\fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \.gitignore\.
\fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \fB\.gitignore\fR\.
.
.P
When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\.
When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \fB\.gitignore\fR, since they must be secure and not be committed into the remote repository unencrypted\.
.
.P
If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\.
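Review bot: the unchanged last line of this hunk, `If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\.`, has a number-agreement error and a dangling clause; since the surrounding lines are already being touched for formatting, suggest `If there are no users in \fBgit\-secret\fR\'s keyring, adding a file will raise an error\.` Also, the other pages in this commit carry matching .1 and .ronn changes (git-secret-hide, git-secret-reveal), but no git-secret-add.ronn hunk is visible here; the `\fB\.gitignore\fR` bolding should be made in the ronn source as well so the regenerated man page does not lose it.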
\fBgit\-secret\-clean\fR\- removes all the hidden files\.
@ -15,7 +15,7 @@ git secret clean [\-v]
.fi
.
.SH"DESCRIPTION"
\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \-v option, in which case the program prints which files are deleted\.
\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \fB\-v\fR option, in which case the program prints which files are deleted\.
\fBgit\-secret\-hide\fR creates an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\. Now anyone enabled via \'git secret tell\' can can decrypt these files\. Under the hood, \fBgit\-secret\fR uses the keyring in \fB\.gitsecret/keys\fR and user\'s secret keys to decrypt the files\.
.
.P
It is recommended to encrypt (or re\-encrypt) all the files in a git\-secret repo each time \fBgit secret hide\fR is run\.
It is recommended to encrypt (or re\-encrypt) all the files in a \fBgit\-secret\fR repo each time \fBgit secret hide\fR is run\.
.
.P
Otherwise the keychain (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may have changed since the last time the files were encrypted, and it\'s possible to create a state where the users in the output of \fBgit secret whoknows\fR may not be able to decrypt the some files in the repo, or may be able decrypt files they\'re not supposed to be able to\.
.
.P
In other words, unless you re\-encrypt all the files in a repo each time you \'hide\' any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\.
In other words, unless you re\-encrypt all the files in a repo each time you \fBhide\fR any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\.
.
.P
If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \-F or \-m option to only encrypted a subset of files\. The \-F option forces \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. The \-m option skips any hidden files that have not be modified since the last time they were encrypted\.
.
.P
Also, it is possible to modify the names of the encrypted files by setting \fBSECRETS_EXTENSION\fR variable\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.
.P
You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
If you know what you are doing and wish to encrypt or re\-encrypt only a subset of the files even after reading the above paragraphs, you can use the \fB\-F\fR or \fB\-m\fR options\. The \fB\-F\fR option forces \fBgit secret hide\fR to skip any hidden files where the unencrypted versions aren\'t present\. The \fB\-m\fR option skips any hidden files that have not be been modified since the last time they were encrypted\.
.
.SH"OPTIONS"
.
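Review bot: the new last paragraph line introduces a typo, `The \fB\-m\fR option skips any hidden files that have not be been modified since the last time they were encrypted\.`; it should read `have not been modified`. While in this hunk, the unchanged context still carries `can can decrypt these files`, `may not be able to decrypt the some files`, and `may be able decrypt files` in the first and "Otherwise" paragraphs; fixing those in the same pass would keep the page from needing a third touch.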
@ -52,11 +43,30 @@ You can also enable verbosity using the SECRETS_VERBOSE environment variable, as
.
.fi
.
.SH"ENV VARIABLES"
.
.IP"\(bu"4
\fBSECRETS_GPG_COMMAND\fR changes the default \fBgpg\fR command to anything else
.
.IP"\(bu"4
\fBSECRETS_GPG_ARMOR\fR is a boolean to enable \fB\-\-armor\fR mode \fIhttps://www\.gnupg\.org/gph/en/manual/r1290\.html\fR to store secrets in text format over binary
.
.IP"\(bu"4
\fBSECRETS_DIR\fR changes the default \fB\.gitsecret/\fR folder to another name as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.IP"\(bu"4
\fBSECRETS_EXTENSION\fR changes the default \fB\.secret\fR file extension
.
.IP"\(bu"4
\fBSECRETS_VERBOSE\fR changes the output verbosity as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.IP"\(bu"4
\fBSECRETS_PINENTRY\fR changes the \fBgpg \-\-pinentry\fR mode \fIhttps://github\.com/gpg/pinentry\fR as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.IP""0
.
.SH"MANUAL"
Run \fBman git\-secret\-hide\fR to see this note\.
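Review bot: two of the new ENV VARIABLES items read awkwardly and could be tightened before this list is copied into other pages: `\fBSECRETS_GPG_COMMAND\fR changes the default \fBgpg\fR command to anything else` would be clearer as `selects the \fBgpg\fR binary to run (for example \fBgpg2\fR)`, and `to store secrets in text format over binary` as `to store encrypted files as ASCII\-armored text instead of binary`. Since the same six-item block appears verbatim in more than one page in this commit, keeping the wording identical everywhere (or keeping each item to one line that defers to git\-secret(7)) will limit drift later.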
@ -7,37 +7,31 @@ git-secret-hide - encrypts all added files with the inner keyring.
## DESCRIPTION
`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`)
of each file added by `git-secret-add` command.
`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`)
of each file added by `git-secret-add` command.
Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.
It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each
It is recommended to encrypt (or re-encrypt) all the files in a `git-secret` repo each
time `git secret hide` is run.
Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
may have changed since the last time the files were encrypted, and it's possible
to create a state where the users in the output of `git secret whoknows`
may not be able to decrypt the some files in the repo, or may be able decrypt files
may have changed since the last time the files were encrypted, and it's possible
to create a state where the users in the output of `git secret whoknows`
may not be able to decrypt the some files in the repo, or may be able decrypt files
they're not supposed to be able to.
In other words, unless you re-encrypt all the files in a repo each time you 'hide' any,
it's possible to make it so some files can no longer be decrypted by users who should be
In other words, unless you re-encrypt all the files in a repo each time you `hide` any,
it's possible to make it so some files can no longer be decrypted by users who should be
(and would appear) able to decrypt them, and vice-versa.
If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files
even after reading the above paragraphs, you can use the -F or -m option to only encrypted
a subset of files. The -F option forces `git secret hide` to skip any hidden files
where the unencrypted versions aren't present. The -m option skips any hidden files that have
not be modified since the last time they were encrypted.
Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
as documented at [git-secret(7)](http://git-secret.io/)
If you know what you are doing and wish
to encrypt or re-encrypt only a subset of the files
even after reading the above paragraphs, you can use the `-F` or `-m` options.
The `-F` option forces `git secret hide` to skip any hidden files
where the unencrypted versions aren't present.
The `-m` option skips any hidden files that have
not be been modified since the last time they were encrypted.
## OPTIONS
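Review bot: the ronn source line `not be been modified since the last time they were encrypted.` carries the same typo that surfaces in the generated git-secret-hide.1 in this commit; fix it here (`not been modified`) and regenerate, so the .1 and .ronn stay in sync. The unchanged line `Now anyone enabled via 'git secret tell' can can decrypt these files.` also has a doubled word and, given the rest of the commit, 'git secret tell' would be backticked rather than single-quoted.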
@ -50,6 +44,17 @@ as documented at [git-secret(7)](http://git-secret.io/)
-m - encrypt files only when modified.
-h - shows help.
## ENV VARIABLES
- `SECRETS_GPG_COMMAND` changes the default `gpg` command to anything else
- `SECRETS_GPG_ARMOR` is a boolean to enable [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html) to store secrets in text format over binary
- `SECRETS_DIR` changes the default `.gitsecret/` folder to another name as documented at [git-secret(7)](http://git-secret.io/)
- `SECRETS_EXTENSION` changes the default `.secret` file extension
- `SECRETS_VERBOSE` changes the output verbosity as documented at [git-secret(7)](http://git-secret.io/)
- `SECRETS_PINENTRY` changes the [`gpg --pinentry` mode](https://github.com/gpg/pinentry) as documented at [git-secret(7)](http://git-secret.io/)
## MANUAL
Run `man git-secret-hide` to see this note.
@ -57,6 +62,6 @@ Run `man git-secret-hide` to see this note.
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
.
.P
If a \.gitsecret directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise, a \.gitsecret directory is created with appropriate sub\-directories, and patterns to ignore git\-secret\'s \fBrandom_seed_file\fR and not ignore \fB\.secret\fR files are added to \fB\.gitignore\fR\.
If a \fB\.gitsecret\fR directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise, a \.gitsecret directory is created with appropriate sub\-directories, and patterns to ignore \fBgit\-secret\fR\'s \fBrandom_seed_file\fR and not ignore \fB\.secret\fR files are added to \fB\.gitignore\fR\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the SECRETS_DIR environment variable, and changing the extension git\-secret uses for secret files with the SECRETS_EXTENSION environment variable\.
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the \fBSECRETS_DIR\fR environment variable, and changing the extension \fBgit\-secret\fR uses for secret files with the \fBSECRETS_EXTENSION\fR environment variable\.
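Review bot: the bolding in the new lines is inconsistent within a single sentence: `If a \fB\.gitsecret\fR directory already exists` is bolded, but later in the same line `a \.gitsecret directory is created` is not, and the new last line bolds `\fBSECRETS_DIR\fR` while leaving `\.gitsecret` plain. Also, `(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming ...` opens a parenthesis that is never closed in either the old or the new line; either close it or drop the parentheses.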
\fBgit\-secret\-list\fR\- prints all the added files\.
@ -18,7 +18,7 @@ git secret list
\fBgit\-secret\-list\fR prints all the currently added tracked files from the \fB\.gitsecret/paths/mapping\.cfg\fR\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the \fBSECRETS_DIR\fR environment variable\.
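Review bot: the new line keeps the unclosed parenthesis from the old one, `(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the \fBSECRETS_DIR\fR environment variable\.`, and leaves `\.gitsecret` plain next to a bolded `\fBSECRETS_DIR\fR`. The unchanged first line, `prints all the currently added tracked files`, is redundant; `prints all the files currently tracked in` says the same thing.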
\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also a \-c option to delete existing encrypted versions of the files provided\.
.
.P
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the \fBSECRETS_DIR\fR environment variable\.
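Review bot: the unchanged first line leaves `\-c option` plain, while this same commit bolds `\fB\-v\fR`, `\fB\-F\fR` and `\fB\-m\fR` in the other command pages; `\fB\-c\fR` here would match. The new last line has the same unclosed `(See git\-secret(7) ...` parenthesis and plain `\.gitsecret` as the list and init pages.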
(See git\-secret(7) \fIhttp://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
.SH"ENV VARIABLES"
.
.IP"\(bu"4
\fBSECRETS_GPG_COMMAND\fR changes the default \fBgpg\fR command to anything else
.
.IP"\(bu"4
\fBSECRETS_GPG_ARMOR\fR is a boolean to enable \fB\-\-armor\fR mode \fIhttps://www\.gnupg\.org/gph/en/manual/r1290\.html\fR to store secrets in text format over binary
.
.IP"\(bu"4
\fBSECRETS_DIR\fR changes the default \fB\.gitsecret/\fR folder to another name as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.IP"\(bu"4
\fBSECRETS_EXTENSION\fR changes the default \fB\.secret\fR file extension
.
.IP"\(bu"4
\fBSECRETS_VERBOSE\fR changes the output verbosity as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.IP"\(bu"4
\fBSECRETS_PINENTRY\fR changes the \fBgpg \-\-pinentry\fR mode \fIhttps://github\.com/gpg/pinentry\fR as documented at git\-secret(7) \fIhttp://git\-secret\.io/\fR
.
.IP""0
.
.SH"MANUAL"
Run \fBman git\-secret\-reveal\fR to see this note\.
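Review bot: in the new `\fBSECRETS_PINENTRY\fR` item, the phrase `\fBgpg \-\-pinentry\fR mode` is linked to `https://github\.com/gpg/pinentry`, which by its path is the repository of the pinentry helper program, not documentation of a gpg mode; since the same sentence already defers to git\-secret(7), either point the link at gpg's own option documentation or drop the URL here and keep only the git\-secret(7) reference. This ENV VARIABLES block is otherwise identical to the one added to git-secret-hide.1 in this commit, so whichever fix is chosen should be applied to both.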
@ -9,9 +9,9 @@ git-secret-reveal - decrypts all added files.
## DESCRIPTION
`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
or the passed `pathspec`s.
You will need to have imported the paired secret-key with one of the
You will need to have imported the paired secret-key with one of the
public-keys which were used in the encryption.
Under the hood, this uses the `gpg --decrypt` command.
Under the hood, this uses the `gpg --decrypt` command.
## OPTIONS
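Review bot: the two changed pairs in this hunk, `You will need to have imported the paired secret-key with one of the` and `Under the hood, this uses the `gpg --decrypt` command.`, are textually identical before and after in the rendered diff; if these are trailing-whitespace cleanups that is fine, but it is worth confirming no intended wording change was lost, and a whitespace-only change is easier to review when it is called out in the commit message.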
@ -24,8 +24,15 @@ Under the hood, this uses the `gpg --decrypt` command.
-P - preserve permissions of encrypted file in unencrypted file.
-h - shows help.
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
folder using the SECRETS_DIR environment variable.
## ENV VARIABLES
- `SECRETS_GPG_COMMAND` changes the default `gpg` command to anything else
- `SECRETS_GPG_ARMOR` is a boolean to enable [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html) to store secrets in text format over binary
- `SECRETS_DIR` changes the default `.gitsecret/` folder to another name as documented at [git-secret(7)](http://git-secret.io/)
- `SECRETS_EXTENSION` changes the default `.secret` file extension
- `SECRETS_VERBOSE` changes the output verbosity as documented at [git-secret(7)](http://git-secret.io/)
- `SECRETS_PINENTRY` changes the [`gpg --pinentry` mode](https://github.com/gpg/pinentry) as documented at [git-secret(7)](http://git-secret.io/)
## MANUAL
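Review bot: the unchanged sentence `(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret folder using the SECRETS_DIR environment variable.` now sits directly above a new ENV VARIABLES list whose `SECRETS_DIR` entry says the same thing; the git-secret-hide pages in this commit drop that sentence when adding the list, and reveal should do the same (it also never closes its opening parenthesis).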
@ -35,6 +42,6 @@ Run `man git-secret-reveal` to see this note.
\fBgit\-secret tell\fR receives one or more email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR\fBhomedir\fR by these emails, then imports the corresponding public key into \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key, but they cannot decrypt the old files, which were already encrypted without their key\. The files should be re\-encrypted with the new keyring by someone who has the unencrypted files\.
.
.P
Because \fBgit\-secret tell\fR works with only email addresses, it will exit with an error if you have multiple keys in your keychain with specified email addresses, or if one of the specified emails is already associated with a key in the git\-secret keychain\.
Because \fBgit\-secret tell\fR works with only email addresses, it will exit with an error if you have multiple keys in your keychain with specified email addresses, or if one of the specified emails is already associated with a key in the \fBgit\-secret\fR keychain\.
.
.P
Versions of \fBgit\-secret tell\fR after 0\.3\.2 will warn about keys that are expired, revoked, or otherwise invalid, and also if multiple keys are found for a single email address\.
Versions of \fBgit\-secret tell\fR after \fB0\.3\.2\fR will warn about keys that are expired, revoked, or otherwise invalid, and also if multiple keys are found for a single email address\.
.
.P
\fBDo not manually import secret keys into \fBgit\-secret\fR\fR\. It won\'t work with imported secret keys anyway\.
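Review bot: bolding the version number in the new line `Versions of \fBgit\-secret tell\fR after \fB0\.3\.2\fR will warn ...` is inconsistent with git-secret-add.1 in this same commit, where `as of 0\.2\.6` stays plain; pick one convention. The unchanged last line, `\fBDo not manually import secret keys into \fBgit\-secret\fR\fR\.`, nests `\fB` inside `\fB`; troff font escapes do not stack, so the first `\fR` ends bold for the rest of the sentence and the second is a no-op, leaving the final period in roman. `\fBDo not manually import secret keys into git\-secret\.\fR` (or `\fP` to restore the previous font) gives the intended single bold run. Also, `with specified email addresses` in the second paragraph reads better as `with the specified email addresses`.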
\fBgit\-secret\fR\- bash tool to store private data inside a git repo\.
@ -174,33 +174,36 @@ The settings available to be changed are:
\fB$SECRETS_GPG_COMMAND\fR\- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested to be working with: \fBgpg\fR, \fBgpg2\fR\.
.
.IP"\(bu"4
\fB$SECRETS_GPG_ARMOR\fR\- sets the \fBgpg\fR\fB\-\-armor\fR mode \fIhttps://www\.gnupg\.org/gph/en/manual/r1290\.html\fR\. Can be set to \fB1\fR to store secrets file as text\. By default is \fB0\fR and store files as binaries\.
.
.IP"\(bu"4
\fB$SECRETS_EXTENSION\fR\- sets the secret files extension, defaults to \fB\.secret\fR\. It can be changed to any valid file extension\.
.
.IP"\(bu"4
\fB$SECRETS_DIR\fR\- sets the directory where git\-secret stores its files, defaults to \.gitsecret\. It can be changed to any valid directory name\.
\fB$SECRETS_DIR\fR\- sets the directory where \fBgit\-secret\fR stores its files, defaults to \fB\.gitsecret\fR\. It can be changed to any valid directory name\.
.
.IP"\(bu"4
\fB$SECRETS_PINENTRY\fR\- allows user to specify a setting for \fBgpg\fR\'s \-\-pinentry option\. See \fBgpg\fR docs for details about gpg\'s \-\-pinentry option\.
\fB$SECRETS_PINENTRY\fR\- allows user to specify a setting for \fBgpg\fR\'s \fB\-\-pinentry\fR option\. See \fBgpg\fR docs \fIhttps://github\.com/gpg/pinentry\fRfor details about gpg\'s \fB\-\-pinentry\fR option\.
.
.IP""0
.
.SH"The <code>\.gitsecret</code> folder (can be overridden with SECRETS_DIR)"
.SH"The <code>\.gitsecret</code> folder (can be overridden with <code>SECRETS_DIR</code>)"
This folder contains information about the files encrypted by git\-secret, and about which public/private key sets can access the encrypted data\.
.
.P
You can change the name of this directory using the SECRETS_DIR environment variable\.
.
.P
Use the various \'git\-secret\' commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\.
Use the various \fBgit\-secret\fR commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\.
.
.P
Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced using SECRETS_GPG_COMMAND environment variable\.
Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced using \fBSECRETS_GPG_COMMAND\fR environment variable\.
.
.P
Specifically, there is an issue between gpg version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\.
Specifically, there is an issue between \fBgpg\fR version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\.
.
.P
The git\-secret internal data is separated into two directories:
The \fBgit\-secret\fR internal data is separated into two directories:
.
.SS"<code>\.gitsecret/paths</code>"
This directory currently contains only the file \fBmapping\.cfg\fR, which lists all the files your storing encrypted\. In other words, the path mappings: what files are tracked to be hidden and revealed\.
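Review bot: the new `\fB$SECRETS_PINENTRY\fR` line is missing a space after the font reset, `\fIhttps://github\.com/gpg/pinentry\fRfor details`, which renders as "pinentryfor details"; and the link labelled `gpg docs` points at the pinentry repository rather than gpg's documentation, so either relabel or retarget it. Bolding is also uneven across the new lines: `This can be forced using \fBSECRETS_GPG_COMMAND\fR environment variable\.` leaves `gpg` and `git\-secret` plain in the same sentence, while the very next new line bolds `\fBgpg\fR`, and `the SECRETS_DIR environment variable` in the unchanged paragraph stays plain beneath a heading that now wraps `SECRETS_DIR` in `<code>`. The unchanged last line of the hunk, `all the files your storing encrypted`, should read `you're storing`.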
@ -119,41 +119,40 @@ See below, or the man page of `git-secret` for an explanation of the environment
The settings available to be changed are:
* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical
to using `-v` on each command that supports it.
* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical to using `-v` on each command that supports it.
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
* `$SECRETS_GPG_ARMOR` - sets the `gpg` [`--armor` mode](https://www.gnupg.org/gph/en/manual/r1290.html). Can be set to `1` to store secrets file as text. By default is `0` and store files as binaries.
* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret.
It can be changed to any valid directory name.
* `$SECRETS_DIR` - sets the directory where `git-secret` stores its files, defaults to `.gitsecret`. It can be changed to any valid directory name.
* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option.
See `gpg` docs for details about gpg's --pinentry option.
* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s `--pinentry` option. See [`gpg` docs](https://github.com/gpg/pinentry) for details about gpg's `--pinentry` option.
## The `.gitsecret` folder (can be overridden with SECRETS_DIR)
## The `.gitsecret` folder (can be overridden with `SECRETS_DIR`)
This folder contains information about the files encrypted by git-secret,
and about which public/private key sets can access the encrypted data.
You can change the name of this directory using the SECRETS_DIR environment variable.
Use the various 'git-secret' commands to manipulate the files in `.gitsecret`,
Use the various `git-secret` commands to manipulate the files in `.gitsecret`,
you should not change the data in these files directly.
Exactly which files exist in the `.gitsecret` folder and what their contents are
vary slightly across different versions of gpg. Thus it is best to use
git-secret with the same version of gpg being used by all users.
This can be forced using SECRETS_GPG_COMMAND environment variable.
This can be forced using `SECRETS_GPG_COMMAND` environment variable.
Specifically, there is an issue between gpg version 2.1.20 and later versions
Specifically, there is an issue between `gpg` version 2.1.20 and later versions
which can cause problems reading and writing keyring files between systems
(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
The git-secret internal data is separated into two directories:
The `git-secret` internal data is separated into two directories:
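Review bot: the new `$SECRETS_PINENTRY` line labels `https://github.com/gpg/pinentry` as "`gpg` docs", the same mismatch as in the generated git-secret.7 in this commit; fix it in this ronn source so the regenerated man page picks it up. The hunk also mixes wrapping styles: the rewritten `$SECRETS_VERBOSE`, `$SECRETS_DIR` and `$SECRETS_PINENTRY` items are collapsed onto single long lines while `$SECRETS_GPG_COMMAND` and the prose below keep hard wraps; pick one style for the list. Finally, `the SECRETS_DIR environment variable.` in the unchanged line under the heading stays plain although the heading now backticks `SECRETS_DIR`, and `git-secret with the same version of gpg` is plain in the sentence whose next line now backticks `SECRETS_GPG_COMMAND`.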