@ -5,27 +5,28 @@ git-secret - bash tool to store private data inside a git repo.
These steps cover the basic process of using `git-secret`:
0. Before starting, [make sure you have created `gpg` RSA key-pair](#using-gpg): public and secret key identified by your email address.
0. Before starting, [make sure you have created a `gpg` RSA key-pair](#using-gpg): a public and a secret key identified by your email address.
1. Begin with an existing or new git repository. You'll use the 'git secret' commands to add the keyrings and information
to make the git-secret hide and reveal files in this repository.
to make `git-secret` hide and reveal files in this repository.
2. Initialize the `git-secret` repository by running `git secret init` command. the `.gitsecret/` folder will be created,
**Note** all the contents of the `.gitsecret/` folder should be checked in, /except/ the `random_seed` file.
In other words, of the files in .gitsecret, only the random_seed file should be mentioned in your .gitignore file.
2. Initialize the `git-secret` repository by running `git secret init` command. The `.gitsecret/` folder will be created.
**Note** all the contents of the `.gitsecret/` folder should be checked in, **/except/** the `random_seed` file.
In other words, of all the files in `.gitsecret/`, only the `random_seed` file should be mentioned in your `.gitignore` file.
By default, `git secret init` will add the file `.gitsecret/keys/random_seed` to your `.gitignore` file.
3. Add the first user to the git-secret repo keyring by running `git secret tell your@gpg.email`.
3. Add the first user to the `git-secret` repo keyring by running `git secret tell your@gpg.email`.
4. Now it's time to add files you wish to encrypt inside the `git-secret` repository.
It can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
.gitignore, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted.
This can be done by running `git secret add <filenames...>` command. Make sure these files are ignored by mentions in
`.gitignore`, otherwise `git-secret` won't allow you to add them, as these files could be stored unencrypted. In the default configuration, `git-secret add` will automatically add the unencrypted versions of the files to `.gitignore` for you.
5. When done, run `git secret hide` to encrypt all files which you have added by the `git secret add` command.
The data will be encrypted with the public-keys described by the `git secret tell` command.
After using `git secret hide` to encrypt your data, it is safe to commit your changes.
**NOTE:**. It's recommended to add `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
**NOTE:** It's recommended to add the `git secret hide` command to your `pre-commit` hook, so you won't miss any changes.
6. Later you can decrypt files with the `git secret reveal` command, or just show their contents to stdout with the
6. Later you can decrypt files with the `git secret reveal` command, or just print their contents to stdout with the
`git secret cat` command. If you used a password on your GPG key (always recommended), it will ask you for your password.
And you're done!
@ -33,7 +34,7 @@ And you're done!
1. [Get their `gpg` public-key](#using-gpg). **You won't need their secret key.**
2. Import this key into your `gpg` setup (in ~/.gnupg or similar) by running `gpg --import KEY_NAME.txt`
2. Import this key into your `gpg` keyring (in `~/.gnupg` or similar) by running `gpg --import KEY_NAME.txt`
3. Now add this person to your secrets repo by running `git secret tell persons@email.id`
(this will be the email address associated with the public key)
@ -41,7 +42,7 @@ And you're done!
4. The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using
`git secret reveal; git secret hide -d`, and then commit and push the newly encrypted files.
(The -d options deletes the unencrypted file after re-encrypting it).
Now the newly added user be able to decrypt the files in the repo using `git-secret`.
Now the newly added user will be able to decrypt the files in the repo using `git-secret reveal`.
Note that it is possible to add yourself to the git-secret repo without decrypting existing files.
It will be possible to decrypt them after re-encrypting them with the new keyring. So, if you don't
@ -49,7 +50,7 @@ want unexpected keys added, you can configure some server-side security policy w
### Using gpg
You can follow a quick gpg tutorial at https://www.devdungeon.com/content/gpg-tutorial. Here are the most useful commands to get started:
You can follow a quick `gpg` tutorial at [devdungeon](https://www.devdungeon.com/content/gpg-tutorial). Here are the most useful commands to get started:
To generate a RSA key-pair, run:
@ -69,11 +70,11 @@ To import the public key of someone else (to share the secret with them for inst
gpg --import public-key.gpg
```
Be sure to use a secure channel to share your public key!
To make sure you get the original public keys of the indicated persons, be sure to use a secure channel to transfer it, or use a service you trust, preferably one that uses encryption such as Keybase, to retrieve their public key. Otherwise you could grant the wrong person access to your secrets by mistake!
### Using git-secret for Continuous Integration / Continuous Deployment (CI/CD)
When using git-secret for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
When using `git-secret` for CI/CD, you get the benefit that any deployment is necessarily done with the correct configuration, since it is collocated
teutates
4 years ago
committed by
GitHub