Git Secret

Updated on 28 Dec 2018

This tutorial will show you how to use git-secret (git-secret.io) to encrypt configuration files before they get pushed to GitHub, and to decrypt them again after they are pulled down.

Installation

Installation of git-secret is fairly straightforward; however, it is not in the standard apt repositories, so we need to add the project's repository first.

echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
sudo apt-get update 

sudo apt-get install git-secret

Initialization

Just like you initialize your git project, you also need to initialize git-secret. There are just a couple of steps needed.

  • git secret init – initializes git-secret on your project.
  • git secret tell <user> – adds a user (identified by the e-mail address of their gpg key) to the secret list.

Once that has been done, we can start adding files with git secret add.

Add a file to be encrypted

This adds a file to the encryption list and simultaneously adds the unencrypted file to .gitignore. Once you have added a file, it stays in the encryption list until you remove it.

git secret add -i secret-file1.txt

The -i option means that the file is automatically added to .gitignore. Without it, you would need to add the file to .gitignore manually; otherwise git will commit both the encrypted file and the unencrypted one.

git-secret: abort: file tracked in git…

If you are adding files to git-secret retrospectively, you may see an error such as the one below.

git-secret: abort: file tracked in git, consider using 'git rm --cached AUTHORS.txt'

If this is the case, you will need to remove the file from git tracking.

git rm --cached <filename>

And then continue onwards…

Additionally, I will write another section soon on how to remove a file from git history.

Encrypt files

git secret hide

This will encrypt the files that you added in the previous step. The encrypted files have a .secret extension. I’ve already added several other files to the list, which is why 3 files are being encrypted with this call.

Decrypt files

git secret reveal

Use -f to remove the warning messages.

Remove encrypted files from local machine

git secret clean

Remove a file from the encryption list

git secret remove secret-file1.txt

N.B. This does not remove the entry from the .gitignore file; you will need to do that manually.
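As an added example (not part of git-secret or of this tutorial), the following POSIX shell script audits a working tree for the three mistakes described above before anything is pushed: a path in the encryption list that is missing from .gitignore, a file that was added but never hidden, and a plaintext file that git still tracks. It assumes git-secret records its paths in .gitsecret/paths/mapping.cfg, one path (optionally followed by a colon and a checksum) per line, and that git secret hide writes <path>.secret beside each plaintext file. The sample tree and the tracked-files list (a stand-in for the output of git ls-files) are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added audit example; not part of git-secret or of this tutorial.
# Assumptions: git-secret lists its paths in .gitsecret/paths/mapping.cfg,
# one "path" or "path:checksum" per line, and `git secret hide` writes
# <path>.secret beside each plaintext file.

# listed_in PATTERN FILE: succeed if FILE contains PATTERN as a whole line.
listed_in() {
    grep -qxF -- "$1" "$2"
}

# audit_secrets ROOT TRACKED: print one finding per line for every path in
# ROOT/.gitsecret/paths/mapping.cfg. TRACKED is a file holding one tracked
# path per line (in a real repo: `git ls-files > tracked.txt`).
# Returns the number of findings, so 0 means the tree is clean.
audit_secrets() {
    root=$1
    tracked=$2
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        path=${line%%:*}                      # strip the optional checksum
        if ! listed_in "$path" "$root/.gitignore"; then
            echo "NOT-IGNORED $path (plaintext would be committed; add it to .gitignore)"
            findings=$((findings + 1))
        fi
        if [ ! -f "$root/$path.secret" ]; then
            echo "NOT-HIDDEN  $path (run 'git secret hide')"
            findings=$((findings + 1))
        fi
        if listed_in "$path" "$tracked"; then
            echo "TRACKED     $path (run 'git rm --cached $path')"
            findings=$((findings + 1))
        fi
    done < "$root/.gitsecret/paths/mapping.cfg"
    return "$findings"
}

# make_sample_tree: build a constructed working tree in a temp dir and echo
# its path. db.env is handled correctly; api_key.txt was added without -i;
# AUTHORS.txt was added but never hidden and is still tracked by git.
# The checksums and file names are made up for the demo.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.gitsecret/paths"
    printf 'db.env:0123abcd\napi_key.txt:4567ef01\nAUTHORS.txt\n' \
        > "$dir/.gitsecret/paths/mapping.cfg"
    printf 'db.env\nAUTHORS.txt\n' > "$dir/.gitignore"
    # Constructed stand-in for `git ls-files` output.
    printf 'README.md\nAUTHORS.txt\ndb.env.secret\napi_key.txt.secret\n' \
        > "$dir/tracked-files.txt"
    for f in db.env db.env.secret api_key.txt api_key.txt.secret AUTHORS.txt; do
        : > "$dir/$f"
    done
    echo "$dir"
}

# Stand-alone demo: audit the constructed tree, then clean up.
tree=$(make_sample_tree)
if audit_secrets "$tree" "$tree/tracked-files.txt"; then
    echo "clean: safe to push"
else
    echo "$? finding(s): fix before pushing"
fi
rm -rf "$tree"
```

In a real repository you would call audit_secrets with the repository root and a file produced by git ls-files, for example from a pre-push hook, so that a secret added without -i or a forgotten git secret hide is caught before the plaintext leaves the machine.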

List all the files in the encryption list

git secret list

List all the users that can access the encrypted files

git secret whoknows

Add a user to the encryption ring

This requires the use of gpg with a public/private key pair. The private key stays with the developer; we need to import the developer's public key into the gpg keystore and then add the key to the git-secret encryption ring. My other notes talk about importing keys. Also, I believe that the key's e-mail address (used as its ID) should match the git account e-mail address that is being used.

git secret tell sooty@sooty.com

NB Once you’ve added a user to the encryption ring, you will need to re-encrypt the files (git secret hide) in order for the other developer to be able to access them.

Remove a user from the encryption ring

git secret killperson sooty@sooty.com

NB Once you’ve removed a user, you can re-encrypt the files (this is done without their public key), and they won’t be able to access the files anymore. Bear in mind that .secret files in revisions already pushed were encrypted to their key, so any secret they could previously read should be rotated.