’t be able to decrypt secrets anymore.u003c/pu003ennu003ch2u003eUsageu003c/h2u003ennu003cpu003eThese steps cover the basic process of using u003ccode class=”prettyprint”u003egit-secretu003c/codeu003e:u003c/pu003ennu003colu003enu003cliu003eBefore starting, make sure you have created u003ccode class=”prettyprint”u003egpgu003c/codeu003e RSA key-pair: public and secret key identified by your email address.u003c/liu003enu003cliu003eInitialize u003ccode class=”prettyprint”u003egit-secretu003c/codeu003e repository by running u003ccode class=”prettyprint”u003egit secret initu003c/codeu003e command. u003ccode class=”prettyprint”u003e.gitsecret/u003c/codeu003e folder will be created.u003c/liu003enu003cliu003eAdd first user to the system by running u003ccode class=”prettyprint”u003egit secret tell your@gpg.email-idu003c/codeu003e.u003c/liu003enu003cliu003eNow itu0026#39;s time to add files you wish to encrypt inside the u003ccode class=”prettyprint”u003egit-secretu003c/codeu003e repository. It can be done by running u003ccode class=”prettyprint”u003egit secret add u0026lt;filenames…u0026gt;u003c/codeu003e command. Make sure these files are ignored, otherwise u003ccode class=”prettyprint”u003egit secretu003c/codeu003e wonu0026#39;t allow you to add them, as these files will be stored unencrypted.u003c/liu003enu003cliu003eWhen done, run u003ccode class=”prettyprint”u003egit secret hideu003c/codeu003e all files, which you have added by u003ccode class=”prettyprint”u003egit secret addu003c/codeu003e command will be encrypted with added public-keys by the u003ccode class=”prettyprint”u003egit secret tellu003c/codeu003e command. Now it is safe to commit your changes. u003cstrongu003eButu003c/strongu003e. Itu0026#39;s recommended to add u003ccode class=”prettyprint”u003egit secret hideu003c/codeu003e command to your u003ccode class=”prettyprint”u003epre-commitu003c/codeu003e hook, so you wonu0026#39;t miss any changes.u003c/liu003enu003cliu003eNow decrypt files with u003ccode class=”prettyprint”u003egit secret revealu003c/codeu003e command. It will ask you for your password. And youu0026#39;re done!u003c/liu003enu003c/olu003ennu003cpu003eCheck out u003ca href=”https://sobolevn.github.io/git-secret/#usage” rel=”nofollow”u003edocsu003c/au003e for more information.u003c/pu003en”,”tags”:[“bash”,”zsh”,”git”],”hearts”:3,”upvotes”:3,”created_at”:”2016-05-08T19:45:47.627Z”,”user”:{“id”:142145,”name”:null,”avatar”:{“url”:”https://coderwall-assets-0.s3.amazonaws.com/uploads/user/avatar/142145/4660275.jpeg”},”title”:”Software Developer”,”location”:”Russia, Moscow”,”country”:null,”city”:null,”state_name”:null,”company”:””,”about”:””,”team_id”:null,”api_key”:null,”admin”:null,”receive_newsletter”:false,”receive_weekly_digest”:false,”last_ip”:5,”last_email_sent”:null,”last_request_at”:”2016-05-09T23:01:06.765Z”,”created_at”:”2016-03-31T12:20:35.705Z”,”updated_at”:”2016-05-09T20:42:50.656Z”,”username”:”sobolevn”,”email”:”mail@sobolevn.me”,”encrypted_password”:”$2a$10$Nt9IaFf3qxgjXsn0D2EcM.m0CXUO6P/khJCAd7QYrtxCPYsH2DWEi”,”confirmation_token”:null,”remember_token”:”05aad37b6b5ecabcb15c0f4137e2286f21f630f2″,”skills”:[“python”,”elixir”,”javascript”],”github_id”:null,”twitter_id”:null,”github”:”sobolevn”,”twitter”:””,”color”:”#f0720f”,”karma”:1,”banned_at”:null,”marketing_list”:null,”email_invalid_at”:null}}}


 

Original article