git-secret/man/man7/git-secret.7.ronn

## Usage: Setting up git-secret in a repository

These steps cover the basic process of using `git-secret`:

0. Before starting, make sure you have created `gpg` RSA key-pair: public and secret key identified by your email address.

1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information 
to make the git-secret hide and reveal files in this repository.

2. Initialize the `git-secret` repository by running `git secret init` command. the `.gitsecret/` folder will be created, 
**Note** all the contents of the `.gitsecret/` folder should be checked in, /except/ the `random_seed` file. 
In other words, of the files in .gitsecret, only the random_seed file should be mentioned in your .gitignore file.

3. Add the first user to the git-secret repo keyring by running `git secret tell your@gpg.email`.

4. Now it's time to add files you wish to encrypt inside the `git-secret` repository. 
It can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in 
.gitignore, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted.

5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.  
The data will be encrypted with the public-keys described by the `git secret tell` command. 
After using `git secret hide` to encrypt your data, it is safe to commit your changes. 
**NOTE:**. It's recommended to add `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.

6. Later you can decrypt files with the `git secret reveal` command, or just show their contents to stdout with the 
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password. 
And you're done!

### Usage: Adding someone to a repository using git-secret

1. Get their `gpg` public-key. **You won't need their secret key.**

2. Import this key into your `gpg` setup (in ~/.gnupg or similar) by running `gpg --import KEY_NAME.txt`

3. Now add this person to your secrets repo by running `git secret tell persons@email.id` 
(this will be the email address assocated with the public key)

4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using 
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files. 
(The -d options deletes the unencrypted file after re-encrypting it). 
Now the newly added user be able to decrypt the files in the repo using `git-secret`.

Note that it is possible to add yourself to the git-secret repo without decrypting existing files. 
It will be possible to decrypt them after reencrypting them with the new keyring. So, if you don't 
want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.

## Configuration

You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better. 
To do so, just set the required variable to the value you need. 
This can be done in your shell environment file or with each `git-secret` command.

The settings available to be changed are:

* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`. 
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value. 
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.

* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.

## The `.gitsecret` folder

This folder contains information about the files encrypted by git-secret, 
and about which public/private key sets can access the encrypted data. 

Use the various 'git secret' commands to manipulate the files in `.gitsecret`, 
you should not change the data in these files directly.

Exactly which files exist in the .gitsecret folder and what their contents are
vary slightly across different versions of gpg. Thus it is best to use
git-secret with versions of gpg that interoperate well.

Specifically, there is an issue between gpg version 2.1.20 and later versions
which can cause problems reading and writing keyring files between systems 
(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').

The git-secret internal data is separated into two directories:

### `.gitsecret/paths`

This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
In other words, the path mappings: what files are tracked to be hidden and revealed.

All the other internal data is stored in the directory:

### `.gitsecret/keys`

This directory contains data used by git-secret and PGP to allow and maintain the correct encyption and access rights for the permitted parties. 

Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.  
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your .gitignore file.
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00			`## Usage: Setting up git-secret in a repository`
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
usage started 2016-02-23 21:11:37 +00:00			These steps cover the basic process of using `git-secret`:
new README 2016-02-24 11:24:07 +00:00
usage started 2016-02-23 21:11:37 +00:00			0. Before starting, make sure you have created `gpg` RSA key-pair: public and secret key identified by your email address.
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			`1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information`
			`to make the git-secret hide and reveal files in this repository.`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			2. Initialize the `git-secret` repository by running `git secret init` command. the `.gitsecret/` folder will be created,
improve CHANGELOG.md and git-secret man page 2018-04-17 15:20:01 +00:00			Note all the contents of the `.gitsecret/` folder should be checked in, /except/ the `random_seed` file.
			`In other words, of the files in .gitsecret, only the random_seed file should be mentioned in your .gitignore file.`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve CHANGELOG.md and git-secret man page 2018-04-17 15:20:01 +00:00			3. Add the first user to the git-secret repo keyring by running `git secret tell your@gpg.email`.
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
			It can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
			.gitignore, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted.
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
			The data will be encrypted with the public-keys described by the `git secret tell` command.
			After using `git secret hide` to encrypt your data, it is safe to commit your changes.
			NOTE:. It's recommended to add `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			6. Later you can decrypt files with the `git secret reveal` command, or just show their contents to stdout with the
			`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
			`And you're done!`
usage started 2016-02-23 21:11:37 +00:00
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00			`### Usage: Adding someone to a repository using git-secret`
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
Replace 'his' with 'their' 2018-02-07 09:42:08 +00:00			1. Get their `gpg` public-key. You won't need their secret key.
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve git-secret docs 2018-04-16 21:42:36 +00:00			2. Import this key into your `gpg` setup (in ~/.gnupg or similar) by running `gpg --import KEY_NAME.txt`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
			`(this will be the email address assocated with the public key)`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			`4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using`
			`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
			`(The -d options deletes the unencrypted file after re-encrypting it).`
			Now the newly added user be able to decrypt the files in the repo using `git-secret`.
usage started 2016-02-23 21:11:37 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			`Note that it is possible to add yourself to the git-secret repo without decrypting existing files.`
			`It will be possible to decrypt them after reencrypting them with the new keyring. So, if you don't`
improve CHANGELOG.md and git-secret man page 2018-04-17 15:20:01 +00:00			want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
usage started 2016-02-23 21:11:37 +00:00
Added `-i` flag to the `git-secret-add` command, which now auto-ignores unignored files. Also added a test case for this feature. Other changes: 1. refactored `Makefile` to have `.PHONY` marks 2. added install target to the `Makefile`, now one can run `make install` (with optional `$PREFIX` variable) 3. updated docs for `git-secret.7`, `git-secret-add.1` 4. refactored some commands to `shift` arguments 5. added a test case to the 'other-file-extension' situation 5. added `.github` folder to store templates Closed #18 2016-05-14 11:03:33 +00:00			`## Configuration`
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
improve CHANGELOG.md and git-secret man page 2018-04-17 15:20:01 +00:00			`You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better.`
improve text and break long lines 2018-04-17 03:43:57 +00:00			`To do so, just set the required variable to the value you need.`
			This can be done in your shell environment file or with each `git-secret` command.
Added `-i` flag to the `git-secret-add` command, which now auto-ignores unignored files. Also added a test case for this feature. Other changes: 1. refactored `Makefile` to have `.PHONY` marks 2. added install target to the `Makefile`, now one can run `make install` (with optional `$PREFIX` variable) 3. updated docs for `git-secret.7`, `git-secret-add.1` 4. refactored some commands to `shift` arguments 5. added a test case to the 'other-file-extension' situation 5. added `.github` folder to store templates Closed #18 2016-05-14 11:03:33 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			`The settings available to be changed are:`

			* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
			It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
			After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
Added `-i` flag to the `git-secret-add` command, which now auto-ignores unignored files. Also added a test case for this feature. Other changes: 1. refactored `Makefile` to have `.PHONY` marks 2. added install target to the `Makefile`, now one can run `make install` (with optional `$PREFIX` variable) 3. updated docs for `git-secret.7`, `git-secret-add.1` 4. refactored some commands to `shift` arguments 5. added a test case to the 'other-file-extension' situation 5. added `.github` folder to store templates Closed #18 2016-05-14 11:03:33 +00:00
			* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00			## The `.gitsecret` folder
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00			`This folder contains information about the files encrypted by git-secret,`
improve text and break long lines 2018-04-17 03:43:57 +00:00			`and about which public/private key sets can access the encrypted data.`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
			`you should not change the data in these files directly.`
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00			`Exactly which files exist in the .gitsecret folder and what their contents are`
			`vary slightly across different versions of gpg. Thus it is best to use`
fix typos, regenerate man pages 2018-06-11 12:07:03 +00:00			`git-secret with versions of gpg that interoperate well.`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
fix typos, regenerate man pages 2018-06-11 12:07:03 +00:00			`Specifically, there is an issue between gpg version 2.1.20 and later versions`
			`which can cause problems reading and writing keyring files between systems`
			`(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').`
more about gnupg, and .gitsecret contents. whitespace changes. 2018-06-10 14:05:49 +00:00
improve git-secret docs 2018-04-16 21:42:36 +00:00			`The git-secret internal data is separated into two directories:`
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
improve docs re: ignores & .gitsecret 2018-04-16 20:07:56 +00:00			### `.gitsecret/paths`
Adds documentation update Documentation: 1. Adds security note, closes #78 2. Adds a tweak about `random_seed` and `.gitsecret/`, closes #93 3. Adds `git --version` into issue tamplate, closes #95 4. Improves `README.md`, refs #79 2017-06-01 11:01:41 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
improve docs re: ignores & .gitsecret 2018-04-16 20:07:56 +00:00			`In other words, the path mappings: what files are tracked to be hidden and revealed.`

			`All the other internal data is stored in the directory:`

			### `.gitsecret/keys`

improve text and break long lines 2018-04-17 03:43:57 +00:00			`This directory contains data used by git-secret and PGP to allow and maintain the correct encyption and access rights for the permitted parties.`
improve docs re: ignores & .gitsecret 2018-04-16 20:07:56 +00:00
improve text and break long lines 2018-04-17 03:43:57 +00:00			Generally speaking, all the files in this directory except `random_seed` should be checked into your repo.
improve docs re: ignores & .gitsecret 2018-04-16 20:07:56 +00:00			By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your .gitignore file.