3.2 KiB
layout | title | date | permalink | categories |
---|---|---|---|---|
post | git-secret-hide | 2023-12-28 15:37:04 +0000 | git-secret-hide | command |
git-secret-hide - encrypts all added files with repo keyring.
SYNOPSIS
git secret hide [-c] [-F] [-P] [-v] [-d] [-m]
DESCRIPTION
git-secret-hide
- writes an encrypted version of each file added by git-secret-add
command.
Then anyone enabled via git secret tell
can decrypt these files.
Under the hood, git-secret
uses the keyring of public keys in .gitsecret/keys
to encrypt files,
encrypted versions are typically called filename.txt.secret
.
Later permitted users can use their secret key (typically from their home directory) to decrypt files.
It is recommended to encrypt (or re-encrypt) all the files in a git-secret
repo each
time git secret hide
is run.
Otherwise the keyring (the one stored in .gitsecret/keys/*.gpg
),
may have changed since the last time the files were encrypted, and it's possible
to create a state where the users in the output of git secret whoknows
may not be able to decrypt the some files in the repo, or may be able decrypt files
they're not supposed to be able to.
In other words, unless you re-encrypt all the files in a repo each time you hide
any,
it's possible to make it so some files can no longer be decrypted by users who should be
(and would appear) able to decrypt them, and vice-versa.
If you know what you are doing and wish
to encrypt or re-encrypt only a subset of the files
even after reading the above paragraphs, you can use the -F
or -m
options.
The -F
option forces git secret hide
to skip any hidden files
where the unencrypted versions aren't present.
The -m
option skips any hidden files that have
not be been modified since the last time they were encrypted.
OPTIONS
-v - verbose, shows extra information.
-c - deletes encrypted files before creating new ones.
-F - forces hide to continue if a file to encrypt is missing.
-P - preserve permissions of unencrypted file in encrypted file.
-d - deletes unencrypted files after encryption.
-m - encrypt files only when modified.
-h - shows help.
ENV VARIABLES
SECRETS_GPG_COMMAND
changes the defaultgpg
command to anything elseSECRETS_GPG_ARMOR
is a boolean to enable--armor
mode to store secrets in text format over binarySECRETS_DIR
changes the default.gitsecret/
folder to another name as documented at git-secret(7)SECRETS_EXTENSION
changes the default.secret
file extensionSECRETS_VERBOSE
changes the output verbosity as documented at git-secret(7)SECRETS_PINENTRY
changes thegpg --pinentry
mode as documented at git-secret(7)
MANUAL
Run man git-secret-hide
to see this document.
SEE ALSO
git-secret-init(1), git-secret-tell(1), git-secret-add(1), git-secret-reveal(1), git-secret-cat(1)