Abstract
In some cases you want to securely share secrets with other teammates. Furthermore you want to have a history of those secrets. For this purpose Git crypt helps you to handle secrets within your git repository.
git-crypt enables transparent encryption and decryption of files in a git repository. Files which you choose to protect are encrypted when committed, and decrypted when checked out. git-crypt lets you freely share a repository containing a mix of public and private content.
Some features
- No accidentaly push secrets in clear text
- Possible to Share credentials
- Put credentials into version control
Installation
First we need to install git-crypt
We need make for the installation.
Please clone the repo and use the following commands.
Please cd in a temporary directory first.
git clone git@github.com:AGWA/git-crypt.git
cd git-crypt
make
make install
Remarks
- for details please check install instructions to install git-crpyt.
- For users with docker knowledge: have prepared a docker image where git-secret is already installed.
docker run -v <local_git_repo>:/home/git-secrets/ andyaugustin/git-secrets:main git-crypt
Setup
GPG
We need a key-pair (maybe in reality it is already created for your mail adress) Use the mail adress which is added to your git user
First we want to check those settings
$ git config --global user.email
john.doe@dummy.fake
$ git config --global user.name
John Doe
keep those entries in your mind or write them down :evil_imp:
Now we want to generate the gpg key. Type in the name and mail you just received.
gpg --gen-key
git-crypt
We need to have a git repository available. Please create a repository with name git-crypt-test in your favourite
git provider (e.q. GitHub, GitLab, Gitea, …).
Please clone the repository and cd into it.
git clone <use_your_repo_url>/git-crypt-test
cd git-crypt-test
Now we need to init git-crypt
git-crypt init
Now we want to specify files we want to monitor and handle with git-crypt That is easy. Therefore we just need to add a .gitattributes file with the files we want to encrypt.
echo "secretfile filter=git-crypt diff=git-crypt\n*.key filter=git-crypt diff=git-crypt\nsecretdir/** filter=git-crypt diff=git-crypt" >> .gitattributes
The content of the .gitattributes file should look now
secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
secretdir/** filter=git-crypt diff=git-crypt
This is like a .gitignore file and has the following content.
- handle all files with name secretfile with git-crypt
- handle all files with extension *.key with git-crypt
- handle all files within directory secretdir/ with git-crypt
Now we add our git user to the secrets. Therefore we need to get the id of our gpg key.
gpg --list-key $(git config --global user.email)
(The id is at pub between / and the date).
Copy it to any text editor.
Now we add the key to the keyring of the local git repository database. Please replace <USER_ID> with the id you copied to the text editor.
git-crypt add-gpg-user <USER_ID>
Now we add a file for encryption.
echo "This file will be encrypted" >> to_encrypt.key
and commit our changes
git add .
git commit -m "add file to encrypt 🔒"
Now lock the file and check it
git-crypt lock
just check the file
cat to_encrypt.key
it is encrypted. For unlocking type
git-crypt unlock
Check the file again
cat to_encrypt.key
The nice thing is that it is not possible to push the unencrypted file to git repo. Lets test it.
git add .
git commit -m "add encrypted file"
git push
Check the file in your favourite git provider. You can see that it is encrypted.
Add users to git-crypt database
To add a user to git-crypt you need the public gpg file. Just tell the other users to use the following command
gpg --armor --output public-key.gpg --export <key_mail_address>
Import the key file into your gpg keyring and add trust level ultimate
gpg --import public-key.gpg
# get the id of the imported key
gpg --list-key <key_mail_address>
gpg --edit-key <key_id>
trust
# We need ultimate trust, so choose 5
save
now you are able to add the user as before with
# the user_id is the id of the user in your public key_ring
git-crypt add-gpg-user <USER_ID>
Now the other user is able to decrypt the file with git-crypt in the git repository 🚀
