2019-02-11 14:37:09 +00:00
---
layout: post
2021-06-26 13:58:56 +00:00
title: 'git-secret-hide'
2024-09-17 14:41:09 +00:00
date: 2024-09-17 14:41:08 +0000
2019-02-11 14:37:09 +00:00
permalink: git-secret-hide
categories: command
---
2022-04-17 19:17:28 +00:00
git-secret-hide - encrypts all added files with repo keyring.
2019-02-11 14:37:09 +00:00
==================================================================
## SYNOPSIS
git secret hide [-c] [-F] [-P] [-v] [-d] [-m]
## DESCRIPTION
2022-04-17 19:17:28 +00:00
`git-secret-hide` - writes an encrypted version of each file added by `git-secret-add` command.
2019-02-11 14:37:09 +00:00
2022-04-14 23:08:22 +00:00
Then anyone enabled via `git secret tell` can decrypt these files.
2022-04-17 19:17:28 +00:00
Under the hood, `git-secret` uses the keyring of public keys in `.gitsecret/keys` to _encrypt_ files,
encrypted versions are typically called `filename.txt.secret` .
Later permitted users can use their secret key (typically from their home directory) to _decrypt_ files.
2019-02-11 14:37:09 +00:00
2022-04-14 23:08:22 +00:00
It is recommended to encrypt (or re-encrypt) all the files in a `git-secret` repo each
time `git secret hide` is run.
Otherwise the keyring (the one stored in `.gitsecret/keys/*.gpg` ),
2021-06-26 13:24:49 +00:00
may have changed since the last time the files were encrypted, and it's possible
to create a state where the users in the output of `git secret whoknows`
may not be able to decrypt the some files in the repo, or may be able decrypt files
2019-02-11 14:37:09 +00:00
they're not supposed to be able to.
2021-06-26 13:24:49 +00:00
In other words, unless you re-encrypt all the files in a repo each time you `hide` any,
it's possible to make it so some files can no longer be decrypted by users who should be
2019-02-11 14:37:09 +00:00
(and would appear) able to decrypt them, and vice-versa.
2021-06-26 13:24:49 +00:00
If you know what you are doing and wish
to encrypt or re-encrypt only a subset of the files
even after reading the above paragraphs, you can use the `-F` or `-m` options.
The `-F` option forces `git secret hide` to skip any hidden files
where the unencrypted versions aren't present.
The `-m` option skips any hidden files that have
not be been modified since the last time they were encrypted.
2019-09-18 18:15:00 +00:00
2019-02-11 14:37:09 +00:00
## OPTIONS
-v - verbose, shows extra information.
-c - deletes encrypted files before creating new ones.
-F - forces hide to continue if a file to encrypt is missing.
-P - preserve permissions of unencrypted file in encrypted file.
-d - deletes unencrypted files after encryption.
-m - encrypt files only when modified.
-h - shows help.
2021-06-26 13:24:49 +00:00
## ENV VARIABLES
- `SECRETS_GPG_COMMAND` changes the default `gpg` command to anything else
- `SECRETS_GPG_ARMOR` is a boolean to enable [`--armor` mode ](https://www.gnupg.org/gph/en/manual/r1290.html ) to store secrets in text format over binary
2021-06-26 14:18:03 +00:00
- `SECRETS_DIR` changes the default `.gitsecret/` folder to another name as documented at [git-secret(7) ](https://git-secret.io/ )
2021-06-26 13:24:49 +00:00
- `SECRETS_EXTENSION` changes the default `.secret` file extension
2021-06-26 14:18:03 +00:00
- `SECRETS_VERBOSE` changes the output verbosity as documented at [git-secret(7) ](https://git-secret.io/ )
- `SECRETS_PINENTRY` changes the [`gpg --pinentry` mode ](https://github.com/gpg/pinentry ) as documented at [git-secret(7) ](https://git-secret.io/ )
2021-06-26 13:24:49 +00:00
2019-02-11 14:37:09 +00:00
## MANUAL
2022-04-14 23:08:22 +00:00
Run `man git-secret-hide` to see this document.
2019-02-11 14:37:09 +00:00
## SEE ALSO
2021-06-26 14:18:03 +00:00
[git-secret-init(1) ](https://git-secret.io/git-secret-init ), [git-secret-tell(1) ](https://git-secret.io/git-secret-tell ),
[git-secret-add(1) ](https://git-secret.io/git-secret-add ), [git-secret-reveal(1) ](https://git-secret.io/git-secret-reveal ),
[git-secret-cat(1) ](https://git-secret.io/git-secret-cat )
