Archives
/
git-secret
mirror of https://github.com/sobolevn/git-secret
2
1
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
gh-pages
master
sobolevn-patch-5
verbose-test-output-2024
dependabot/docker/dot-ci/release-ci/ubuntu/ubuntu-24.04
dependabot/docker/dot-ci/docker-ci/ubuntu/ubuntu-24.04
dependabot/github_actions/actions/github-script-7
sobolevn-patch-4
test-apk-and-arch
issue-881-towards-new-release
issue-916-disable-arch-tests
issue-135-spaces-in-parent-dirs
issue-918-stat-on-osx
fix-arch-signature-issue
sobolevn-patch-3
sobolevn-patch-2
sobolevn-patch-1
gitignore-grep-improvement
update-changelog
update-bats-to-1.6.0
add-multiple-files-gitignore
automated-verbose-test
passphrase1
test-on-arch
renames1
revert_usage_error_change
alma-tests
issue-765-rocky-linux
issue-755-changelog-for-bats-update
issue-638-dup-emails-test
issue-710-changelog
issue-752-add-directory
issue-710-cat-subdir-bug
v0.5.0
v0.4.0
v0.3.3
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.2
v0.1.1
v0.1.0
prerelease
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.7-alpha
v0.3.0
v0.3.1
v0.3.2
v0.4.0.alpha1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '03400da580'
${ noResults }
git-secret/man/man7/git-secret.7

167 lines
6.2 KiB
Groff
Raw Blame History

.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "GIT\-SECRET" "7" "March 2016" "" ""
.
.SH "NAME"
\fBgit\-secret\fR
.
.SH "Content"
.
.IP "1." 4
\fIIntro\fR
.
.IP "2." 4
\fIInstallation\fR
.
.IP "3." 4
\fIUsage\fR
.
.IP "" 0
.
.SH "Intro"
There\'s a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret\-keys, OAuth secret keys and so on, outside of the git repository\. Even if this repository is private, it is a security risk to just publish them into the world wide web\. What are the drawbacks of storing them separately?
.
.IP "1." 4
These files are not version controlled\. Filenames change, locations change, passwords change from time to time, some new information appears, other is removed\. And you can not tell for sure which version of the configuration file was used with each commit\.
.
.IP "2." 4
When building the automated deployment system there will be one extra step: download and place these secret\-configuration files where they need to be\. So you have to maintain an extra secure server, where everything is stored\.
.
.IP "" 0
.
.SS "How does <code>git\-secret</code> solve these problems?"
.
.IP "1." 4
\fBgit\-secret\fR encrypts files and stores them inside the \fBgit\fR repository, so you will have all the changes for every commit\.
.
.IP "2." 4
\fBgit\-secret\fR doesn\'t require any other deploy operations rather than \fBgit secret reveal\fR, so it will automatically decrypt all the required files\.
.
.IP "" 0
.
.SS "What is <code>git\-secret</code>?"
\fBgit\-secret\fR is a bash tool to store your private data inside a \fBgit\fR repo\. How\'s that? Basically, it just encrypts, using \fBgpg\fR, the tracked files with the public keys of all the users that you trust\. So everyone of them can decrypt these files using only their personal secret key\. Why deal with all this private\-public keys stuff? Well, to make it easier for everyone to manage access rights\. There are no passwords that change\. When someone is out \- just delete his public key, reencrypt the files, and he won\'t be able to decrypt secrets anymore\.
.
.SH "Installation"
.
.SS "Dependencies"
\fBgit secret\fR relies on two dependecies: \fBgit\fR \fIhttps://git\-scm\.com/\fR and \fBgpg\fR \fIhttps://www\.gnupg\.org/\fR\. Download and install them before using this project\. \fBgit\-secret\fR is tested to work with:
.
.IP "" 4
.
.nf
git version 2\.7\.0
gpg (GnuPG) 1\.4\.20
.
.fi
.
.IP "" 0
.
.SS "Supported platforms"
\fBgit secret\fR works with \fBMac OS X\fR >= 10\.9, \fBUbuntu\fR >= 14\.04 and \fBDebian\fR >= 8\.3 You can add your platform to this list, if all the tests pass for you\. \fBCygwin\fR support is planned\.
.
.SS "Installation process"
There are several ways to install \fBgit\-secret\fR:
.
