Merge pull request #149 from joshrabinowitz/improve-docs

Improve docs
Josh Rabinowitz 7 years ago committed by GitHub
commit 91492539ac
GPG Key ID: 4AEE18F83AFDEB23

@ -3,6 +3,8 @@
## Version 0.2.4
- Added `git secret cat` feature (#141)
- Documentation and error message improvements (#144)
- Fixed CI builds (#152)
## Version 0.2.3

@ -7,7 +7,13 @@
## What is `git-secret`?
`git-secret` is a bash tool which stores private data inside a git repo. `git-secret` encrypts tracked files with public keys for all users whom you trust using `gpg`. Therefore, everyone has access to these tracked files using only their personal secret key. With `git-secret` changes to access rights is made easy and private-public key issues are avoided. Passwords do not needed changing with `git-secret` and when someone is out - just delete their public key, re-encrypt the files, and they wont be able to decrypt secrets anymore.
`git-secret` is a bash tool which stores private data inside a git repo.
`git-secret` encrypts tracked files with public keys for users whom you trust using `gpg`,
allowing permitted users to access encrypted data using their secret keys.
With `git-secret`, changes to access rights are made easy and private-public key issues are handled for you.
Passwords do not need to be changed with `git-secret` when someone's permission is revoked -
just remove their key from the keychain using `git secret killperson their@email.com`,
and re-encrypt the files, and they won't be able to decrypt secrets anymore.
## Preview
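Review bot: the rewritten sentence "Passwords do not need to be changed with `git-secret` when someone's permission is revoked" overstates what `git secret killperson` plus re-encryption achieves, and the README is where most people will read it. Removing a key and re-running `git secret hide` only stops that person from decrypting files encrypted from that point on; every `.secret` file already in the repository history stays decryptable with their secret key, and they may well have run `git secret reveal` before they were removed. Suggest replacing the claim with "Removing a user's key and re-encrypting prevents them from decrypting future versions of the files; secrets they already had access to should still be rotated." The revocation sentence should also say that `git secret hide` must be re-run and the resulting files committed, since the old ciphertext otherwise stays in place.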
@ -35,7 +41,8 @@ See the [installation section](http://git-secret.io/installation) for the detail
## Contributing
Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues) and send a PR. It is more than welcomed! See [CONTRIBUTING.md](CONTRIBUTING.md) on how to do that.
Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues)
and send a PR. It is more than welcomed! See [CONTRIBUTING.md](CONTRIBUTING.md) on how to do that.
### Security

@ -15,19 +15,22 @@ git secret add [\-i] <pathspec>\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-add\fR adds a filepath(es) into the \fB\.gitsecret/paths/mapping\.cfg\fR\. When adding files, ensure that they are ignored by \fBgit\fR, since they must be secure and not be commited into the remote repository unencrypted\.
\fBgit\-secret\-add\fR adds a filepath(es) into \fB\.gitsecret/paths/mapping\.cfg\fR\. When adding files to encrypt, ensure that they are ignored by \fBgit\fR by mentioning them in \.gitignore, since they must be secure and not be committed into the remote repository unencrypted\.
.
.P
If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised\.
.
.P
It is not recommened to add filenames directly into the \fB\.gitsecret/paths/mapping\.cfg\fR, use the command\.
Use the \fBgit secret add\fR command to add filenames to this file\.
.
.br
It is not recommended to add filenames directly into \fB\.gitsecret/paths/mapping\.cfg\fR\.
.
.SH "OPTIONS"
.
.nf
\-i \- auto adds given files to the `\.gitignore` if they are unignored at the moment\.
\-i \- adds given files to `\.gitignore` if they\'re not there already
\-h \- shows this help\.
.
.fi
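Review bot: the untouched context sentence "If there\'s no users in the \fBgit\-secret\fR\'s keyring, when adding a file, an exception will be raised" is still ungrammatical and sits between the two paragraphs this hunk rewrites; fix it in the same change, e.g. "If there are no users in the \fBgit\-secret\fR keyring, \fBgit secret add\fR aborts with an error." Two smaller points: "by mentioning them in \.gitignore" reads better as "by listing them in \fB\.gitignore\fR", and in the .nf OPTIONS block the backticks around `\.gitignore` are plain characters in roff and show up verbatim in the rendered man page; use \fB\.gitignore\fR as the rest of the page does.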

@ -7,16 +7,19 @@ git-secret-add - starts to track added files.
## DESCRIPTION
`git-secret-add` adds a filepath(es) into the `.gitsecret/paths/mapping.cfg`. When adding files, ensure that they are ignored by `git`, since they must be secure and not be commited into the remote repository unencrypted.
`git-secret-add` adds a filepath(es) into `.gitsecret/paths/mapping.cfg`.
When adding files to encrypt, ensure that they are ignored by `git` by mentioning
them in .gitignore, since they must be secure and not be committed into the remote repository unencrypted.
If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
It is not recommened to add filenames directly into the `.gitsecret/paths/mapping.cfg`, use the command.
Use the `git secret add` command to add filenames to this file.
It is not recommended to add filenames directly into `.gitsecret/paths/mapping.cfg`.
## OPTIONS
-i - auto adds given files to the `.gitignore` if they are unignored at the moment.
-i - adds given files to `.gitignore` if they're not there already
-h - shows this help.
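Review bot: the rewritten `-i` line, "adds given files to `.gitignore` if they're not there already", changes the meaning of the option. The original said the files are added "if they are unignored at the moment", i.e. the check is whether git currently ignores the path (which may be through a pattern such as `*.env`), not whether the literal filename appears in `.gitignore`. Suggest "-i - adds given files to `.gitignore` if git does not already ignore them", which also matches the DESCRIPTION's requirement that a file be ignored before it can be added. The same wording should go into the man page source so the two stay in step.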
@ -27,4 +30,5 @@ Run `man git-secret-add` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)

@ -15,7 +15,7 @@ git secret cat [\-d dir] [\-p password] filename [filenames]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line by running \fBgpg \-\-decrypt\fR\. As with \fBgit\-secret\-reveal\fR, it is important to have the paired secret\-key with one of the public\-keys which were used in the encryption\.
\fBgit\-secret\-cat\fR \- Outputs to stdout the contents of the files named on the command line\. As with \fBgit\-secret\-reveal\fR, you\'ll need to have a public/private keypair that is allowed to decrypt this repo\.
.
.SH "OPTIONS"
.
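Review bot: the rewritten DESCRIPTION drops the detail that decryption is done with \fBgpg \-\-decrypt\fR and replaces "the paired secret\-key with one of the public\-keys which were used in the encryption" with "a public/private keypair that is allowed to decrypt this repo", which is vaguer. The reveal page in this same change keeps "You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption"; use the same sentence here (and in the markdown source) so the two pages agree. Since the page's whole point is that plaintext goes to stdout, one added sentence that the output is unencrypted and should not be redirected into a file git tracks would save someone an accidental commit.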

@ -7,7 +7,9 @@ git-secret-cat - decrypts files passed on command line to stdout
## DESCRIPTION
`git-secret-cat` - Outputs to stdout the contents of the files named on the command line by running `gpg --decrypt`. As with `git-secret-reveal`, it is important to have the paired secret-key with one of the public-keys which were used in the encryption.
`git-secret-cat` - Outputs to stdout the contents of the files named on the command line.
As with `git-secret-reveal`, you'll need to have a public/private keypair that is allowed to
decrypt this repo.
## OPTIONS

@ -15,13 +15,13 @@ git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already commited\. You can provide any number of files to this command as arguments, so it will show changes for these files only\. If no arguments are provided \- information about all files will be shown\.
\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already commited\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\.
.
.SH "OPTIONS"
.
.nf
\-d \- specifies `\-\-homedir` option for the `gpg`, basically use this option if your store your keys in a custom location\.
\-d \- specifies `\-\-homedir` option for the `gpg`\. Use this option if your store your keys in a custom location\.
\-p \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
\-h \- shows help\.
.
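Review bot: "commited" on the rewritten DESCRIPTION line is still misspelled (should be "committed") in a change whose purpose is documentation cleanup. Separately, the \-p line in this hunk, "specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`", needs a caveat next to it: a passphrase passed on the command line is visible to every other user in the process list and is written to the shell history, so \-p should be limited to non\-interactive runs where that exposure is acceptable. The same caveat applies to the \-p option on the reveal and cat pages.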

@ -7,12 +7,15 @@ git-secret-changes - view diff of the hidden files.
## DESCRIPTION
`git-secret-changes` - shows changes between the current version of hidden files and the ones already commited. You can provide any number of files to this command as arguments, so it will show changes for these files only. If no arguments are provided - information about all files will be shown.
`git-secret-changes` - shows changes between the current version of hidden files and the ones already commited.
You can provide any number of hidden files to this command as arguments, and it will show changes for these files only.
Note that files must be specified by their encrypted names, typically `filename.yml.secret`.
If no arguments are provided, information about all hidden files will be shown.
## OPTIONS
-d - specifies `--homedir` option for the `gpg`, basically use this option if your store your keys in a custom location.
-d - specifies `--homedir` option for the `gpg`. Use this option if your store your keys in a custom location.
-p - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
-h - shows help.
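Review bot: "typically `filename.yml.secret`" on the rewritten line introduces an arbitrary `.yml` example, and the hide page in this same change uses `filename.txt.secret` for the same thing. The only fixed part of the name is the suffix, which the hide page says is controlled by `SECRETS_EXTENSION`. Suggest "files must be specified by their encrypted names, i.e. the original path with the `.secret` extension appended (or whatever `SECRETS_EXTENSION` is set to), for example `config.yml.secret`", so readers with non-YAML files are not misled and the two pages use one convention.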
@ -24,4 +27,6 @@ Run `man git-secret-changes` to see this note.
## SEE ALSO
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

@ -15,7 +15,7 @@ git secret clean [\-v]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-clean\fR deletes all the encrypted files\. This command can produce a verbose output, printing which files are deleted\.
\fBgit\-secret\-clean\fR deletes all the encrypted files\. Verbose output is enabled with the \-v option, in which case the program prints which files are deleted\.
.
.SH "OPTIONS"
.

@ -7,7 +7,8 @@ git-secret-clean - removes all the hidden files.
## DESCRIPTION
`git-secret-clean` deletes all the encrypted files. This command can produce a verbose output, printing which files are deleted.
`git-secret-clean` deletes all the encrypted files.
Verbose output is enabled with the -v option, in which case the program prints which files are deleted.
## OPTIONS
@ -23,4 +24,5 @@ Run `man git-secret-clean` to see this note.
## SEE ALSO
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

@ -15,7 +15,7 @@ git secret hide [\-c] [\-v]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-hide\fR creates an encrypted version for each file added by \fBgit\-secret\-add\fR command\. Now anyone from the \fBgit\-secret\fR\'s keyring can decrypt these files using their secret key\.
\fBgit\-secret\-hide\fR creates an encrypted version (typically called filename\.txt\.secret) for each file added by \fBgit\-secret\-add\fR command\. Now anyone enabled via \'git secret tell\' can can decrypt these files\. Under the hood, \fBgit\-secret\fR uses the keyring in \.gitsecret/keys and their secret key to decrypt the files\.
.
.P
It is possible to modify the names of the encrypted files by setting \fBSECRETS_EXTENSION\fR variable\.
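Review bot: "can can decrypt" on the rewritten DESCRIPTION line is a doubled word. In the same sentence, \'git secret tell\' is quoted with plain apostrophes while every other command on the page uses \fB...\fR; use \fBgit secret tell\fR. "(typically called filename\.txt\.secret)" would be clearer as "(\fIfilename\fR\.secret by default; see \fBSECRETS_EXTENSION\fR below)", since the next paragraph already says the extension is configurable.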
@ -36,4 +36,7 @@ It is possible to modify the names of the encrypted files by setting \fBSECRETS_
Run \fBman git\-secret\-hide\fR to see this note\.
.
.SH "SEE ALSO"
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR, git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR
git\-secret\-init(1) \fIhttp://git\-secret\.io/git\-secret\-init\fR, git\-secret\-tell(1) \fIhttp://git\-secret\.io/git\-secret\-tell\fR, git\-secret\-add(1) \fIhttp://git\-secret\.io/git\-secret\-add\fR, git\-secret\-reveal(1) \fIhttp://git\-secret\.io/git\-secret\-reveal\fR,
.
.br
git\-secret\-cat(1) \fIhttp://git\-secret\.io/git\-secret\-cat\fR

@ -7,7 +7,10 @@ git-secret-hide - encrypts all added files with the inner keyring.
## DESCRIPTION
`git-secret-hide` creates an encrypted version for each file added by `git-secret-add` command. Now anyone from the `git-secret`'s keyring can decrypt these files using their secret key.
`git-secret-hide` creates an encrypted version (typically called filename.txt.secret)
for each file added by `git-secret-add` command.
Now anyone enabled via 'git secret tell' can can decrypt these files. Under the hood,
`git-secret` uses the keyring in .gitsecret/keys and their secret key to decrypt the files.
It is possible to modify the names of the encrypted files by setting `SECRETS_EXTENSION` variable.
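Review bot: the last added sentence, "Under the hood, `git-secret` uses the keyring in .gitsecret/keys and their secret key to decrypt the files", describes decryption on the page for the command that encrypts. For `hide` the accurate statement is that each added file is encrypted to every public key in `.gitsecret/keys`, so that any of those key holders can later decrypt it with their own secret key; the decryption mechanics belong on the reveal and cat pages. "can can decrypt" is also a doubled word here, as in the man page.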
@ -28,4 +31,6 @@ Run `man git-secret-hide` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

@ -15,7 +15,7 @@ git secret init
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo\. \fBgit\-secret\-init\fR is the first command to be run, until the git\-secret repository is inited other commands are unavailable\.
\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
.
.SH "OPTIONS"
.

@ -7,7 +7,8 @@ git-secret-init - initializes git-secret repository.
## DESCRIPTION
`git-secret-init` should be run inside a `git` repo. `git-secret-init` is the first command to be run, until the git-secret repository is inited other commands are unavailable.
`git-secret-init` should be run inside a `git` repo to set up the .gitsecret directory and initialize the repo for git-secret.
Until repository is initialized with `git secret init`, all other `git-secret` commands are unavailable.
## OPTIONS
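Review bot: "Until repository is initialized with `git secret init`" is missing the article ("Until the repository is initialized"); same sentence in the man page hunk above. Otherwise the rewrite is a clear improvement over "inited".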

@ -15,7 +15,7 @@ git secret killperson <emails>\.\.\.
.fi
.
.SH "DESCRIPTION"
This command removes selected email addresses from the keyring\. \fBgit\-secret\-killperson\fR makes it impossible for given users to decrypt the hidden files in the future\. It is required to run \fBgit\-secret\-hide\fR once again with the updated keyring to renew the encryption\.
This command removes the keys associated with the selected email addresses from the keyring\. If you remove a keypair\'s access with \fBgit\-secret\-killperson\fR, and run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR, it will be impossible for given users to decrypt the hidden files\.
.
.SH "OPTIONS"
.
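Review bot: the rewrite weakens the one security\-critical statement on this page. The old text said re\-running \fBgit\-secret\-hide\fR with the updated keyring "is required"; the new sentence only describes what happens "if you ... run \fBgit\-secret\-reveal\fR and \fBgit\-secret\-hide \-r\fR". Make the requirement explicit: until \fBgit secret hide\fR is re\-run and the new \fB\.secret\fR files are committed, the removed user can still decrypt everything, and the versions already in git history remain decryptable with their key regardless, so any secret they had access to should be rotated rather than assumed safe. The \-r flag is also not in the hide synopsis shown in this same change (\fBgit secret hide [\-c] [\-v]\fR); confirm the flag name before documenting it.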

@ -7,7 +7,9 @@ git-secret-killperson - deletes key identified by an email from the inner keyrin
## DESCRIPTION
This command removes selected email addresses from the keyring. `git-secret-killperson` makes it impossible for given users to decrypt the hidden files in the future. It is required to run `git-secret-hide` once again with the updated keyring to renew the encryption.
This command removes the keys associated with the selected email addresses from the keyring.
If you remove a keypair's access with `git-secret-killperson`, and run `git-secret-reveal` and `git-secret-hide -r`,
it will be impossible for given users to decrypt the hidden files.
## OPTIONS
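Review bot: `git-secret-hide -r` here and `git secret reveal; git secret hide -d` in the usage page of this same change describe the same re-encryption step with two different flags, while the hide synopsis shown in this change lists only `[-c] [-v]`. Pick the flag that actually exists in the hide command and use it in both places, or drop the flag and just say "re-run `git secret hide`", so the docs do not contradict each other on the step that makes a revocation effective.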
@ -22,4 +24,5 @@ Run `man git-secret-killperson` to see this note.
## SEE ALSO
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-clean(1)](http://git-secret.io/git-secret-clean)
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-remove(1)](http://git-secret.io/git-secret-remove),
[git-secret-clean(1)](http://git-secret.io/git-secret-clean)

@ -22,4 +22,6 @@ Run `man git-secret-list` to see this note.
## SEE ALSO
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
[git-secret-whoknows(1)](http://git-secret.io/git-secret-whoknows), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-remove(1)](http://git-secret.io/git-secret-remove), [git-secret-hide(1)](http://git-secret.io/git-secret-hide),
[git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)

@ -15,7 +15,7 @@ git secret remove [\-c] <pathspec>\.\.\.
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also an option to delete existing encrypted versions of the files provided\.
\fBgit\-secret\-remove\fR deletes files from \fB\.gitsecret/paths/mapping\.cfg\fR, so they won\'t be encrypted or decrypted in the future\. There\'s also a \-c option to delete existing encrypted versions of the files provided\.
.
.SH "OPTIONS"
.

@ -7,7 +7,9 @@ git-secret-remove - removes files from index.
## DESCRIPTION
`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`, so they won't be encrypted or decrypted in the future. There's also an option to delete existing encrypted versions of the files provided.
`git-secret-remove` deletes files from `.gitsecret/paths/mapping.cfg`,
so they won't be encrypted or decrypted in the future.
There's also a -c option to delete existing encrypted versions of the files provided.
## OPTIONS
@ -23,4 +25,5 @@ Run `man git-secret-remove` to see this note.
## SEE ALSO
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
[git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-clean(1)](http://git-secret.io/git-secret-clean),
[git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

@ -15,7 +15,7 @@ git secret reveal [\-f] [\-d dir] [\-p password]
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-reveal\fR \- decrypts all the files in the \fB\.gitsecret/paths/mapping\.cfg\fR by running a \fBgpg \-\-decrypt\fR command\. It is important to have the paired secret\-key with one of the public\-keys which were used in the encryption\.
\fBgit\-secret\-reveal\fR \- decrypts all the files in \fB\.gitsecret/paths/mapping\.cfg\fR\. You will need to have imported the paired secret\-key with one of the public\-keys which were used in the encryption\. Under the hood, this uses the \fBgpg \-\-decrypt\fR command\.
.
.SH "OPTIONS"
.

@ -7,7 +7,10 @@ git-secret-reveal - decrypts all added files.
## DESCRIPTION
`git-secret-reveal` - decrypts all the files in the `.gitsecret/paths/mapping.cfg` by running a `gpg --decrypt` command. It is important to have the paired secret-key with one of the public-keys which were used in the encryption.
`git-secret-reveal` - decrypts all the files in `.gitsecret/paths/mapping.cfg`.
You will need to have imported the paired secret-key with one of the
public-keys which were used in the encryption.
Under the hood, this uses the `gpg --decrypt` command.
## OPTIONS
@ -25,4 +28,6 @@ Run `man git-secret-reveal` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide)
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-cat(1)](http://git-secret.io/git-secret-cat),
[git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide)

@ -7,7 +7,11 @@ git-secret-tell - adds a person, who can access private data.
## DESCRIPTION
`git-secret-tell` receives an email addresses as an input, searches for the `gpg`-key in the `gpg`'s `homedir` by these emails, then imports a person's public key into the `git-secret`'s inner keychain. From this moment this person can encrypt new files with the keyring which contains their key. But they cannot decrypt the old files, which were already encrypted without their key. They should be reencrypted with the new keyring by someone, who has the unencrypted files.
`git-secret-tell` receives an email addresses as an input, searches for the `gpg`-key in the `gpg`'s
`homedir` by these emails, then imports a person's public key into the `git-secret`'s inner keychain.
From this moment this person can encrypt new files with the keyring which contains their key.
But they cannot decrypt the old files, which were already encrypted without their key.
They should be reencrypted with the new keyring by someone, who has the unencrypted files.
**Do not manually import secret key into `git-secret`**. Anyways, it won't work with any of the secret-keys imported.
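Review bot: "receives an email addresses as an input" on the first rewritten line still mixes singular and plural; "receives one or more email addresses as input" matches the `<emails>...` usage. More important for a page about granting access: the key is looked up "in the `gpg`'s `homedir` by these emails", and an email address is not a unique key identifier. If the local keyring holds several keys carrying that address, or an unverified key someone mailed in, the wrong one can end up in `.gitsecret/keys`, and every file hidden afterwards is readable by whoever holds it. Add a sentence telling the user to check the key's fingerprint out of band (for example with `gpg --fingerprint their@email.com`) before running `git secret tell`. The bold context line's "Anyways, it won't work" also reads as chat rather than documentation; "It would not work in any case" says the same thing.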
@ -26,4 +30,6 @@ Run `man git-secret-tell` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat), [git-secret-killperson(1)](http://git-secret.io/git-secret-killperson)

@ -22,4 +22,6 @@ Run `man git-secret-usage` to see this note.
## SEE ALSO
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-add(1)](http://git-secret.io/git-secret-add),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

@ -15,7 +15,7 @@ git secret whoknows
.fi
.
.SH "DESCRIPTION"
\fBgit\-secret\-whokowns\fR prints list of email addresses which are used as labels for currently public keys added to the local keyring\.
\fBgit\-secret\-whoknows\fR prints list of email addresses which are used as labels for currently public keys added to the local keyring\.
.
.SH "OPTIONS"
.

@ -7,7 +7,7 @@ git-secret-whoknows - prints email-labels for each key in the keyring.
## DESCRIPTION
`git-secret-whokowns` prints list of email addresses which are used as labels for currently public keys added to the local keyring.
`git-secret-whoknows` prints list of email addresses which are used as labels for currently public keys added to the local keyring.
## OPTIONS
@ -22,4 +22,6 @@ Run `man git-secret-whoknows` to see this note.
## SEE ALSO
[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal), [git-secret-cat(1)](http://git-secret.io/git-secret-cat)
[git-secret-list(1)](http://git-secret.io/git-secret-list), [git-secret-tell(1)](http://git-secret.io/git-secret-tell),
[git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal),
[git-secret-cat(1)](http://git-secret.io/git-secret-cat)

@ -13,19 +13,25 @@ These steps cover the basic process of using \fBgit\-secret\fR:
Before starting, make sure you have created \fBgpg\fR RSA key\-pair: public and secret key identified by your email address\.
.
.IP "2." 4
Initialize \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. \fB\.gitsecret/\fR folder will be created, \fBnote\fR that \fB\.gitsecret/\fR folder should \fBnot\fR be ignored \fIhttps://github\.com/sobolevn/git\-secret/issues/39\fR\.
Begin with an existing or new git repository\. You\'ll use the \'git secret\' commands to add the keyrings and information to make the git\-secret hide and reveal files in this repository\.
.
.IP "3." 4
Add first user to the system by running \fBgit secret tell your@gpg\.email\fR\.
Initialize the \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. the \fB\.gitsecret/\fR folder will be created, \fBNote\fR all the contents of the \fB\.gitsecret/\fR folder should be checked in, /except/ the \fBrandom_seed\fR file\. In other words, of the files in \.gitsecret, only the random_seed file should be mentioned in your \.gitignore file\.
.
.IP "4." 4
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files will be stored unencrypted\.
Add the first user to the git\-secret repo keyring by running \fBgit secret tell your@gpg\.email\fR\.
.
.IP "5." 4
When done, run \fBgit secret hide\fR all files, which you have added by \fBgit secret add\fR command will be encrypted with added public\-keys by the \fBgit secret tell\fR command\. Now it is safe to commit your changes\. \fBBut\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored by mentions in \.gitignore, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files could be stored unencrypted\.
.
.IP "6." 4
Now decrypt files with \fBgit secret reveal\fR command\. It will ask you for your password\. And you\'re done!
When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\.
.
.br
The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\. \fBNOTE:\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
.
.IP "7." 4
Later you can decrypt files with the \fBgit secret reveal\fR command, or just show their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done!
.
.IP "" 0
.
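Review bot: in the rewritten step 3 the slashes in "/except/" are plain characters in roff, not emphasis; use \fIexcept\fR. The same item runs "the \fB\.gitsecret/\fR folder will be created, \fBNote\fR all the contents ..." together with a lowercase start; split it into two sentences. It also drops the reason the old text gave for not ignoring \fB\.gitsecret/\fR (the tool aborts if the folder is ignored, as the removed Internals paragraph below shows); one clause such as "git\-secret refuses to run if \fB\.gitsecret/\fR itself is ignored" keeps that. In step 5, "ignored by mentions in \.gitignore" reads better as "ignored via \fB\.gitignore\fR". In step 7, "password on your GPG key" should be "passphrase", the gpg term, so it is not confused with the \-p password option on the reveal and cat pages.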
@ -35,24 +41,24 @@ Now decrypt files with \fBgit secret reveal\fR command\. It will ask you for you
Get their \fBgpg\fR public\-key\. \fBYou won\'t need their secret key\.\fR
.
.IP "2." 4
Import this key inside your \fBgpg\fR by running \fBgpg \-\-import KEY_NAME\fR
Import this key into your \fBgpg\fR setup (in ~/\.gnupg or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR
.
.IP "3." 4
Now add this person to the \fBgit\-secret\fR by running \fBgit secret tell persons@email\.id\fR
Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address assocated with the public key)
.
.IP "4." 4
Reencypt the files, now they will be able to decrypt them with their secret key\.
The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user be able to decrypt the files in the repo using \fBgit\-secret\fR\.
.
.IP "" 0
.
.P
Note, that it is possible to add yourself to the system without decrypting existing files\. It will be possible to decrypt them after reencrypting them with the new keyring\. So, if you don\'t want unexpected keys added, make sure to configure some server\-side security policy with the \fBpre\-receive\fR hook\.
Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after reencrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
.
.SH "Configuration"
You can configure several things to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with the each \fBgit\-secret\fR command\.
You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\.
.
.P
These settings are available to be changed:
The settings available to be changed are:
.
.IP "\(bu" 4
\fB$SECRETS_GPG_COMMAND\fR \- sets the \fBgpg\fR alternatives, defaults to \fBgpg\fR\. It can be changed to \fBgpg\fR, \fBgpg2\fR, \fBpgp\fR, \fB/usr/local/gpg\fR or any other value\. After doing so rerun the tests to be sure that it won\'t break anything\. Tested to be working with: \fBgpg\fR, \fBgpg2\fR\.
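Review bot: step 4 of "adding someone" documents \fBgit secret reveal; git secret hide \-d\fR, but \-d is not in the hide synopsis shown in this change (\fBgit secret hide [\-c] [\-v]\fR), and the killperson page in the same change uses \fBhide \-r\fR for the equivalent step; confirm which flag exists and use it in both places. Same item: "Now the newly added user be able" is missing "will", and step 3 has "assocated". Step 2's \fBgpg \-\-import KEY_NAME\.txt\fR should add that importing a key does not verify it: the fingerprint needs to be checked with the person out of band before step 3, because anyone who can get a key file in front of the maintainer otherwise gains read access to every secret encrypted from then on. The closing paragraph about a \fBpre\-receive\fR hook is the right place to say what the hook should check (that \fB\.gitsecret/keys\fR changes come only from approved committers).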
@ -62,18 +68,23 @@ These settings are available to be changed:
.
.IP "" 0
.
.SH "Internals"
.SH "Internals \-\- the <code>\.gitsecret</code> folder"
This folder contains all the information about the data encrypted in this repo, and about which public/private key sets can access the encrypted data\. Use the various \'git secret\' commands to manipulate the files in \fB\.gitsecret\fR, you should not change the data in these files directly\.
.
.SS "<code>\.gitsecret</code> folder"
This folder contains every piece of information about the project\. It stores:
.P
The git\-secret internal data is separated into two directories:
.
.IP "\(bu" 4
public keys for the project
.SS "<code>\.gitsecret/paths</code>"
This directory currently contains only the file \fBmapping\.cfg\fR, which lists all the files your storing encrypted\. In other words, the path mappings: what files are tracked to be hidden and revealed\.
.
.IP "\(bu" 4
path mappings\. Or in other words: what files are tracked to be hidden and revealed
.P
All the other internal data is stored in the directory:
.
.IP "" 0
.SS "<code>\.gitsecret/keys</code>"
This directory contains data used by git\-secret and PGP to allow and maintain the correct encyption and access rights for the permitted parties\.
.
.P
This folder should not be ignored\. In case it is application would not work raising an error: \fB\'\.gitsecret/\' is ignored\. abort\.\'\fR\. However, it is possible to ignore individual files \fIhttps://github\.com/sobolevn/git\-secret/issues/93\fR inside it: \fBrandom_seed\fR would be the most popular example\.
Generally speaking, all the files in this directory \fIexcept\fR \fBrandom_seed\fR should be checked into your repo\.
.
.br
By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \.gitignore file\.
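Review bot: the new `.SH "Internals \-\- the <code>\.gitsecret</code> folder"` heading, and the two `.SS` headings below it, embed literal `<code>` HTML tags that will be printed verbatim by `man`; use roff bold as the rest of this page does, e.g. `.SH "Internals \-\- the \fB\.gitsecret\fR folder"`. Two typos in the added text: `which lists all the files your storing encrypted` should read `you're storing`, and `encyption` should be `encryption`. Since the `.gitsecret/keys` paragraph now says everything except `random_seed` should be committed, consider keeping the removed sentence about the `'\.gitsecret/' is ignored\. abort\.` error, as it tells the reader what happens when the whole folder is ignored.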

@ -3,37 +3,71 @@
These steps cover the basic process of using `git-secret`:
0. Before starting, make sure you have created `gpg` RSA key-pair: public and secret key identified by your email address.
1. Initialize `git-secret` repository by running `git secret init` command. `.gitsecret/` folder will be created, **note** that `.gitsecret/` folder [should **not** be ignored](https://github.com/sobolevn/git-secret/issues/39).
2. Add first user to the system by running `git secret tell your@gpg.email`.
3. Now it's time to add files you wish to encrypt inside the `git-secret` repository. It can be done by running `git secret add <filenames...>` command. Make sure these files are ignored, otherwise `git-secret` won't allow you to add them, as these files will be stored unencrypted.
4. When done, run `git secret hide` all files, which you have added by `git secret add` command will be encrypted with added public-keys by the `git secret tell` command. Now it is safe to commit your changes. **But**. It's recommended to add `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
5. Now decrypt files with `git secret reveal` command. It will ask you for your password. And you're done!
1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
to make the git-secret hide and reveal files in this repository.
2. Initialize the `git-secret` repository by running `git secret init` command. the `.gitsecret/` folder will be created,
**Note** all the contents of the `.gitsecret/` folder should be checked in, /except/ the `random_seed` file.
In other words, of the files in .gitsecret, only the random_seed file should be mentioned in your .gitignore file.
3. Add the first user to the git-secret repo keyring by running `git secret tell your@gpg.email`.
4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
It can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
.gitignore, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted.
5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
The data will be encrypted with the public-keys described by the `git secret tell` command.
After using `git secret hide` to encrypt your data, it is safe to commit your changes.
**NOTE:**. It's recommended to add `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
6. Later you can decrypt files with the `git secret reveal` command, or just show their contents to stdout with the
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
And you're done!
### I want to add someone to the repository
1. Get their `gpg` public-key. **You won't need their secret key.**
2. Import this key inside your `gpg` by running `gpg --import KEY_NAME`
3. Now add this person to the `git-secret` by running `git secret tell persons@email.id`
4. Reencypt the files, now they will be able to decrypt them with their secret key.
2. Import this key into your `gpg` setup (in ~/.gnupg or similar) by running `gpg --import KEY_NAME.txt`
3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
(this will be the email address assocated with the public key)
4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
(The -d options deletes the unencrypted file after re-encrypting it).
Now the newly added user be able to decrypt the files in the repo using `git-secret`.
Note, that it is possible to add yourself to the system without decrypting existing files. It will be possible to decrypt them after reencrypting them with the new keyring. So, if you don't want unexpected keys added, make sure to configure some server-side security policy with the `pre-receive` hook.
Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
It will be possible to decrypt them after reencrypting them with the new keyring. So, if you don't
want unexpected keys added, you can configure some server-side security policy with the `pre-receive` hook.
## Configuration
You can configure several things to suit your workflow better. To do so, just set the required variable to the value you need. This can be done in your shell environment file or with the each `git-secret` command.
You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better.
To do so, just set the required variable to the value you need.
This can be done in your shell environment file or with each `git-secret` command.
These settings are available to be changed:
The settings available to be changed are:
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`.
It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value.
After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
* `$SECRETS_GPG_COMMAND` - sets the `gpg` alternatives, defaults to `gpg`. It can be changed to `gpg`, `gpg2`, `pgp`, `/usr/local/gpg` or any other value. After doing so rerun the tests to be sure that it won't break anything. Tested to be working with: `gpg`, `gpg2`.
* `$SECRETS_EXTENSION` - sets the secret files extension, defaults to `.secret`. It can be changed to any valid file extension.
## Internals
## Internals -- the `.gitsecret` folder
This folder contains all the information about the data encrypted in this repo,
and about which public/private key sets can access the encrypted data.
Use the various 'git secret' commands to manipulate the files in `.gitsecret`,
you should not change the data in these files directly.
The git-secret internal data is separated into two directories:
### `.gitsecret/paths`
This directory currently contains only the file `mapping.cfg`, which lists all the files your storing encrypted.
In other words, the path mappings: what files are tracked to be hidden and revealed.
### `.gitsecret` folder
All the other internal data is stored in the directory:
This folder contains every piece of information about the project. It stores:
### `.gitsecret/keys`
* public keys for the project
* path mappings. Or in other words: what files are tracked to be hidden and revealed
This directory contains data used by git-secret and PGP to allow and maintain the correct encyption and access rights for the permitted parties.
This folder should not be ignored. In case it is application would not work raising an error: `'.gitsecret/' is ignored. abort.'`. However, it is possible to ignore [individual files](https://github.com/sobolevn/git-secret/issues/93) inside it: `random_seed` would be the most popular example.
Generally speaking, all the files in this directory *except* `random_seed` should be checked into your repo.
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your .gitignore file.
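Review bot: step 4 of "I want to add someone" chains `git secret reveal; git secret hide -d` with `;`, so `hide -d` runs even when `reveal` fails (wrong passphrase, missing secret key), which can re-encrypt stale plaintext or delete files that were never refreshed; suggest `git secret reveal && git secret hide -d`. The sentence after it is missing a verb: `Now the newly added user will be able to decrypt the files`. Wording fixes in the added lines: `/except/` is not Markdown emphasis, use `*except*`; `**NOTE:**.` has a stray period; `assocated` -> `associated`; `your storing encrypted` -> `you're storing encrypted`; `encyption` -> `encryption`.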

@ -22,4 +22,17 @@ function usage {
local commands="add|cat|changes|clean|hide|init|killperson|list|remove|reveal|tell|usage|whoknows"
echo "usage: git secret [$commands]"
echo "See 'git secret [command] -h' for information on each one"
echo " add [filename.txt] - adds file to be hidden. Also add this file to .gitignore"
echo " cat [filename.txt] - cats the decrypted contents of the named file to stdout"
echo " changes [filename.secret] - indicates if the file has changed since checkin"
echo " clean - deletes encrypted files"
echo " hide - encrypts (or re-encrypts) the files to be hidden"
echo " init - creates the .gitsecret directory and contents needed for git-secret"
echo " killperson [emails] - the reverse of 'tell', removes access for the named user"
echo " list - shows files to be hidden/encrypted, as in .gitsecret/paths/mapping.cfg"
echo " remove [files] - removes files from list of hidden files"
echo " reveal - decrypts all hidden files, as mentioned in 'git secret list'"
echo " tell [email] - add access for the user with imported public key with email"
echo " whoknows - shows list of email addresses associated with public keys that can reveal files"
}
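Review bot: the `killperson [emails]` line says it `removes access for the named user`, but as the usage.md hunk in this PR explains for `tell`, a keyring change only takes effect once the files are re-encrypted with `git secret hide`; suggest wording it `removes the user's key from the keyring; run 'hide' to re-encrypt` so the help text does not imply that the already encrypted files become unreadable to that key immediately. The `add` line also has a tense mismatch with the others: `Also add this file to .gitignore` reads as an instruction, `also adds this file to .gitignore` would be clearer, whichever is the actual behaviour.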

@ -27,7 +27,7 @@ function _check_setup {
function _incorrect_usage {
echo "git-server: abort: $1"
echo "git-secret: abort: $1"
usage
exit "$2"
}
