mirror of https://github.com/sobolevn/git-secret
synced 2024-10-31 21:20:29 +00:00

Commit 295a4eeb4f (parent d49ad2a013): Removes old posts, fixes installation docs
@ -1,46 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-add'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-add
|
||||
categories: command
|
||||
---
|
||||
git-secret-add - starts to track added files.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret add [-v] [-i] <pathspec>...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-add` adds a filepath(s) into `.gitsecret/paths/mapping.cfg`
|
||||
and ensures the filepath is mentioned .gitignore.
|
||||
|
||||
When adding files to encrypt, `git-secret-add` (as of 0.2.6) will ensure that they are ignored by `git` by mentioning
|
||||
them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
|
||||
|
||||
If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
|
||||
|
||||
Use the `git secret add` command to add filenames to this file.
|
||||
It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-v - verbose, shows extra information.
|
||||
-i - does nothing, adding paths to .gitignore is now the default behavior.
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-add` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)
|
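Review bot: deleting these generated command posts also deletes their permalinks (`permalink: git-secret-add` on L25, and the same pattern in every post below), while the SEE ALSO sections on this page (L129-132 and the equivalents in each post) still link to `http://git-secret.io/git-secret-add` and friends. Whatever now renders the command docs needs to serve those same URLs, or redirects need adding, otherwise every cross-reference in any surviving copy becomes a 404. The one sentence from this file worth checking survives elsewhere is L65-68: the `.gitignore` entry is the only thing keeping the plaintext out of the repository, so the replacement docs for `add` must keep that warning.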
@ -1,39 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-cat'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-cat
|
||||
categories: command
|
||||
---
|
||||
git-secret-cat - decrypts files passed on command line to stdout
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret cat [-d dir] [-p password] filename [filenames]
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
|
||||
As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to
|
||||
decrypt this repo.
|
||||
|
||||
Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
|
||||
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-cat` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-cat)
|
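Review bot: the last SEE ALSO entry on L237 is labelled `git-secret-reveal(1)` but links to `http://git-secret.io/git-secret-cat`, and L192-195 read `See (See ...`. If these posts are regenerated from the man-page sources rather than simply dropped, both mistakes are presumably in the source as well; fix them there so they do not come back with the next generation.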
@ -1,42 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-changes'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-changes
|
||||
categories: command
|
||||
---
|
||||
git-secret-changes - view diff of the hidden files.
|
||||
===================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret changes [-h] [-d dir] [-p password] [pathspec]...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-changes` - shows changes between the current version of hidden files and the ones already committed.
|
||||
You can provide any number of hidden files to this command as arguments, and it will show changes for these files only.
|
||||
Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
|
||||
If no arguments are provided, information about all hidden files will be shown.
|
||||
|
||||
Note also that this command can be affected by the `SECRETS_PINENTRY` environment variable. See
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information using `SECRETS_PINENTRY`.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-d - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location.
|
||||
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-changes` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,37 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-clean'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-clean
|
||||
categories: command
|
||||
---
|
||||
git-secret-clean - removes all the hidden files.
|
||||
================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret clean [-v]
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-clean` deletes all the encrypted files.
|
||||
Verbose output is enabled with the -v option, in which case the program prints which files are deleted.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-v - verbose mode, shows which files are deleted.
|
||||
-h - shows this help.
|
||||
|
||||
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
|
||||
as documented at [git-secret(7)](http://git-secret.io/)
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-clean` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
|
@ -1,69 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-hide'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-hide
|
||||
categories: command
|
||||
---
|
||||
git-secret-hide - encrypts all added files with the inner keyring.
|
||||
==================================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret hide [-c] [-F] [-P] [-v] [-d] [-m]
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-hide` creates an encrypted version (typically called `filename.txt.secret`)
|
||||
of each file added by `git-secret-add` command.
|
||||
Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
|
||||
`git-secret` uses the keyring in `.gitsecret/keys` and user's secret keys to decrypt the files.
|
||||
|
||||
It is recommended to encrypt (or re-encrypt) all the files in a git-secret repo each
|
||||
time `git secret hide` is run.
|
||||
|
||||
Otherwise the keychain (the one stored in `.gitsecret/keys/*.gpg`),
|
||||
may have changed since the last time the files were encrypted, and it's possible
|
||||
to create a state where the users in the output of `git secret whoknows`
|
||||
may not be able to decrypt the some files in the repo, or may be able decrypt files
|
||||
they're not supposed to be able to.
|
||||
|
||||
In other words, unless you re-encrypt all the files in a repo each time you 'hide' any,
|
||||
it's possible to make it so some files can no longer be decrypted by users who should be
|
||||
(and would appear) able to decrypt them, and vice-versa.
|
||||
|
||||
If you know what you are doing and wish to encrypt or re-encrypt only a subset of the files
|
||||
even after reading the above paragraphs, you can use the -F or -m option to only encrypted
|
||||
a subset of files. The -F option forces `git secret hide` to skip any hidden files
|
||||
where the unencrypted versions aren't present. The -m option skips any hidden files that have
|
||||
not be modified since the last time they were encrypted.
|
||||
|
||||
Also, it is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
You can also enable verbosity using the SECRETS_VERBOSE environment variable,
|
||||
as documented at [git-secret(7)](http://git-secret.io/)
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-v - verbose, shows extra information.
|
||||
-c - deletes encrypted files before creating new ones.
|
||||
-F - forces hide to continue if a file to encrypt is missing.
|
||||
-P - preserve permissions of unencrypted file in encrypted file.
|
||||
-d - deletes unencrypted files after encryption.
|
||||
-m - encrypt files only when modified.
|
||||
-h - shows help.
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-hide` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,42 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-init'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-init
|
||||
categories: command
|
||||
---
|
||||
git-secret-init - initializes git-secret repository.
|
||||
====================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret init
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
|
||||
Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
|
||||
|
||||
If a .gitsecret directory already exists, `git-secret-init` exits without making any changes.
|
||||
Otherwise, a .gitsecret directory is created with appropriate sub-directories,
|
||||
and patterns to ignore git-secret's `random_seed_file`
|
||||
and not ignore `.secret` files are added to `.gitignore`.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder with the SECRETS_DIR environment variable, and changing the extension git-secret uses for secret files
|
||||
with the SECRETS_EXTENSION environment variable.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-init` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-usage(1)](http://git-secret.io/git-secret-usage), [git-secret-tell(1)](http://git-secret.io/git-secret-tell)
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-killperson'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-killperson
|
||||
categories: command
|
||||
---
|
||||
git-secret-killperson - deletes key identified by an email from the inner keyring.
|
||||
==================================================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret killperson <emails>...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
This command removes the keys associated with the selected email addresses from the keyring.
|
||||
If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
|
||||
it will be impossible for given users to decrypt the hidden files.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-killperson` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove),
|
||||
[git-secret-clean(1)](http://git-secret.io/git-secret-clean)
|
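Review bot: L806 tells the reader to run `git-secret-hide -r`, but `-r` is not among the `hide` options documented on this page (L595-613: -v, -c, -F, -P, -d, -m, -h); the working sequence is `git secret reveal` followed by `git secret hide`. The claim on L809 also needs a caveat: removing a key only stops that user decrypting files hidden after the re-encrypt, every `.secret` file already in git history stays decryptable with their key, so the secret values themselves should be rotated after a `killperson`. Since this post is being deleted, apply both corrections to whatever source now carries the `killperson` docs.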
@ -1,37 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-list'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-list
|
||||
categories: command
|
||||
---
|
||||
git-secret-list - prints all the added files.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret list
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-list` prints all the currently added tracked files from the `.gitsecret/paths/mapping.cfg`.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-list` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide),
|
||||
[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,39 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-remove'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-remove
|
||||
categories: command
|
||||
---
|
||||
git-secret-remove - removes files from index.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret remove [-c] <pathspec>...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`,
|
||||
so they won't be encrypted or decrypted in the future.
|
||||
There's also a -c option to delete existing encrypted versions of the files provided.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-c - deletes existing real encrypted files.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-remove` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean),
|
||||
[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
|
@ -1,47 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-reveal'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-reveal
|
||||
categories: command
|
||||
---
|
||||
git-secret-reveal - decrypts all added files.
|
||||
=============================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret reveal [-f] [-F] [-P] [-v] [-d dir] [-p password] [pathspec]...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`,
|
||||
or the passed `pathspec`s.
|
||||
You will need to have imported the paired secret-key with one of the
|
||||
public-keys which were used in the encryption.
|
||||
Under the hood, this uses the `gpg --decrypt` command.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-f - forces gpg to overwrite existing files without prompt.
|
||||
-F - forces reveal to continue even if a file fails to decrypt.
|
||||
-d - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
|
||||
-v - verbose, shows extra information.
|
||||
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
|
||||
-P - preserve permissions of encrypted file in unencrypted file.
|
||||
-h - shows help.
|
||||
|
||||
(See [git-secret(7)](http://git-secret.io/git-secret) for information about renaming the .gitsecret
|
||||
folder using the SECRETS_DIR environment variable.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-reveal` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat),
|
||||
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide)
|
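Review bot: `-p` (L1137) passes the passphrase to `gpg --passphrase` on the command line, which makes it readable by any local user through the process list and usually lands in shell history; the same applies to `-p` in `cat` (L210) and `changes` (L318). A one-line warning steering interactive users to `SECRETS_PINENTRY` and gpg-agent, and CI users to a passphrase-less key, is worth carrying into whatever replaces these posts.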
@ -1,48 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-tell'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-tell
|
||||
categories: command
|
||||
---
|
||||
git-secret-tell - adds a person, who can access private data.
|
||||
===============================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret tell [-m] [-d dir] [emails]...
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret tell` receives one or more email addresses as an input, searches for the `gpg`-key in the `gpg`
|
||||
`homedir` by these emails, then imports the corresponding public key into `git-secret`'s inner keychain.
|
||||
From this moment this person can encrypt new files with the keyring which contains their key,
|
||||
but they cannot decrypt the old files, which were already encrypted without their key.
|
||||
The files should be re-encrypted with the new keyring by someone who has the unencrypted files.
|
||||
|
||||
Because `git-secret tell` works with only email addresses, it will exit with an error if you have
|
||||
multiple keys in your keychain with specified email addresses, or if one of the specified emails
|
||||
is already associated with a key in the git-secret keychain.
|
||||
|
||||
Versions of `git-secret tell` after 0.3.2 will warn about keys that are expired, revoked, or otherwise invalid,
|
||||
and also if multiple keys are found for a single email address.
|
||||
|
||||
**Do not manually import secret keys into `git-secret`**. It won't work with imported secret keys anyway.
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-m - takes your current `git config user.email` as an identifier for the key.
|
||||
-d - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
|
||||
-h - shows help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-tell` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
|
@ -1,34 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-usage'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-usage
|
||||
categories: command
|
||||
---
|
||||
git-secret-usage - prints all the available commands.
|
||||
=====================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret usage
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-usage` is used to print all the available commands.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-usage` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret-whoknows'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret-whoknows
|
||||
categories: command
|
||||
---
|
||||
git-secret-whoknows - prints email-labels for each key in the keyring.
|
||||
======================================================================
|
||||
|
||||
## SYNOPSIS
|
||||
|
||||
git secret whoknows
|
||||
|
||||
|
||||
## DESCRIPTION
|
||||
`git-secret-whoknows` prints list of email addresses whose keys are allowed to access the secrets in this repo.
|
||||
|
||||
|
||||
## OPTIONS
|
||||
|
||||
-l - 'long' output, shows key expiration dates.
|
||||
-h - shows this help.
|
||||
|
||||
|
||||
## MANUAL
|
||||
|
||||
Run `man git-secret-whoknows` to see this note.
|
||||
|
||||
|
||||
## SEE ALSO
|
||||
|
||||
[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
|
||||
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
|
||||
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)
|
@ -1,180 +0,0 @@
|
||||
---
|
||||
layout: post
|
||||
title: 'git-secret'
|
||||
date: 2021-05-05 15:37:26 +0300
|
||||
permalink: git-secret
|
||||
categories: usage
|
||||
---
|
||||
git-secret - bash tool to store private data inside a git repo.
|
||||
=============================================
|
||||
|
||||
## Usage: Setting up git-secret in a repository
|
||||
|
||||
These steps cover the basic process of using `git-secret`:
|
||||
|
||||
0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
|
||||
|
||||
1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
|
||||
to make `git-secret` hide and reveal files in this repository.
|
||||
|
||||
2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
|
||||
**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
|
||||
In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
|
||||
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
|
||||
|
||||
3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
|
||||
|
||||
4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
|
||||
This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
|
||||
`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
|
||||
|
||||
5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
|
||||
The data will be encrypted with the public-keys described by the `git secret tell` command.
|
||||
After using `git secret hide` to encrypt your data, it is safe to commit your changes.
|
||||
**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
|
||||
|
||||
6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
|
||||
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
|
||||
And you're done!
|
||||
|
||||
### Usage: Adding someone to a repository using git-secret
|
||||
|
||||
1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.**
|
||||
|
||||
2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt`
|
||||
|
||||
3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
|
||||
(this will be the email address associated with the public key)
|
||||
|
||||
4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
|
||||
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
|
||||
(The -d options deletes the unencrypted file after re-encrypting it).
|
||||
Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.
|
||||
|
||||
Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
|
||||
It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
|
||||
want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
|
||||
|
||||
### Using gpg
|
||||
|
||||
You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started:
|
||||
|
||||
To generate a RSA key-pair, run:
|
||||
|
||||
```shell
|
||||
gpg --gen-key
|
||||
```
|
||||
|
||||
To export your public key, run:
|
||||
|
||||
```shell
|
||||
gpg --export your.email@address.com --armor > public-key.gpg
|
||||
```
|
||||
|
||||
To import the public key of someone else (to share the secret with them for instance), run:
|
||||
|
||||
```shell
|
||||
gpg --import public-key.gpg
|
||||
```
|
||||
|
||||
To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake!
|
||||
|
||||
### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)
|
||||
|
||||
When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
|
||||
with the changes in your code.
|
||||
|
||||
One way of doing it is the following:
|
||||
|
||||
1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip <myapp@codeship.com>`
|
||||
if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key.
|
||||
2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value
|
||||
3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value.
|
||||
4. Then write your Continuous Deployment build script. For instance:
|
||||
|
||||
```shell
|
||||
# Install git-secret (https://git-secret.io/installation), for instance, for debian:
|
||||
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
|
||||
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
|
||||
sudo apt-get update && sudo apt-get install git-secret
|
||||
# Create private key file
|
||||
echo $GPG_PRIVATE_KEY > ./private_key.gpg
|
||||
# Import private key
|
||||
gpg --import ./private_key.gpg
|
||||
# Reveal secrets
|
||||
git secret reveal
|
||||
# carry on with your build script, secret files are available ...
|
||||
```
|
||||
|
||||
Note: your CI/CD might not allow you to create a multiline value. In that case, you can export it on one line with
|
||||
|
||||
```shell
|
||||
gpg --export-secret-key myapp@codeship.com --armor | tr '\n' ','
|
||||
```
|
||||
|
||||
You can then create your private key file with:
|
||||
|
||||
```shell
|
||||
echo $GPG_PRIVATE_KEY | tr ',' '\n' > ./private_key.gpg
|
||||
```
|
||||
|
||||
## Environment Variables and Configuration
|
||||
|
||||
You can configure the version of `gpg` used, or the extension your encrypted files use, to suit your workflow better.
|
||||
To do so, just set the required variable to the value you need.
|
||||
This can be done in your shell environment file or with each `git-secret` command.
|
||||
See below, or the man page of `git-secret` for an explanation of the environment variables `git-secret` uses.
|
||||
|
||||
The settings available to be changed are:
|
||||
|
||||
* `$SECRETS_VERBOSE` - sets the verbose flag to on for all `git-secret` commands; is identical
|
||||
to using `-v` on each command that supports it.
|
||||
|
||||
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
|
||||
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
|
||||
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
|
||||
|
||||
* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
|
||||
|
||||
* `$SECRETS_DIR` - sets the directory where git-secret stores its files, defaults to .gitsecret.
|
||||
It can be changed to any valid directory name.
|
||||
|
||||
* `$SECRETS_PINENTRY` - allows user to specify a setting for `gpg`'s --pinentry option.
|
||||
See `gpg` docs for details about gpg's --pinentry option.
|
||||
|
||||
## The `.gitsecret` folder (can be overridden with SECRETS_DIR)
|
||||
|
||||
This folder contains information about the files encrypted by git-secret,
|
||||
and about which public/private key sets can access the encrypted data.
|
||||
|
||||
You can change the name of this directory using the SECRETS_DIR environment variable.
|
||||
|
||||
Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
|
||||
you should not change the data in these files directly.
|
||||
|
||||
Exactly which files exist in the `.gitsecret` folder and what their contents are
|
||||
vary slightly across different versions of gpg. Thus it is best to use
|
||||
git-secret with the same version of gpg being used by all users.
|
||||
This can be forced using SECRETS_GPG_COMMAND environment variable.
|
||||
|
||||
Specifically, there is an issue between gpg version 2.1.20 and later versions
|
||||
which can cause problems reading and writing keyring files between systems
|
||||
(this shows up in errors like 'gpg: skipped packet of type 12 in keybox').
|
||||
|
||||
The git-secret internal data is separated into two directories:
|
||||
|
||||
### `.gitsecret/paths`
|
||||
|
||||
This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
|
||||
In other words, the path mappings: what files are tracked to be hidden and revealed.
|
||||
|
||||
All the other internal data is stored in the directory:
|
||||
|
||||
### `.gitsecret/keys`
|
||||
|
||||
This directory contains data used by git-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties.
|
||||
|
||||
Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
|
||||
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
|
||||
|
||||
Again, you can change the name of this directory using the SECRETS_DIR environment variable.
|
Binary file not shown.
@ -86,10 +86,9 @@ if your app is called MyApp and your CI/CD provider is CodeShip. It is easier no
|
||||
4. Then write your Continuous Deployment build script. For instance:
|
||||
|
||||
```shell
|
||||
# Install git-secret (https://git-secret.io/installation), for instance, for debian:
|
||||
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
|
||||
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
|
||||
sudo apt-get update && sudo apt-get install git-secret
|
||||
# As the first step: install git-secret,
|
||||
# see: https://git-secret.io/installation
|
||||
|
||||
# Create private key file
|
||||
echo $GPG_PRIVATE_KEY > ./private_key.gpg
|
||||
# Import private key
|
||||
|
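Review bot: with the Bintray repo and `apt-key add` lines gone, the remaining `echo $GPG_PRIVATE_KEY > ./private_key.gpg` (L2021) still has two problems: the expansion is unquoted, so a multi-line armored key is word-split and re-joined with single spaces onto one line, and the private key is written into the build's working directory, where it can end up in a commit, a cache or a build artifact. Prefer importing straight from the variable, `printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import`, which keeps the newlines and never leaves the key on disk; if a file is unavoidable, quote the variable, create the file under `umask 077` and `rm` it immediately after the import.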