\fBgit\-secret\fR\- bash tool to store private data inside a git repo\.
@ -10,7 +10,7 @@
These steps cover the basic process of using \fBgit\-secret\fR:
.
.IP"1."4
Before starting, make sure you have created \fBgpg\fR RSA key\-pair: public and secret key identified by your email address\.
Before starting, \fImake sure you have created \fBgpg\fR RSA key\-pair\fR: public and secret key identified by your email address\.
.
.IP"2."4
Begin with an existing or new git repository\. You\'ll use the \'git secret\' commands to add the keyrings and information to make the git\-secret hide and reveal files in this repository\.
@ -25,10 +25,7 @@ Add the first user to the git\-secret repo keyring by running \fBgit secret tell
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored by mentions in \.gitignore, otherwise \fBgit\-secret\fR won\'t allow you to add them, as these files could be stored unencrypted\.
.
.IP"6."4
When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\.
.
.br
The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\.\fBNOTE:\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
When done, run \fBgit secret hide\fR to encrypt all files which you have added by the \fBgit secret add\fR command\. The data will be encrypted with the public\-keys described by the \fBgit secret tell\fR command\. After using \fBgit secret hide\fR to encrypt your data, it is safe to commit your changes\.\fBNOTE:\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
.
.IP"7."4
Later you can decrypt files with the \fBgit secret reveal\fR command, or just show their contents to stdout with the \fBgit secret cat\fR command\. If you used a password on your GPG key (always recommended), it will ask you for your password\. And you\'re done!
@ -38,7 +35,7 @@ Later you can decrypt files with the \fBgit secret reveal\fR command, or just sh
.SS"Usage: Adding someone to a repository using git\-secret"
.
.IP"1."4
Get their \fBgpg\fR public\-key\.\fBYou won\'t need their secret key\.\fR
\fIGet their \fBgpg\fR public\-key\fR\.\fBYou won\'t need their secret key\.\fR
.
.IP"2."4
Import this key into your \fBgpg\fR setup (in ~/\.gnupg or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR
@ -54,6 +51,117 @@ The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the
.P
Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
.
.SS"Using gpg"
You can follow a quick gpg tutorial at https://www\.devdungeon\.com/content/gpg\-tutorial\. Here are the most useful commands to get started:
To import the public key of someone else (to share the secret with them for instance), run:
.
.IP""4
.
.nf
gpg \-\-import public\-key\.gpg
.
.fi
.
.IP""0
.
.P
Be sure to use a secure channel to share your public key!
.
.SS"Using git\-secret for Continuous Integration / Continuous Deployment (CI/CD)"
When using git\-secret for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated with the changes in your code\.
.
.P
One way of doing it is the following:
.
.IP"1."4
\fIcreate a gpg key\fR for your CI/CD environment\. You can chose any name and email address you want: for instance \fBMyApp CodeShip <myapp@codeship\.com>\fR if your app is called MyApp and your CI/CD provider is CodeShip\. It is easier not to define a password for that key\.
.
.IP"2."4
run \fBgpg \-\-export\-secret\-key myapp@codeship\.com \-\-armor\fR to get your private key value
.
.IP"3."4
Create an env var on your CI/CD server \fBGPG_PRIVATE_KEY\fR and assign it the private key value\.
.
.IP"4."4
Then write your Continuous Deployment build script\. For instance:
.
.IP""0
.
.IP""4
.
.nf
# Install git\-secret (https://git\-secret\.io/installation), for instance, for debian:
echo "deb https://dl\.bintray\.com/sobolevn/deb git\-secret main" | sudo tee \-a /etc/apt/sources\.list
You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\.
.
@ -105,10 +213,7 @@ All the other internal data is stored in the directory:
This directory contains data used by git\-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties\.
.
.P
Generally speaking, all the files in this directory \fIexcept\fR\fBrandom_seed\fR should be checked into your repo\.
.
.br
By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \.gitignore file\.
Generally speaking, all the files in this directory \fIexcept\fR\fBrandom_seed\fR should be checked into your repo\. By default, \fBgit secret init\fR will add the file \fB\.gitsecret/keys/random_seed\fR to your \.gitignore file\.
.
.P
Again, you can change the name of this directory using the SECRETS_DIR environment variable\.
To import the public key of someone else (to share the secret with them for instance), run:
```shell
gpg --import public-key.gpg
```
Be sure to use a secure channel to share your public key!
### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)
When using git-secret for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
with the changes in your code.
One way of doing it is the following:
1. [create a gpg key](#using-gpg) for your CI/CD environment. You can chose any name and email address you want: for instance `MyApp CodeShip <myapp@codeship.com>`
if your app is called MyApp and your CI/CD provider is CodeShip. It is easier not to define a password for that key.
2. run `gpg --export-secret-key myapp@codeship.com --armor` to get your private key value
3. Create an env var on your CI/CD server `GPG_PRIVATE_KEY` and assign it the private key value.
4. Then write your Continuous Deployment build script. For instance:
```shell
# Install git-secret (https://git-secret.io/installation), for instance, for debian:
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
Aymeric Bouzy
4 years ago
committed by
GitHub