2018-06-10 14:05:49 +00:00
|
|
|
## Usage: Setting up git-secret in a repository
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2016-02-23 21:11:37 +00:00
|
|
|
These steps cover the basic process of using `git-secret`:
|
2016-02-24 11:24:07 +00:00
|
|
|
|
2016-02-23 21:11:37 +00:00
|
|
|
0. Before starting, make sure you have created `gpg` RSA key-pair: public and secret key identified by your email address.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
|
|
|
|
to make the git-secret hide and reveal files in this repository.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
2. Initialize the `git-secret` repository by running `git secret init` command. the `.gitsecret/` folder will be created,
|
2018-04-17 15:20:01 +00:00
|
|
|
**Note** all the contents of the `.gitsecret/` folder should be checked in, /except/ the `random_seed` file.
|
|
|
|
In other words, of the files in .gitsecret, only the random_seed file should be mentioned in your .gitignore file.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 15:20:01 +00:00
|
|
|
3. Add the first user to the git-secret repo keyring by running `git secret tell your@gpg.email`.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
|
|
|
|
It can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
|
|
|
|
.gitignore, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
|
|
|
|
The data will be encrypted with the public-keys described by the `git secret tell` command.
|
|
|
|
After using `git secret hide` to encrypt your data, it is safe to commit your changes.
|
|
|
|
**NOTE:**. It's recommended to add `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
6. Later you can decrypt files with the `git secret reveal` command, or just show their contents to stdout with the
|
|
|
|
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
|
|
|
|
And you're done!
|
2016-02-23 21:11:37 +00:00
|
|
|
|
2018-06-10 14:05:49 +00:00
|
|
|
### Usage: Adding someone to a repository using git-secret
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-02-07 09:42:08 +00:00
|
|
|
1. Get their `gpg` public-key. **You won't need their secret key.**
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-16 21:42:36 +00:00
|
|
|
2. Import this key into your `gpg` setup (in ~/.gnupg or similar) by running `gpg --import KEY_NAME.txt`
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
|
2018-06-21 12:21:52 +00:00
|
|
|
(this will be the email address associated with the public key)
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
|
|
|
|
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
|
|
|
|
(The -d options deletes the unencrypted file after re-encrypting it).
|
|
|
|
Now the newly added user be able to decrypt the files in the repo using `git-secret`.
|
2016-02-23 21:11:37 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
|
2018-06-21 12:21:52 +00:00
|
|
|
It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
|
2018-04-17 15:20:01 +00:00
|
|
|
want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
|
2016-02-23 21:11:37 +00:00
|
|
|
|
2016-05-14 11:03:33 +00:00
|
|
|
## Configuration
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-04-17 15:20:01 +00:00
|
|
|
You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better.
|
2018-04-17 03:43:57 +00:00
|
|
|
To do so, just set the required variable to the value you need.
|
|
|
|
This can be done in your shell environment file or with each `git-secret` command.
|
2016-05-14 11:03:33 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
The settings available to be changed are:
|
|
|
|
|
|
|
|
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
|
|
|
|
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
|
|
|
|
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
|
2016-05-14 11:03:33 +00:00
|
|
|
|
|
|
|
* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-06-10 14:05:49 +00:00
|
|
|
## The `.gitsecret` folder
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-06-10 14:05:49 +00:00
|
|
|
This folder contains information about the files encrypted by git-secret,
|
2018-04-17 03:43:57 +00:00
|
|
|
and about which public/private key sets can access the encrypted data.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
|
|
|
|
you should not change the data in these files directly.
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-06-10 14:05:49 +00:00
|
|
|
Exactly which files exist in the .gitsecret folder and what their contents are
|
|
|
|
vary slightly across different versions of gpg. Thus it is best to use
|
2018-06-12 16:08:00 +00:00
|
|
|
git-secret with the same version of gpg being used by all users.
|
|
|
|
This can be forced using SECRETS_GPG_COMMAND environment variable.
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-06-11 12:07:03 +00:00
|
|
|
Specifically, there is an issue between gpg version 2.1.20 and later versions
|
|
|
|
which can cause problems reading and writing keyring files between systems
|
|
|
|
(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
|
2018-06-10 14:05:49 +00:00
|
|
|
|
2018-04-16 21:42:36 +00:00
|
|
|
The git-secret internal data is separated into two directories:
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-04-16 20:07:56 +00:00
|
|
|
### `.gitsecret/paths`
|
2017-06-01 11:01:41 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
|
2018-04-16 20:07:56 +00:00
|
|
|
In other words, the path mappings: what files are tracked to be hidden and revealed.
|
|
|
|
|
|
|
|
All the other internal data is stored in the directory:
|
|
|
|
|
|
|
|
### `.gitsecret/keys`
|
|
|
|
|
2018-06-21 12:21:52 +00:00
|
|
|
This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.
|
2018-04-16 20:07:56 +00:00
|
|
|
|
2018-04-17 03:43:57 +00:00
|
|
|
Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
|
2018-04-16 20:07:56 +00:00
|
|
|
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your .gitignore file.
|