
Git - share secrets

Abstract

Sometimes you need to share secrets securely with teammates and also keep a history of those secrets. For this purpose git-crypt helps you handle secrets inside your git repository.

git-crypt enables transparent encryption and decryption of files in a git repository. Files which you choose to protect are encrypted when committed, and decrypted when checked out. git-crypt lets you freely share a repository containing a mix of public and private content.

Some features

  • Secrets are never pushed in clear text by accident
  • Credentials can be shared with teammates
  • Credentials can be put under version control

Installation

First we need to install git-crypt.

The build needs make. Change into a temporary directory first, then clone the repository and run the following commands.

git clone git@github.com:AGWA/git-crypt.git
cd git-crypt
make
make install

Remarks

  • For details, see the install instructions for git-crypt.
  • For users with Docker knowledge: a prepared Docker image with git-secret already installed is available:

docker run -v <local_git_repo>:/home/git-secrets/ andyaugustin/git-secrets:main git-crypt

Setup

GPG

We need a GPG key pair (in practice one may already exist for your e-mail address). Use the e-mail address that is configured for your git user.

First, check those settings:

$ git config --global user.email
john.doe@dummy.fake
$ git config --global user.name
John Doe

Keep those entries in mind or write them down :evil_imp:

Now generate the gpg key. Enter the name and e-mail address you just looked up.

gpg --gen-key

git-crypt

We need a git repository. Create a repository named git-crypt-test with your favourite git provider (e.g. GitHub, GitLab, Gitea, ...), then clone it and cd into it.

git clone <use_your_repo_url>/git-crypt-test
cd git-crypt-test

Now initialise git-crypt:

git-crypt init

Now we specify the files git-crypt should handle. That is easy: we just add a .gitattributes file listing the files we want to encrypt.

# printf is used because echo does not expand \n in every shell
printf '%s\n' \
  'secretfile filter=git-crypt diff=git-crypt' \
  '*.key filter=git-crypt diff=git-crypt' \
  'secretdir/** filter=git-crypt diff=git-crypt' >> .gitattributes

The .gitattributes file should now look like this:

secretfile filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
secretdir/** filter=git-crypt diff=git-crypt

The syntax is like that of a .gitignore file; the three rules mean:

  • handle all files named secretfile with git-crypt
  • handle all files with the extension .key with git-crypt
  • handle all files within the directory secretdir/ with git-crypt
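Before relying on the patterns it is worth asking git itself which paths they cover, since a file that does not match is committed in clear text without any warning. The script below is an added example (not code from the original page or from git-crypt): it builds a throwaway repository with the three rules above and uses git check-attr to resolve the filter attribute for a few constructed paths, including two that a reader might expect to be covered but are not. It assumes git is installed; the repository and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page or from git-crypt:
# ask git which paths a .gitattributes file hands to git-crypt, using
# git's own attribute matcher ("git check-attr") instead of guessing
# from the patterns. Assumes git is installed; the repository and the
# file names below are constructed for the demonstration.
set -eu

# Create a throwaway repository carrying the three rules from the page.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf '%s\n' \
        'secretfile filter=git-crypt diff=git-crypt' \
        '*.key filter=git-crypt diff=git-crypt' \
        'secretdir/** filter=git-crypt diff=git-crypt' > "$dir/.gitattributes"
    printf '%s\n' "$dir"
}

# Print the "filter" attribute git resolves for a path inside the repo:
# "git-crypt" when the path is protected, "unspecified" when it is not.
# The path does not have to exist yet, so this can be run before a file
# is created or committed.
git_crypt_filter_for() {
    repo=$1
    path=$2
    git -C "$repo" check-attr filter -- "$path" | sed 's/^.*: //'
}

# Report a list of candidate paths, flagging the ones git-crypt will not touch.
report_paths() {
    repo=$1
    shift
    for p in "$@"; do
        if [ "$(git_crypt_filter_for "$repo" "$p")" = "git-crypt" ]; then
            printf 'encrypted   %s\n' "$p"
        else
            printf 'CLEAR TEXT  %s\n' "$p"
        fi
    done
}

repo=$(make_demo_repo)
# A bare "secretfile" rule also matches in subdirectories, while "*.key"
# matches only the final extension: app.key.bak stays in clear text.
report_paths "$repo" to_encrypt.key config/secretfile secretdir/inner/cert.pem \
    app.key.bak README.md
rm -rf "$repo"
```

Running the same check over `git ls-files` in a real repository gives a quick inventory of which tracked files git-crypt will and will not encrypt.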

Now we add our git user to the secrets. For that we need the id of our gpg key.

gpg --list-key $(git config --global user.email)

(The id is shown on the pub line, between the / and the date.)

Copy it into any text editor.

Now we add the key to the keyring of the local git repository. Replace <USER_ID> with the id you copied into the text editor.

git-crypt add-gpg-user <USER_ID>

Now we add a file to be encrypted:

echo "This file will be encrypted" >> to_encrypt.key

and commit our changes:

git add .
git commit -m "add file to encrypt :lock:"

Now lock it and check the file:

git-crypt lock

Just check the file:

cat to_encrypt.key

It is encrypted. To unlock, type:

git-crypt unlock

Check the file again:

cat to_encrypt.key

The nice thing is that the file cannot be pushed to the git repository unencrypted. Let's test it:

git add .
git commit -m "add encrypted file"
git push

Check the file with your git provider. You can see that it is encrypted.
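Looking at the file in the provider's web UI works for one file, but a scripted check against the stored objects is what you want in CI or a pre-push hook, and it must not look at the working copy, which is in clear text while the repository is unlocked. The script below is an added example (not code from the original page or from git-crypt). It relies on one fact about git-crypt's format: every encrypted blob starts with the 10-byte header "\0GITCRYPT\0". It assumes POSIX sh with head, od, tr and sed; the sample files in demo() are constructed, and check_committed_tree additionally assumes git and a repository whose paths contain no newlines.

```shell
#!/bin/sh
# Added example, not code from the original page or from git-crypt: a
# check that a file is stored in git-crypt's encrypted form. git-crypt
# writes the 10-byte header "\0GITCRYPT\0" in front of every encrypted
# blob, so a stored object can be inspected for it without any key.
# Assumes POSIX sh with head, od, tr and sed; the sample files created
# in demo() are constructed for the demonstration, and check_committed_tree
# additionally assumes git and a repository whose paths have no newlines.
set -eu

GIT_CRYPT_HEADER_HEX=00474954435259505400   # hex of "\0GITCRYPT\0"

# Return 0 when the first 10 bytes read from stdin are the git-crypt header.
stream_is_git_crypt() {
    [ "$(head -c 10 | od -An -tx1 | tr -d ' \n')" = "$GIT_CRYPT_HEADER_HEX" ]
}

# Classify a file on disk as "encrypted" or "PLAINTEXT".
classify_file() {
    if stream_is_git_crypt < "$1"; then echo encrypted; else echo PLAINTEXT; fi
}

# Inspect the stored objects of a revision (default HEAD), not the working
# copy: every committed path whose filter attribute is git-crypt must carry
# the header. Prints the offenders and returns 1 if any protected path was
# committed in clear text.
check_committed_tree() {
    rev=${1:-HEAD}
    offenders=$(git ls-tree -r --name-only "$rev" | while IFS= read -r path; do
        [ "$(git check-attr filter -- "$path" | sed 's/^.*: //')" = "git-crypt" ] || continue
        if ! git cat-file blob "$rev:$path" | stream_is_git_crypt; then
            printf 'PLAINTEXT in %s: %s\n' "$rev" "$path"
        fi
    done)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    echo "all git-crypt paths in $rev are stored encrypted"
}

# Demonstration on two constructed files (no repository needed).
demo() {
    d=$(mktemp -d)
    # Constructed stand-in for an encrypted blob: the header plus dummy bytes.
    printf '\000GITCRYPT\000constructed nonce and ciphertext' > "$d/enc.key"
    # Constructed clear-text file that must be reported.
    printf 'db_password=example-only\n' > "$d/plain.key"
    classify_file "$d/enc.key"     # encrypted
    classify_file "$d/plain.key"   # PLAINTEXT
    rm -rf "$d"
}

demo
```

Inside a repository, `check_committed_tree` (or `check_committed_tree origin/main` before merging) is the scripted version of the check above; git cat-file returns the raw stored blob, so the result is the same whether the local checkout is locked or unlocked.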

Add users to git-crypt database

To add a user to git-crypt you need their public gpg key. Just tell the other user to run the following command:

gpg --armor --output public-key.gpg --export <key_mail_address>

Import the key file into your gpg keyring and set the trust level to ultimate:

gpg --import public-key.gpg
# get the id of the imported key
gpg --list-key <key_mail_address>
gpg --edit-key <key_id>
trust
# We need ultimate trust, so choose 5
save

Now you are able to add the user as before with:

# USER_ID is the id of the user's key in your public keyring
git-crypt add-gpg-user <USER_ID>

Now the other user is able to decrypt the file with git-crypt in the git repository :rocket:
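The interactive trust menu above is fine for one teammate at a keyboard; for onboarding by script the same step can be done non-interactively, and doing so is a good moment to verify the fingerprint before trusting anything. The script below is an added example (not code from the original page or from git-crypt): it computes the fingerprint of the received key file with gpg, compares it with the fingerprint the teammate passed on out of band, writes the ownertrust record that gpg --import-ownertrust expects (":6:" is ultimate trust, the level the page asks for) and then runs git-crypt add-gpg-user. It assumes a GnuPG 2.x that supports --show-keys and an installed git-crypt; the file name public-key.gpg, the fingerprints and the helper names are assumptions, not part of the page.

```shell
#!/bin/sh
# Added example, not code from the original page or from git-crypt: the
# key-import and trust step done non-interactively so it can be scripted.
# Instead of the interactive "trust" menu it feeds gpg an ownertrust record
# ("<fingerprint>:6:" is ultimate trust, the level the page asks for), and
# it validates the full fingerprint first so a mistyped or truncated value
# is rejected instead of being trusted. Assumes a GnuPG 2.x with --show-keys
# and git-crypt are installed, and that public-key.gpg and the teammate's
# fingerprint were received out of band; the key file, the fingerprints and
# the helper names here are assumptions, not part of the page.
set -eu

# A full OpenPGP v4 fingerprint is exactly 40 hex digits. Anything shorter
# (an 8- or 16-digit key id) is refused: short ids are easy to collide.
is_valid_fingerprint() {
    case $1 in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ ${#1} -eq 40 ]
}

# Build the record "gpg --import-ownertrust" expects (uppercase hex, level 6).
ownertrust_record() {
    fpr=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    if ! is_valid_fingerprint "$fpr"; then
        echo "invalid fingerprint: $1" >&2
        return 1
    fi
    printf '%s:6:\n' "$fpr"
}

# Fingerprint of the (first) key inside a public-key file, as gpg computes it.
fingerprint_in_file() {
    gpg --batch --with-colons --show-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import a teammate's key, confirm gpg's fingerprint matches the one received
# out of band, mark it ultimately trusted and add the user to git-crypt.
add_teammate() {
    keyfile=$1
    expected=$(printf '%s' "$2" | tr 'abcdef' 'ABCDEF')
    actual=$(fingerprint_in_file "$keyfile")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $keyfile: got $actual, expected $expected" >&2
        return 1
    fi
    gpg --batch --import "$keyfile"
    ownertrust_record "$expected" | gpg --batch --import-ownertrust
    git-crypt add-gpg-user "$expected"
}

# Usage (assumed values, run inside the git-crypt repository):
#   add_teammate public-key.gpg 0123456789ABCDEF0123456789ABCDEF01234567
```

Comparing the full fingerprint rather than the short id shown by gpg --list-key is the part that matters: the id from the list output is enough to select a key you already trust, but not to decide whether a key that just arrived by e-mail belongs to your colleague.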
