update man pages

pull/830/head
joshr 2 years ago
parent 120edded4f
commit 80ccb425c5

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-ADD" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-ADD" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-add\fR \- starts to track added files\.
@ -15,16 +15,13 @@ git secret add [\-v] [\-i] <pathspec>\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-add\fR adds a filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR and ensures the filepath is mentioned \fB\.gitignore\fR\.
\fBgit secret add\fR \- tells \fBgit secret\fR which files hold secrets, and adds filepath(s) into \fB\.gitsecret/paths/mapping\.cfg\fR\. (It is not recommended to alter \fB\.gitsecret/paths/mapping\.cfg\fR manually\.)
.
.P
When adding files to encrypt, \fBgit\-secret\-add\fR (as of 0\.2\.6) will ensure that they are ignored by \fBgit\fR by mentioning them in \fB\.gitignore\fR, since they must be secure and not be committed into the remote repository unencrypted\.
As of 0\.2\.6, this command also ensures the filepath is mentioned \fB\.gitignore\fR as the contents are now considered secret and should not be committed into the repository unencrypted\.
.
.P
If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\.
.
.P
Use the \fBgit secret add\fR command to add filenames to this file\. It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\.
The \fBadd\fR action will fail unless there are already users in \fBgit\-secret\fR\'s keyring\.
.
.P
(See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the SECRETS_DIR environment variable\.
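Review bot: the added line "this command also ensures the filepath is mentioned .gitignore" is missing "in" before .gitignore, an omission copied from the line it replaces. The warning against editing .gitsecret/paths/mapping.cfg by hand is now a parenthesis inside the first sentence and would read better as its own sentence. The closing context line "(See git-secret(7) ..." opens a parenthesis that is never closed; the init page in this commit fixes that by dropping it, and the same fix applies here and on the list and remove pages.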
@ -40,7 +37,7 @@ Use the \fBgit secret add\fR command to add filenames to this file\. It is not r
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-add\fR to see this note\.
Run \fBman git\-secret\-add\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttps://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR

@ -1,10 +1,10 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-CAT" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-CAT" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout
\fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout\.
.
.SH "SYNOPSIS"
.
@ -15,23 +15,26 @@ git secret cat [\-d dir] [\-p password] filename [filenames]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line\. As with \fBgit\-secret\-reveal\fR, you\'ll need to have a public/private keypair that is allowed to decrypt this repo\.
\fBgit\-secret\-cat\fR \- Outputs the decrypted contents of the named files to stdout\.
.
.P
Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
As with \fBgit\-secret\-reveal\fR, you\'ll need to have the private key for one of the emails allowed to decrypt this repo in your personal keyring\.
.
.P
Note this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
.
.SH "OPTIONS"
.
.nf
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\.
\-d \- specifies `\-\-homedir` option for the `gpg`, use this option if you store your keys in a custom location\.
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
\-h \- shows help\.
.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-cat\fR to see this note\.
Run \fBman git\-secret\-cat\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttps://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR
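Review bot: the rewritten SECRETS_PINENTRY paragraph keeps the doubled "See (See git-secret(7)" with its unclosed parenthesis, and "for information using" is missing "about". In SEE ALSO, the git-secret-reveal(1) entry links to https://git-secret.io/git-secret-cat rather than to the reveal page. Since the OPTIONS block is being edited anyway, the -p line could also say that the password is given on the command line, where shell history and process listings can expose it.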

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-CHANGES" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-CHANGES" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-changes\fR \- view diff of the hidden files\.
@ -15,10 +15,16 @@ git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already committed\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\.
\fBgit\-secret\-changes\fR \- show changes between the current versions of secret files and encrypted versions\.
.
.P
Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
If no filenames are provided, changes to all hidden files will be shown\. Alternately, provide any number of hidden files to this command as arguments, and it will show changes for those files\.
.
.P
Note files must be specified by their unencrypted names, without the \fB\.secret\fR suffix, (or whatever is specified by the \fBSECRETS_EXTENSION\fR environment variable)\.
.
.P
Note also this command can be affected by the \fBSECRETS_PINENTRY\fR environment variable\. See (See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information using \fBSECRETS_PINENTRY\fR\.
.
.SH "OPTIONS"
.
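Review bot: the added paragraph "Note files must be specified by their unencrypted names, without the .secret suffix" reverses the removed text, which said files must be given by their encrypted names (typically filename.yml.secret). If the command's behaviour changed, name the version where it did, as the add page does with "As of 0.2.6"; if only the old documentation was wrong, say so in the commit message. The new lead sentence also drops "the ones already committed", which leaves it unclear which encrypted versions are being compared.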
@ -31,7 +37,7 @@ Note also that this command can be affected by the \fBSECRETS_PINENTRY\fR enviro
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-changes\fR to see this note\.
Run \fBman git\-secret\-changes\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-CLEAN" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-CLEAN" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-clean\fR \- removes all the hidden files\.
@ -15,7 +15,19 @@ git secret clean [\-v]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \fB\-v\fR option, in which case the program prints which files are deleted\.
\fBgit\-secret\-clean\fR deletes all files in the current \fBgit\-secret\fR repo that end with \fB\.secret\fR\.
.
.P
Note that it will delete any files ending in \fB\.secret\fR, even if they are not tracked by \fBgit\-secret\fR\.
.
.P
Also note that this command does not delete unencrypted versions of files\.
.
.P
Verbose mode, enabled with the \fB\-v\fR option, displays the filenames deleted\.
.
.P
You can change the extension \fBgit\-secret\fR uses for encrypted files with the \fBSECRETS_EXTENSION\fR environment variable\.
.
.SH "OPTIONS"
.
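Review bot: the new description hard-codes the suffix in "deletes all files ... that end with .secret" and "any files ending in .secret", while the last added paragraph says the extension is set by SECRETS_EXTENSION. Suggest "files ending with the git-secret extension (.secret by default)" in both places, so the warning that untracked files are deleted too stays accurate when the variable is set.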
@ -30,7 +42,7 @@ git secret clean [\-v]
You can also enable verbosity using the SECRETS_VERBOSE environment variable, as documented at git\-secret(7) \fIhttps://git\-secret\.io/\fR
.
.SH "MANUAL"
Run \fBman git\-secret\-clean\fR to see this note\.
Run \fBman git\-secret\-clean\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-whoknows(1) \fIhttps://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttps://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-removeperson(1) \fIhttps://git\-secret\.io/git\-secret\-removeperson\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-HIDE" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-HIDE" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\.
@ -15,13 +15,19 @@ git secret hide [\-c] [\-F] [\-P] [\-v] [\-d] [\-m]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-hide\fR creates an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\. Now anyone enabled via \fBgit secret tell\fR can can decrypt these files\. Under the hood, \fBgit\-secret\fR uses the keyring in \fB\.gitsecret/keys\fR and user\'s secret keys to decrypt the files\.
\fBgit\-secret\-hide\fR \- writes an encrypted version (typically called \fBfilename\.txt\.secret\fR) of each file added by \fBgit\-secret\-add\fR command\.
.
.P
It is recommended to encrypt (or re\-encrypt) all the files in a \fBgit\-secret\fR repo each time \fBgit secret hide\fR is run\.
Then anyone enabled via \fBgit secret tell\fR can decrypt these files\.
.
.P
Under the hood, \fBgit\-secret\fR uses the keyring of public keys in \fB\.gitsecret/keys\fR to \fIencrypt\fR files\. Later a permitted user can use their secret key (typically from their home directory) to \fIdecrypt\fR files\.
.
.P
Otherwise the keychain (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may have changed since the last time the files were encrypted, and it\'s possible to create a state where the users in the output of \fBgit secret whoknows\fR may not be able to decrypt the some files in the repo, or may be able decrypt files they\'re not supposed to be able to\.
It is recommended to encrypt (or re\-encrypt) all the files in a \fBgit\-secret\fR repo each time \fBgit secret hide\fR is run\.
.
.br
Otherwise the keyring (the one stored in \fB\.gitsecret/keys/*\.gpg\fR), may have changed since the last time the files were encrypted, and it\'s possible to create a state where the users in the output of \fBgit secret whoknows\fR may not be able to decrypt the some files in the repo, or may be able decrypt files they\'re not supposed to be able to\.
.
.P
In other words, unless you re\-encrypt all the files in a repo each time you \fBhide\fR any, it\'s possible to make it so some files can no longer be decrypted by users who should be (and would appear) able to decrypt them, and vice\-versa\.
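Review bot: the rewritten paragraph beginning "Otherwise the keyring" still carries two typos from the old text, "decrypt the some files" and "may be able decrypt files"; fix both while the line is being touched. It is introduced with .br where every other paragraph in this hunk uses .P; if the two sentences are meant to form one paragraph, merge them in the Ronn source. The sentence "It is recommended to encrypt (or re-encrypt) all the files ... each time git secret hide is run" reads as circular, since hide is the command that encrypts; "hide all files, not a subset, each time" would say what is meant.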
@ -66,7 +72,7 @@ If you know what you are doing and wish to encrypt or re\-encrypt only a subset
.IP "" 0
.
.SH "MANUAL"
Run \fBman git\-secret\-hide\fR to see this note\.
Run \fBman git\-secret\-hide\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttps://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR

@ -15,7 +15,10 @@ git secret init
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
\fBgit\-secret\-init\fR \- initializes a \fBgit\-secret\fR repo by setting up a \fB\.gitsecret\fR directory\.
.
.P
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo, to create the \fB\.gitsecret\fR directory and initialize the repo for git\-secret\. Until a repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
.
.P
If a \fB\.gitsecret\fR directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise,
@ -27,12 +30,12 @@ If a \fB\.gitsecret\fR directory already exists, \fBgit\-secret\-init\fR exits w
a \.gitsecret directory is created with the sub\-directories /keys and /paths,
.
.IP "\(bu" 4
The \fB\.gitsecret/keys\fR subdirectory permissions are set to 700 to make gnupg happy\.
The \fB\.gitsecret/keys\fR subdirectory permission is set to 700 to make gnupg happy\.
.
.IP "" 0
.
.P
(See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the \fBSECRETS_DIR\fR environment variable, and changing the extension \fBgit\-secret\fR uses for secret files with the \fBSECRETS_EXTENSION\fR environment variable\.
See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the \fBSECRETS_DIR\fR environment variable, and changing the extension \fBgit\-secret\fR uses for secret files with the \fBSECRETS_EXTENSION\fR environment variable\.
.
.SH "OPTIONS"
.
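Review bot: "set to 700 to make gnupg happy" gives the reader no reason to keep that mode. Suggest stating that 700 limits the keyring directory to its owner, which is what gpg expects of a key directory and why it warns about looser permissions.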
@ -43,7 +46,7 @@ The \fB\.gitsecret/keys\fR subdirectory permissions are set to 700 to make gnupg
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-init\fR to see this note\.
Run \fBman git\-secret\-init\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-usage(1) \fIhttps://git\-secret\.io/git\-secret\-usage\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-LIST" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-LIST" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-list\fR \- prints all the added files\.
@ -15,7 +15,10 @@ git secret list
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-list\fR prints all the currently added tracked files from the \fB\.gitsecret/paths/mapping\.cfg\fR\.
\fBgit\-secret\-list\fR \- print the files currently considered secret in this repo\.
.
.P
Shows tracked files from \fB\.gitsecret/paths/mapping\.cfg\fR\.
.
.P
(See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the \fBSECRETS_DIR\fR environment variable\.
@ -29,7 +32,7 @@ git secret list
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-list\fR to see this note\.
Run \fBman git\-secret\-list\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-whoknows(1) \fIhttps://git\-secret\.io/git\-secret\-whoknows\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-remove(1) \fIhttps://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-REMOVE" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-REMOVE" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-remove\fR \- removes files from index\.
@ -15,7 +15,16 @@ git secret remove [\-c] <pathspec>\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also a \-c option to delete existing encrypted versions of the files provided\.
\fBgit\-secret\-remove\fR \- stops files from being tracked by \fBgit\-secret\fR\.
.
.P
This deletes filenames from \fB\.gitsecret/paths/mapping\.cfg\fR, which stops these files from being tracked by \fBgit\-secret\fR, and from being encrypted to, or decrypted from, \fB\.secret\fR encrypted versions\.
.
.P
There\'s also a \-c option to delete existing encrypted versions of the files provided\.
.
.P
Note unlike \fBadd\fR, which automatically add pathnames to \fB\.gitignore\fR, \fBremove\fR does not delete pathnames from \fB\.gitignore\fR\.
.
.P
(See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder using the \fBSECRETS_DIR\fR environment variable\.
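Review bot: in the added paragraph "unlike add, which automatically add pathnames", the verb should be "adds". The new description says -c deletes the existing encrypted versions but not what happens without it; one sentence stating that the .secret files are then left in place would complete it.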
@ -30,7 +39,7 @@ git secret remove [\-c] <pathspec>\.\.\.
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-remove\fR to see this note\.
Run \fBman git\-secret\-remove\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-clean(1) \fIhttps://git\-secret\.io/git\-secret\-clean\fR, git\-secret\-removeperson(1) \fIhttps://git\-secret\.io/git\-secret\-removeperson\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-REMOVEPERSON" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-REMOVEPERSON" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-removeperson\fR \- deletes key identified by an email from the inner keyring\.
@ -15,7 +15,13 @@ git secret removeperson <emails>\.\.\.
.fi
.
.SH "DESCRIPTION"
This command removes the keys associated with the selected email addresses from the keyring\. If you remove a keypair\'s access with \fBgit\-secret\-removeperson\fR, and run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR, it will be impossible for given users to decrypt the hidden files\.
\fBgit\-secret\-removeperson\fR \- removes public keys for passed email addresses from repo\'s \fBgit\-secret\fR keyring\.
.
.P
This command is used to begin the process of disallowing a user from encrypting and decrypting secrets with \fBgit\-secret\fR\.
.
.P
If you remove a user\'s access with \fBgit\-secret\-removeperson\fR, and then run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR, that user will no longer be able user to decrypt the hidden files\.
.
.SH "OPTIONS"
.
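Review bot: the added sentence "that user will no longer be able user to decrypt the hidden files" overstates what removal achieves and has a stray "user". Versions of the files committed before the re-encryption stay in git history encrypted to the removed key, so the holder of that private key can still decrypt them; suggest saying the user cannot decrypt files encrypted from that point on, and that the secrets themselves should be changed. The sentence also refers to "git-secret-hide -r", but the hide synopsis shown in this commit lists only -c, -F, -P, -v, -d and -m, so check the flag name.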
@ -26,7 +32,7 @@ This command removes the keys associated with the selected email addresses from
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-removeperson\fR to see this note\.
Run \fBman git\-secret\-removeperson\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-remove(1) \fIhttps://git\-secret\.io/git\-secret\-remove\fR, git\-secret\-clean(1) \fIhttps://git\-secret\.io/git\-secret\-clean\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-REVEAL" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-REVEAL" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-reveal\fR \- decrypts all added files\.
@ -15,7 +15,13 @@ git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-reveal\fR \- decrypts all the files in \fB\.gitsecret/paths/mapping\.cfg\fR, or the passed \fBpathspec\fRs\. You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption\. Under the hood, this uses the \fBgpg \-\-decrypt\fR command\.
\fBgit\-secret\-reveal\fR \- decrypts passed files, or all files considered secret by \fBgit\-secret\fR
.
.P
Under the hood, \fBreveal\fR uses the \fBgpg \-\-decrypt\fR command and your private key (typically from your personal keyring in your home directory) to \fIdecrypt\fR files\.
.
.P
Therefore, for this operation to succeed, your personal keyring must contain a private key matching one of the public keys which were used to encrypt the secrets \-\- i\.e\., one of the public keys in \fBgit\-secret\fR repo\'s keyring when the file was encrypted\.
.
.SH "OPTIONS"
.
@ -54,7 +60,7 @@ git secret reveal [\-f] [\-F] [\-P] [\-v] [\-d dir] [\-p password] [pathspec]\.\
.IP "" 0
.
.SH "MANUAL"
Run \fBman git\-secret\-reveal\fR to see this note\.
Run \fBman git\-secret\-reveal\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttps://git\-secret\.io/git\-secret\-init\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR

@ -1,10 +1,10 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-TELL" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-TELL" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-tell\fR \- adds a person, who can access private data\.
\fBgit\-secret\-tell\fR \- adds person who can access private data\.
.
.SH "SYNOPSIS"
.
@ -15,29 +15,38 @@ git secret tell [\-m] [\-d dir] [emails]\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret tell\fR receives one or more email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR \fBhomedir\fR by these emails, then imports the corresponding public key into \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key, but they cannot decrypt the old files, which were already encrypted without their key\. The files should be re\-encrypted with the new keyring by someone who has the unencrypted files\.
\fBgit\-secret tell\fR \- adds user(s) to the list of those able to encypt/decrypt secrets\.
.
.P
Because \fBgit\-secret tell\fR works with only email addresses, it will exit with an error if you have multiple keys in your keychain with specified email addresses, or if one of the specified emails is already associated with a key in the \fBgit\-secret\fR keychain\.
This lets the specified user encrypt new files, but will not immediately be able to decrypt existing files, which were encrypted without their key\. Files should be re\-encrypted with the new keyring by someone who already has access in order for the new user to be able to decrypt the files\.
.
.P
Versions of \fBgit\-secret tell\fR after \fB0\.3\.2\fR will warn about keys that are expired, revoked, or otherwise invalid, and also if multiple keys are found for a single email address\.
\fBgit\-secret tell\fR works only with email addresses, and will exit with an error if you have multiple keys in your keyring with specified email addresses, or if one of the specified emails is already associated with a key in the \fBgit\-secret\fR repo\'s keyring\.
.
.P
Under the hood, \fBgit\-secret\-tell\fR searches in the current user\'s \fBgnupg\fR keyring for public key(s) of passed email(s), then imports the corresponding public key(s) into your \fBgit\-secret\fR repo\'s keyring\.
.
.P
Versions of \fBgit\-secret tell\fR after \fB0\.3\.2\fR will warn about keys that are expired, revoked, or otherwise invalid\. It will also warn if multiple keys are found for a single email address\.
.
.P
\fBDo not manually import secret keys into \fBgit\-secret\fR\fR\. It won\'t work with imported secret keys anyway\.
.
.P
For more details about how \fBgit\-secret\fR uses public and private keys, see the documentation for \fBgit\-secret\-hide\fR and \fBgit\-secret\-reveal\fR\.
.
.SH "OPTIONS"
.
.nf
\-m \- takes your current `git config user\.email` as an identifier for the key\.
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if your store your keys in a custom location\.
\-m \- uses your current `git config user\.email` setting as an identifier for the key\.
\-d \- specifies `\-\-homedir` option for `gpg`, basically use this option if your store your keys in a custom location\.
\-h \- shows help\.
.
.fi
.
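Review bot: the new first line has a typo, "encypt/decrypt", and the next added paragraph loses its subject in "This lets the specified user encrypt new files, but will not immediately be able to decrypt existing files"; suggest "but they will not immediately be able to". In the options block the re-added -d line keeps "basically" and "if your store your keys", while the cat page in this same commit reads "use this option if you store your keys"; use the same wording in both.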
.SH "MANUAL"
Run \fBman git\-secret\-tell\fR to see this note\.
Run \fBman git\-secret\-tell\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttps://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR, git\-secret\-removeperson(1) \fIhttps://git\-secret\.io/git\-secret\-removeperson\fR

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-USAGE" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-USAGE" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-usage\fR \- prints all the available commands\.
@ -15,7 +15,7 @@ git secret usage
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-usage\fR is used to print all the available commands\.
\fBgit\-secret\-usage\fR \- prints all the available \fBgit\-secret\fR commands\.
.
.SH "OPTIONS"
.
@ -26,7 +26,7 @@ git secret usage
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-usage\fR to see this note\.
Run \fBman git\-secret\-usage\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttps://git\-secret\.io/git\-secret\-init\fR, git\-secret\-add(1) \fIhttps://git\-secret\.io/git\-secret\-add\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR

@ -1,10 +1,10 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET\-WHOKNOWS" "1" "February 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.TH "GIT\-SECRET\-WHOKNOWS" "1" "April 2022" "sobolevn" "git-secret 0.5.0-alpha1"
.
.SH "NAME"
\fBgit\-secret\-whoknows\fR \- prints email\-labels for each key in the keyring\.
\fBgit\-secret\-whoknows\fR \- print email for each key in the keyring\.
.
.SH "SYNOPSIS"
.
@ -15,7 +15,7 @@ git secret whoknows
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-whoknows\fR prints list of email addresses whose keys are allowed to access the secrets in this repo\.
\fBgit\-secret\-whoknows\fR \- print email addresses allowed to access the secrets in this repo\.
.
.SH "OPTIONS"
.
@ -27,7 +27,7 @@ git secret whoknows
.fi
.
.SH "MANUAL"
Run \fBman git\-secret\-whoknows\fR to see this note\.
Run \fBman git\-secret\-whoknows\fR to see this document\.
.
.SH "SEE ALSO"
git\-secret\-list(1) \fIhttps://git\-secret\.io/git\-secret\-list\fR, git\-secret\-tell(1) \fIhttps://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-hide(1) \fIhttps://git\-secret\.io/git\-secret\-hide\fR, git\-secret\-reveal(1) \fIhttps://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttps://git\-secret\.io/git\-secret\-cat\fR

@ -7,28 +7,38 @@
\fBgit\-secret\fR \- bash tool to store private data inside a git repo\.
.
.SH "Usage: Setting up git\-secret in a repository"
These steps cover the basic process of using \fBgit\-secret\fR:
These steps cover the basic process of using \fBgit\-secret\fR to specify users and files that will interact with \fBgit\-secret\fR, and to encrypt and decrypt secrets\.
.
.IP "1." 4
Before starting, \fImake sure you have created a \fBgpg\fR RSA key\-pair\fR: a public and a secret key identified by your email address\.
Before starting, \fImake sure you have created a \fBgpg\fR RSA key\-pair\fR: which are a public key and a secret key pair, identified by your email address and stored with your gpg configuration\. Generally this gpg configuration and keys will be stored somewhere in your home directory\.
.
.IP "2." 4
Begin with an existing or new git repository\. You\'ll use the \fBgit\-secret\fR commands to add the keyrings and information to make \fBgit\-secret\fR hide and reveal files in this repository\.
Begin with an existing or new git repository\.
.
.IP "3." 4
Initialize the \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. The \fB\.gitsecret/\fR folder will be created\. \fBNote\fR all the contents of the \fB\.gitsecret/\fR folder should be checked in, \fB/except/\fR the \fBrandom_seed\fR file\. In other words, of all the files in \fB\.gitsecret/\fR, only the \fBrandom_seed\fR file should be mentioned in your \fB\.gitignore\fR file\. By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \fB\.gitignore\fR file\.
Initialize the \fBgit\-secret\fR repository by running \fBgit secret init\fR\. The \fB\.gitsecret/\fR folder will be created, with subdirectories \fBkeys/\fR and \fBpaths/\fR, \fB\.gitsecret/keys/random_seed\fR will be added to \fB\.gitignore\fR, and \fB\.gitignore\fR will be configured to \fInot\fR ignore \fB\.secret\fR files\.
.
.IP "4." 4
Add the first user to the \fBgit\-secret\fR repo keyring by running \fBgit secret tell your@gpg\.email\fR\.
.IP "" 0
.
.IP "5." 4
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. This can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored by mentions in \fB\.gitignore\fR, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files could be stored unencrypted\. In the default configuration, \fBgit\-secret add\fR will automatically add the unencrypted versions of the files to \fB\.gitignore\fR for you\.
.P
\fBNote\fR all the contents of the \fB\.gitsecret/\fR folder should be checked in, \fB/except/\fR the \fBrandom_seed\fR file\. In other words, of all the files in \fB\.gitsecret/\fR, only the \fBrandom_seed\fR file should be mentioned in your \fB\.gitignore\fR file\.
.
.IP "1." 4
Add the first user to the \fBgit\-secret\fR repo keyring by running \fBgit secret tell your@email\.id\fR\.
.
.IP "2." 4
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. This can be done by running \fBgit secret add <filenames\.\.\.>\fR command, which will also (as of 0\.2\.6) add entries to \fB\.gitignore\fR, stopping those files from being be added or committed to the repo unencrypted\.
.
.IP "3." 4
Then run \fBgit secret hide\fR to encrypt the files you added with \fBgit secret add\fR\. The files will be encrypted with the public keys in your git\-secret repo\'s keyring, each corresponding to a user\'s email that you used with \fBtell\fR\.
.
.IP "6." 4
When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\. The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\. \fBNOTE:\fR It\'s recommended to add the \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
.IP "" 0
.
.IP "7." 4
Later you can decrypt files with the \fBgit secret reveal\fR command, or just print their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done!
.P
After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\. \fBNOTE:\fR It\'s recommended to add the \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
.
.IP "1." 4
Later you can decrypt files with the \fBgit secret reveal\fR command, or print their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done!
.
.IP "" 0
.
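Review bot: the step numbering restarts after each inserted .P paragraph, so the procedure now reads 1, 2, 3, 1, 2, 3, 1 where the removed text ran 1 to 7. Move the two notes inside the list item they follow in the Ronn source so the numbering continues. The new add step also has a doubled verb in "stopping those files from being be added or committed".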
@ -44,7 +54,7 @@ Import this key into your \fBgpg\fR keyring (in \fB~/\.gnupg\fR or similar) by r
Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with their public key)
.
.IP "4." 4
Now remove the other user\'s public key from your personal keychain with \fBgpg \-\-delete\-keys persons@email\.id\fR
Now remove the other user\'s public key from your personal keyring with \fBgpg \-\-delete\-keys persons@email\.id\fR
.
.IP "5." 4
The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user will be able to decrypt the files in the repo using \fBgit\-secret reveal\fR\.
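Review bot: step 5, in the context just below the keychain/keyring change, chains the re-encryption as "git secret reveal; git secret hide -d", and with ";" the hide step runs even when reveal fails. Since -d deletes the unencrypted file after re-encrypting, it would be safer to document "git secret reveal && git secret hide -d" so that nothing is re-encrypted or deleted unless the decrypt succeeded. The same sentence also says "The -d options deletes" and ends with "git-secret reveal", while the rest of the page writes the command as "git secret reveal"; both are worth fixing in this pass.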
@ -52,7 +62,10 @@ The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the
.IP "" 0
.
.P
Note that it is possible to add yourself to the git\-secret repo without being able decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\. If you do not want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
Note that when you first add a user to a git\-secret repo, they will not be able to decrypt existing files until another user re\-encrypts the files with the new keyring\.
.
.P
If you do not want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
.
.SS "Using gpg"
You can follow a quick \fBgpg\fR tutorial at devdungeon \fIhttps://www\.devdungeon\.com/content/gpg\-tutorial\fR\. Here are the most useful commands to get started:
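Review bot: the rewritten note drops the earlier statement that "it is possible to add yourself to the git-secret repo", which leaves the new stand-alone paragraph "If you do not want unexpected keys added ..." without the reason such keys can appear. Suggest keeping one sentence saying that a user can add their own key and will be able to decrypt after the next re-encryption, and then naming what the pre-receive hook is expected to check, since "some server-side security policy" gives the reader nothing to implement.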
@ -178,7 +191,7 @@ The settings available to be changed are:
\fB$SECRETS_VERBOSE\fR \- sets the verbose flag to on for all \fBgit\-secret\fR commands; is identical to using \fB\-v\fR on each command that supports it\.
.
.IP "\(bu" 4
\fB$SECRETS_GPG_COMMAND\fR \- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested to be working with: \fBgpg\fR, \fBgpg2\fR\.
\fB$SECRETS_GPG_COMMAND\fR \- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested with \fBgpg\fR and \fBgpg2\fR\.
.
.IP "\(bu" 4
\fB$SECRETS_GPG_ARMOR\fR \- sets the \fBgpg\fR \fB\-\-armor\fR mode \fIhttps://www\.gnupg\.org/gph/en/manual/r1290\.html\fR\. Can be set to \fB1\fR to store secrets file as text\. By default is \fB0\fR and store files as binaries\.
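Review bot: the SECRETS_GPG_COMMAND entry still tells the reader to "rerun the tests" after changing the value without saying which tests or how to run them, which a man page reader cannot act on. Suggest either pointing to the project's test instructions or dropping that sentence. The list of values also offers "pgp" and "any other value" next to "Tested with gpg and gpg2", so it would help to say plainly that other values are untested, and listing "gpg" as an alternative to the default "gpg" is redundant.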
@ -204,10 +217,10 @@ You can change the name of this directory using the SECRETS_DIR environment vari
Use the various \fBgit\-secret\fR commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\.
.
.P
Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced using \fBSECRETS_GPG_COMMAND\fR environment variable\.
Exactly which files exist in the \fB\.gitsecret\fR folder and what their contents are vary slightly across different versions of gpg, and some versions of gpg might not work well with keyrings created with newer versions of gpg\. Thus it is best to use git\-secret with the same version of gpg being used by all users\. This can be forced by installing matching versions of gpg and using \fBSECRETS_GPG_COMMAND\fR environment variable\.
.
.P
Specifically, there is an issue between \fBgpg\fR version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\.
For example, there is an issue between \fBgpg\fR version 2\.1\.20 and later versions which can cause problems reading and writing keyring files between systems (this shows up in errors like \'gpg: skipped packet of type 12 in keybox\')\. This is not the only issue it is possible to encounter\.
.
.P
The \fBgit\-secret\fR internal data is separated into two directories:
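Review bot: in the new compatibility paragraph, "This can be forced by installing matching versions of gpg and using SECRETS_GPG_COMMAND environment variable" overstates what an environment variable does, because it only selects the gpg binary in the environment of the user who sets it and cannot enforce anything for other users. Suggest wording such as "each user can select a matching gpg binary with the SECRETS_GPG_COMMAND environment variable" (the article "the" is also missing). The closing sentence "This is not the only issue it is possible to encounter" would be clearer as "Other incompatibilities between gpg versions are possible."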
@ -222,6 +235,9 @@ All the other internal data is stored in the directory:
This directory contains data used by git\-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties\.
.
.P
In particular, this directory contains a keyring with all the public keys for the emails used with \fBtell\fR\. This is the keyring used to encrypt files with \fBgit\-secret\-hide\fR\. \fBgit\-secret\-reveal\fR and \fBgit\-secret\-cat\fR instead use the user\'s private keys (which probably reside somewhere like ~/\.gnupg/) and which are not in the \fB\.gitsecret/keys\fR directory\.
.
.P
Generally speaking, all the files in this directory \fIexcept\fR \fBrandom_seed\fR should be checked into your repo\. By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \fB\.gitignore\fR file\.
.
.P
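Review bot: the added paragraph says the private keys "probably reside somewhere like ~/.gnupg/" and "are not in the .gitsecret/keys directory", but the next paragraph tells the reader to check in everything in this directory except random_seed, so the text should state outright that private keys must never be placed in .gitsecret/keys. The sentence also reads awkwardly with "(which probably reside ...) and which are not"; suggest splitting it into two sentences and replacing "probably reside somewhere like" with "typically reside in".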