.P
\fBBrew\fR
.
.IP "1." 4
Run \fBbrew install sobolevn/tap/git\-secret\fR
.
.IP "" 0
.
.P
\fB\fBantigen\fR plugin (or any other \fBoh\-my\-zsh\fR\-styled plugin\-systems)\fR
.
.IP "1." 4
Add line \fBantigen bundle sobolevn/git\-secret\fR to your \fB\.zshrc\fR
.
.IP "2." 4
Run \fBsource ~/\.zshrc\fR or reopen the terminal
.
.IP "" 0
.
.P
\fB\fBmake install\fR\fR
.
.IP "1." 4
Download the latest realease here \fIhttps://github\.com/sobolevn/git\-secret/releases\fR
.
.IP "2." 4
Unpack and run \fBmake install PREFIX="your/installation/path"\fR, note that this command may require \fBsudo\fR
.
.IP "" 0
.
.P
\fBThe hard way\fR
.
.IP "1." 4
Clone the repository first: \fBgit clone https://github\.com/sobolevn/git\-secret\.git git\-secret\fR
.
.IP "2." 4
Run \fBcd git\-secret && make build\fR
.
.IP "3." 4
Move \fBgit\-secret\fR file and \fBman/\fR folder somewhere inside your \fB$PATH\fR, or extend your \fB$PATH\fR to contain \fBgit\-secret\fR file and \fBman/\fR folder
.
.IP "" 0
.
.P
\fBLocal \fB\.deb\fR package\fR
.
.IP "1." 4
Download the latest realease here \fIhttps://github\.com/sobolevn/git\-secret/releases\fR
.
.IP "2." 4
Unpack, and run \fBmake build\-deb\fR, it is possible to set the output folder with \fB$SCRIPT_BUILD_DIR\fR variable\.
.
.IP "3." 4
Install the local \fB\.deb\fR package with \fBdpkp \-i git\-secret\-package\-name\.deb\fR, note that this command may require \fBsudo\fR and the package name will be different
.
.IP "" 0
.
.SH "Usage"
These steps cover the basic process of using \fBgit\-secret\fR:
.
.IP "1." 4
Before starting, make sure you have created \fBgpg\fR RSA key\-pair: public and secret key identified by your email address\.
.
.IP "2." 4
Initialize \fBgit\-secret\fR repository by running \fBgit secret init\fR command\. \fB\.gitsecret/\fR folder will be created\.
.
.IP "3." 4
Add first user to the system by running \fBgit secret tell your@gpg\.email\-id\fR\.
.
.IP "4." 4
Now it\'s time to add files you wish to encrypt inside the \fBgit\-secret\fR repository\. It can be done by running \fBgit secret add <filenames\.\.\.>\fR command\. Make sure these files are ignored, otherwise \fBgit secret\fR won\'t allow you to add them, as these files will be stored unencrypted\.
.
.IP "5." 4
When done, run \fBgit secret hide\fR all files, which you have added by \fBgit secret add\fR command will be encrypted with added public\-keys by the \fBgit secret tell\fR command\. Now it is safe to commit your changes\. \fBBut\fR\. It\'s recommended to add \fBgit secret hide\fR command to your \fBpre\-commit\fR hook, so you won\'t miss any changes\.
.
.IP "6." 4
Now decrypt files with \fBgit secret reveal\fR command\. It will ask you for your password\. And you\'re done!
.
.IP "" 0
.
.SS "I want to add someone to the repository"
.
.IP "1." 4
Get his \fBgpg\fR public\-key\. \fBYou won\'t need their secret key\.\fR
.
.IP "2." 4
Import this key inside your \fBgpg\fR by running \fBgpg \-\-import KEY_NAME\fR
.
.IP "3." 4
Now add this person to the \fBgit\-secret\fR by running \fBgit secret tell persons@email\.id\fR
.
.IP "4." 4
Reencypt the files, now they will be able to decrypt them with their secret key\.
.
.IP "" 0
.
.P
Note, that it is possible to add yourself to the system without decrypting existing files\. It will be possible to decrypt them after reencrypting them with the new keyring\. So, if you don\'t want unexpected keys added, make sure to configure some server\-side security policy with the \fBpre\-receive\fR hook\.
Reference in New Issue View Git Blame Copy Permalink