Archives
/
git-secret
mirror of https://github.com/sobolevn/git-secret
2
1
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/docker/dot-ci/releaser/alpine/alpine-3.20.0
dependabot/docker/dot-ci/release-ci/alpine/alpine-3.20.0
dependabot/docker/dot-ci/docker-ci/alpine/alpine-3.20.0
dependabot/github_actions/JamesIves/github-pages-deploy-action-4.6.1
master
verbose-test-output-2024
dependabot/docker/dot-ci/release-ci/debian/debian-12.5-slim
dependabot/docker/dot-ci/docker-ci/debian-gnupg1/debian-12.5-slim
dependabot/docker/dot-ci/docker-ci/debian-gnupg2/debian-12.5-slim
gh-pages
dependabot/docker/dot-ci/release-ci/ubuntu/ubuntu-24.04
dependabot/docker/dot-ci/docker-ci/ubuntu/ubuntu-24.04
dependabot/github_actions/actions/github-script-7
sobolevn-patch-4
test-apk-and-arch
issue-881-towards-new-release
issue-916-disable-arch-tests
issue-135-spaces-in-parent-dirs
issue-918-stat-on-osx
fix-arch-signature-issue
sobolevn-patch-3
sobolevn-patch-2
sobolevn-patch-1
gitignore-grep-improvement
update-changelog
update-bats-to-1.6.0
add-multiple-files-gitignore
automated-verbose-test
passphrase1
test-on-arch
renames1
revert_usage_error_change
alma-tests
issue-765-rocky-linux
issue-755-changelog-for-bats-update
issue-638-dup-emails-test
issue-710-changelog
issue-752-add-directory
issue-710-cat-subdir-bug
v0.5.0
v0.4.0
v0.3.3
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.2
v0.1.1
v0.1.0
prerelease
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.7-alpha
v0.3.0
v0.3.1
v0.3.2
v0.4.0.alpha1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
git-secret/docs/_includes/why.md

2.2 KiB
Raw Permalink Blame History

Intro

There's a well known issue with deploying and configuring software on servers: generally you have to store your private data (such as database passwords, application secret-keys, OAuth secret keys, etc) outside of the git repository.

If you do choose to store these secrets unencrypted in your git repo, even if the repository is private, it is a security risk to copy the secrets everywhere you check out your repo.

What are some drawbacks of storing secrets separately from your git repo?

  1. These files are not version controlled. Filenames, locations, and passwords change from time to time, or new information appears, and other information is removed. When secrets are stored separately from your repo, you can not tell for sure which version of the configuration file was used with each commit or deploy.

  2. When building the automated deployment system there will be one extra step: download and place these secret-configuration files where they need to be. This also means you have to maintain extra secure servers where all your secrets are stored.

How does git-secret solve these problems?

  1. git-secret encrypts files and stores them inside your git repository, providing a history of changes for every commit.
  2. git-secret doesn't require any extra deploy operations other than providing the appropriate private key (to allow decryption), and using git secret reveal to decrypt all the secret files.

What is git-secret?

git-secret is a bash tool to store your private data inside a git repo.

How's that? Basically, it uses gpg to encrypt files with the public keys of the users that you trust, and which you have specified with git secret tell email@address.id. Then these users can decrypt these files using their personal secret key.

Why deal with all this private/public key stuff? To make it easier to manage access rights. When you want to remove someone's access, use git secret removeperson email@address.id to delete their public key from your repo's git-secret keyring, and reencrypt the files. Then they won't be able to decrypt secrets anymore.

git-secret terminal preview