\fBgit\-secret\-init\fR should be run inside a \fBgit\fR repo to set up the \.gitsecret directory and initialize the repo for git\-secret\. Until repository is initialized with \fBgit secret init\fR, all other \fBgit\-secret\fR commands are unavailable\.
.
.P
If a \fB\.gitsecret\fR directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise, a \.gitsecret directory is created with appropriate sub\-directories, and patterns to ignore \fBgit\-secret\fR\'s \fBrandom_seed_file\fR and not ignore \fB\.secret\fR files are added to \fB\.gitignore\fR\.
If a \fB\.gitsecret\fR directory already exists, \fBgit\-secret\-init\fR exits without making any changes\. Otherwise,
.
.IP"\(bu"4
\fB\.gitignore\fR is modified to ignore \fBgit\-secret\fR\'s \fBrandom_seed_file\fR, and to not ignore \fB\.secret\fR files,
.
.IP"\(bu"4
a \.gitsecret directory is created with the sub\-directories /keys and /paths,
.
.IP"\(bu"4
The \fB\.gitsecret/keys\fR subdirectory permissions are set to 700 to make gnupg happy\.
.
.IP""0
.
.P
(See git\-secret(7) \fIhttps://git\-secret\.io/git\-secret\fR for information about renaming the \.gitsecret folder with the \fBSECRETS_DIR\fR environment variable, and changing the extension \fBgit\-secret\fR uses for secret files with the \fBSECRETS_EXTENSION\fR environment variable\.
\fBgit\-secret\fR\- bash tool to store private data inside a git repo\.
@ -41,15 +41,18 @@ Later you can decrypt files with the \fBgit secret reveal\fR command, or just pr
Import this key into your \fBgpg\fR keyring (in \fB~/\.gnupg\fR or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR
.
.IP"3."4
Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with the public key)
Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with their public key)
.
.IP"4."4
Now remove the other user\'s public key from your personal keychain with \fBgpg \-\-delete\-keys persons@email\.id\fR
.
.IP"5."4
The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user will be able to decrypt the files in the repo using \fBgit\-secret reveal\fR\.
.
.IP""0
.
.P
Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\.So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
Note that it is possible to add yourself to the git\-secret repo without being able decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\.If you do not want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
.
.SS"Using gpg"
You can follow a quick \fBgpg\fR tutorial at devdungeon \fIhttps://www\.devdungeon\.com/content/gpg\-tutorial\fR\. Here are the most useful commands to get started:
@ -103,13 +106,13 @@ When using \fBgit\-secret\fR for CI/CD, you get the benefit that any deployment
One way of doing it is the following:
.
.IP"1."4
\fIcreate a gpg key\fR for your CI/CD environment\. You can chose any name and email address you want: for instance \fBMyApp CodeShip <myapp@codeship\.com>\fR if your app is called MyApp and your CI/CD provider is CodeShip\. It is easier not to define a password for that key\.
\fIcreate a gpg key\fR for your CI/CD environment\. You can chose any name and email address you want: for instance \fBMyApp CodeShip <myapp@codeship\.com>\fR if your app is called MyApp and your CI/CD provider is CodeShip\. It is easier not to define a passphrase for that key\. However, if defining a passphrase is unavoidable, use a unique passphrase for the private key\.
.
.IP"2."4
run \fBgpg \-\-armor \-\-export\-secret\-key myapp@codeship\.com\fR to get your private key value
.
.IP"3."4
Create an env var on your CI/CD server \fBGPG_PRIVATE_KEY\fR and assign it the private key value\.
Create an env var on your CI/CD server \fBGPG_PRIVATE_KEY\fR and assign it the private key value\. If a passphrase has been setup for the private key, create another env var on the CI/CD server \fBGPG_PASSPHRASE\fR and assign it the passphrase of the private key\.
.
.IP"4."4
Then write your Continuous Deployment build script\. For instance:
@ -124,11 +127,12 @@ Then write your Continuous Deployment build script\. For instance:
# see: https://git\-secret\.io/installation
# Create private key file
echo $GPG_PRIVATE_KEY > \./private_key\.gpg
# Import private key
gpg \-\-import \./private_key\.gpg
# Reveal secrets
git secret reveal
echo "$GPG_PRIVATE_KEY" > \./private_key\.gpg
# Import private key and avoid the "Inappropriate ioctl for device" error
Also note: the \fBgpg\fR version on the CI/CD server \fBMUST INTEROPERATE\fR with the one used locally\. Otherwise, \fBgpg\fR decryption can fail, which leads to \fBgit secret reveal\fR reporting \fBcannot find decrypted version of file\fR error\. The best way to ensure this is to use the same version of gnupg on different systems\.
.
.SH"Environment Variables and Configuration"
You can configure the version of \fBgpg\fR used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\. See below, or the man page of \fBgit\-secret\fR for an explanation of the environment variables \fBgit\-secret\fR uses\.
Josh Rabinowitz
2 years ago
committed by
GitHub