WRITELOOP

GIT-SECRET COOKBOOK

2021 September 17

I have been searching for a simple way to manage secrets on a repository, leveraging known tools. Then I came across git-secret for that purpose. It provides the following features:

  • Encrypts the files with all users' public keys; each user decrypts with their own private key
  • A new user will not immediately be able to decrypt files; they have to be re-encrypted by the owner
  • To remove a user's access to the files, just remove their public key and re-encrypt the files

Below is a cookbook on how to install it and do common operations with it.

Cookbook

  • Enable git-secret on a repository:
$ sudo rpm -i <git-secret.rpm>  # (the package must be downloaded from git-secret.io if it is not in your distribution's repository)
$ gpg --gen-key  # generate gpg key (fill in real name with a unique name, and the email with the email)
$ git secret init  # to initialize the secret feature
$ git secret tell <email-from-the-user-gpg-key>  # add a user so he can see the secrets
$ git secret add -i <file>  # add the file that has the secret, and auto-adds to .gitignore also
$ git secret hide -d # encrypt/re-encrypt files (-d removes the file after the encryption is done)
$ git secret reveal  # decrypt secret files
  • Add a new user to see the secrets:
$ # he must also install git-secret
$ gpg --gen-key  # generate gpg key (fill in real name with a unique name, and the email with the email)
$ gpg --armor --output key.txt --export <email-used-on-the-generated-key>  # export the public key
$ # (send the key.txt file to the owner - so that he can enable this key to the repository)
$ # BELOW MUST BE DONE BY THE OWNER:
$ gpg --import key.txt  # import the new user key
$ git secret tell <email-from-the-user-gpg-key>  # add the new user with the email he used on the public key, so he can see the secrets
$ # re-encrypt the files:
$ git secret reveal  # decrypt all files
$ git secret hide -d  # re-encrypt the files (-d removes the raw ones after the encryption is done)
$ # add, commit and push to the repository
$ # he must clone the repository and enter the folder into where it was cloned
$ git pull
$ git secret reveal
  • Remove a secret file from the REPOSITORY (to remove it from version control):
$ git secret reveal  # reveal all secrets first, then:
$ git secret remove -c <file>  # this must be the raw file, NOT the `.secret`
$ # then, you must also remove <file> from .gitignore

IMPORTANT: To remove a revealed (raw) file with secrets from the filesystem (your current local copy), just use a simple rm command. e.g.: rm <file>

  • Remove a user’s access to the secrets on REPOSITORY:
$ git secret killperson their@email.com
$ # re-encrypt the files as explained above, and they won't be able to decrypt the new versions anymore
$ # (they still hold a key for every older .secret file in the git history, so rotate the secret values themselves as well)
$ # add, commit and push to the repository
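The steps above rely on two invariants that are easy to break by hand: every file registered with `git secret add -i` must have an encrypted `<file>.secret` beside it (otherwise `hide` was forgotten) and the raw path must stay in `.gitignore` (otherwise a later `git add .` commits plaintext). The script below is an added example, not code from the original post or from the git-secret project. It reads `.gitsecret/paths/mapping.cfg` (assumed format: one `path` or `path:checksum` per line, relative to the repository root) and reports any registered secret that violates either invariant, so it can run as a pre-commit hook. It checks `.gitignore` for an exact line match, which is what `git secret add -i` writes; a wildcard pattern that also covers the file would be reported as a false positive.

```shell
#!/bin/sh
# Added example (not from the original post or the git-secret project).
# check_secret_hygiene REPO_DIR
#   For every path listed in REPO_DIR/.gitsecret/paths/mapping.cfg
#   (assumed format: "path" or "path:checksum" per line), verify that
#     1. REPO_DIR/<path>.secret exists   (file was encrypted with 'git secret hide')
#     2. <path> is an exact line in .gitignore (raw file cannot be committed)
#   Prints one line per finding; returns 0 if clean, 1 if any violation,
#   2 if the repository is not git-secret enabled.
check_secret_hygiene() {
    repo="$1"
    mapping="$repo/.gitsecret/paths/mapping.cfg"
    ignore="$repo/.gitignore"
    failures=0
    [ -f "$mapping" ] || { echo "no git-secret mapping at $mapping"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        path="${line%%:*}"            # strip optional ":checksum" suffix
        if [ ! -f "$repo/$path.secret" ]; then
            echo "MISSING ENCRYPTED: $path.secret (run 'git secret hide')"
            failures=$((failures + 1))
        fi
        if ! grep -qxF -- "$path" "$ignore" 2>/dev/null; then
            echo "NOT IGNORED: $path (raw secret could be committed)"
            failures=$((failures + 1))
        fi
    done < "$mapping"
    [ "$failures" -eq 0 ]
}

# make_demo_repo: builds a constructed repository layout in a temp dir and
# prints its path. config/db.env is handled correctly; certs/key.pem was
# registered but never encrypted and is missing from .gitignore.
make_demo_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/.gitsecret/paths" "$d/config" "$d/certs"
    printf 'config/db.env:deadbeef\ncerts/key.pem\n' > "$d/.gitsecret/paths/mapping.cfg"
    printf 'config/db.env\n' > "$d/.gitignore"
    : > "$d/config/db.env.secret"      # encrypted copy present
    : > "$d/certs/key.pem"             # raw secret, never hidden
    echo "$d"
}

# Demo run: the constructed repo has two violations for certs/key.pem.
demo_dir=$(make_demo_repo)
if check_secret_hygiene "$demo_dir"; then
    echo "clean"
else
    echo "violations found in $demo_dir"
fi
```

Wire it into `.git/hooks/pre-commit` as `check_secret_hygiene "$(git rev-parse --show-toplevel)" || exit 1` so a commit is refused until `git secret hide` has been run and the raw path is ignored again.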