Git - Store encrypted files

Store keys encrypted alongside the code in a git repository

Create a GPG pair

  • To generate an RSA key pair

    gpg --gen-key
  • Export your public key

    gpg --export your.email@address.com --armor > public-key.gpg
  • Import the public key of someone else (to share the secret with them)

    gpg --import public-key.gpg

Git-crypt

Install

  • Check git-crypt
  • Manual

    git clone https://www.agwa.name/git/git-crypt.git
    cd git-crypt
    make
    make install

Set up

  • Configure a repository

    cd repo
    git-crypt init
  • Specify files to encrypt by creating a .gitattributes file in the repository (no spaces around `=`, or git reads the attribute as something else and the file is committed in plaintext)

    secretfile filter=git-crypt diff=git-crypt
    *.key filter=git-crypt diff=git-crypt
    secretdir/** filter=git-crypt diff=git-crypt
    • Like a .gitignore file, it can match wildcards and should be checked into the repository.
    • Make sure you don’t accidentally encrypt the .gitattributes file itself (or other git files like .gitignore or .gitmodules).
    • Make sure your .gitattributes rules are in place before you add sensitive files, or those files won’t be encrypted!
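The three notes above are easy to get wrong silently, so here is an added example (not part of the original page or of git-crypt itself) that lints a .gitattributes file before secrets are added: it flags git-crypt rules written with spaces around `=` and catch-all patterns that would also encrypt git's own metadata files. The function name and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page or from git-crypt: sanity-check a
# .gitattributes file before committing secrets. Two mistakes are caught:
#  1. "filter = git-crypt" (spaces around '='): git does not parse this as the
#     git-crypt filter, so the matching file would be committed in plaintext.
#  2. a pattern such as "*" or ".git*" that also matches .gitattributes,
#     .gitignore or .gitmodules, which must never be encrypted.
# Usage: check_gitattributes path/to/.gitattributes   (exit 0 = clean)

check_gitattributes() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # blank line or comment
            *git-crypt*) ;;               # a git-crypt rule: inspect it below
            *) continue ;;                # unrelated attribute, ignore
        esac
        case "$line" in
            *'filter ='*|*'diff ='*|*'= git-crypt'*)
                echo "MALFORMED: '$line' (no spaces around '=' allowed)"
                rc=1; continue ;;
        esac
        # first whitespace-separated field is the path pattern
        pattern=$(printf '%s\n' "$line" | awk '{print $1}')
        case "$pattern" in
            '*'|'**'|'.*'|'.git*'|'.gitattributes'|'.gitignore'|'.gitmodules')
                echo "DANGEROUS: '$pattern' also matches git metadata files"
                rc=1 ;;
            *) echo "OK: $pattern" ;;
        esac
    done < "$1"
    return "$rc"
}
```

Run it against the repository's .gitattributes right after editing it and before `git add` of any sensitive file; a non-zero exit means at least one rule needs fixing. The check is deliberately conservative: it only understands the patterns listed and does not evaluate git's full attribute matching rules.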

Share (with GPG Mode)

  • Share the repository with others (or with yourself) using GPG

    # USER_ID can be a key ID, a full fingerprint, an email address...
    git-crypt add-gpg-user USER_ID
    # a GPG-encrypted key file is added and committed in the `.git-crypt` directory
  • After cloning a repository with encrypted files, unlock it (uses your GPG private key)

    git-crypt unlock

Git secret

Install

  • Check git-secret
  • Manual

    git clone https://github.com/sobolevn/git-secret.git git-secret
    cd git-secret && make build
    PREFIX="/usr/local" make install

Setup

  • Add the keyrings and information to make git-secret hide and reveal files in the repo

    # create the .gitsecret/ dir
    git secret init
    # it will also add the file `.gitsecret/keys/random_seed` to your `.gitignore`
  • Add the first user to the git-secret repo keyring

    git secret tell your@gpg.email
  • Add files you wish to encrypt inside the git-secret repository

    git secret add <filenames...>
    # those unencrypted files will also be added to .gitignore
  • Encrypt with the public keys of the users declared via `git secret tell`

    # it is recommended to run this command from a pre-commit hook
    git secret hide
  • Decrypt (it will prompt for your GPG passphrase)

    # decrypt
    git secret reveal
    # just show the decrypted content on screen
    git secret cat
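Because `git secret add` only protects you through .gitignore, a forced `git add -f` can still stage a plaintext secret. As an added example (not part of the original page or of git-secret), here is a pre-commit check that refuses a commit when any registered plaintext path is staged; it complements the recommendation above to run `git secret hide` from the hook. It assumes git-secret's registry file `.gitsecret/paths/mapping.cfg` with one `path` or `path:hash` entry per line, which is an assumption about git-secret's layout to verify against your installed version.

```shell
#!/bin/sh
# Added example, not from the original page or from git-secret: a pre-commit
# guard that blocks commits which stage a plaintext secret.
# Assumption: files registered with `git secret add` are listed in
# .gitsecret/paths/mapping.cfg, one per line, optionally as 'path:<hash>'.

# Print the registered plaintext paths, one per line (hash suffix stripped).
secret_paths() {
    sed -e '/^[[:space:]]*$/d' -e 's/:.*$//' "$1"
}

# $1 = mapping.cfg, $2 = file holding the staged paths (one per line).
# Prints every staged path that is a registered secret; exit 1 if any exist.
staged_plaintext_secrets() {
    tmp=$(mktemp)
    secret_paths "$1" > "$tmp"
    # -x whole-line match, -F literal strings, -f patterns taken from a file
    hits=$(grep -xF -f "$tmp" "$2" || true)
    rm -f "$tmp"
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Hook entry point: copy this file to .git/hooks/pre-commit and have it call
# itself with --hook (or just run the block below unconditionally there).
if [ "${1:-}" = "--hook" ]; then
    staged=$(mktemp)
    git diff --cached --name-only > "$staged"
    if ! staged_plaintext_secrets .gitsecret/paths/mapping.cfg "$staged"; then
        echo "pre-commit: plaintext secret(s) staged; run 'git secret hide' and stage the .secret files instead" >&2
        rm -f "$staged"
        exit 1
    fi
    rm -f "$staged"
fi
```

The comparison is on exact paths, so the encrypted `*.secret` outputs of `git secret hide` pass through while their plaintext counterparts are rejected.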

Share (with GPG Mode)

  • Get their GPG public key (the secret key is not needed)
  • Import this key into your GPG keyring (in ~/.gnupg or similar)

    gpg --import KEY_NAME.txt
  • Add this person to your secrets repo

    # tell the email address associated with the public key
    git secret tell persons@email.id
  • Re-encrypt the encrypted files so the new key can read them

    # -d deletes the unencrypted files after encrypting
    git secret reveal; git secret hide -d
  • Check it worked as expected by decrypting

    git secret reveal