How to Install and Use Git-Secret

Posted on January 14, 2020 by David Singer

Category: Technical Support | Tags: Bash, Encrypt, Encryption, Git, Git Clone, Git Command, Git Environment, Git Repo, Git-Hook, Git-Secret, Gitconfig, GitHub, GnuPG, GPG, GPG Key, GPG Keypair, Keypair, Keys, PGP, Private Keys, Public Keys, Security, Security Practices, Ubuntu, Ubuntu 18.04

Reading Time: 3 minutes

What is Git-Secret?

Git-secret is a bash tool that is used to store your private files and information inside of a git repo on your server. The git-secret tool allows us to encrypt sensitive files that are stored inside a secure, encrypted repository. In this article, we will be examining the process of installing and working with git-secret on an 18.04 Ubuntu Server.

Prerequisites:

An 18.04 Ubuntu Server
A user with sudo privileges or be logged in as the root user
Git version 2.7.0 installed >
gpg (GnuPG) version 2.2.4 >

Installation

In order to install git-secret, we will begin by adding in a third-party repository to our /etc/apt/sources.list file.

echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list

As soon as this is complete, we can then download and install the gpg key for the repository. For this, we use the bash command:

wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -

Next, we can install git-secret using the normal install commands.

sudo apt-get update && sudo apt-get install git-secret

Add a GPG Key

Once we have git-secret installed, we need to add a gpg keypair to encrypt our data. If you do not have a gpg keypair setup, one must be created. To accomplish this, we use the gpg command:

gpg --full-generate-key

In order to create your keys, you will need to answer a few questions about who you are, what email address you would like to use, and a passphrase. GPG then collects random seed data and finishes by outputting a key pair, one public, one private. Once this is complete, we can move on to the next step of incorporating git-secret.

How Do I Use Git-Secret

Our initial task is to initialize the git-secret repo using the command:

git-secret init

If you have not set up a local git repository, you will be prompted to create or initialize one now. We can accomplish this with the command:

git init

Once this has been completed, we will go back and re-run the command:

git-secret init

Then, we will need to add an email address associated with the new key pair similar to what we did when creating the gpg key pair above. To accomplish this, use the command:

git-secret tell you@domain.com

This email should be the same as the email address you used with your gpg keys.

Now we can start adding files to your new secret repo with this command:

git-secret add filename.ext

We can also add multiple files by simply leaving a space in between the file names like so:

git-secret add file1.ext file2.ext file3.ext file4.ext

Once we have added the files to the secret repo, we can securely encrypt them using this command:

git-secret hide

Now that we have secured those files, we can commit our changes. We recommend incorporating the git-secret command into your git-hook config to ensure your changes are appropriately noted.

As a side note, Git hook scripts are useful for recognizing simple problems before they are submitted for a code review. You can run hook scripts on all of your commits to automatically point out smaller issues in your code, such as missing semicolons, trailing whitespace, and debug statements.

To decrypt a file or files, we can use the command:

git-secret reveal

Add Users

If you share a repository with other developers and need to add them as a user, we need to import their public gpg key using the command:

gpg --import key.txt

This step is useful for allowing other devs that are working on a project with you to encrypt and decrypt the files in your repo. Once their key is entered, we can add them to the secrets repository using the command:

git-secret tell user@domain.com

This entry will associate the user's email with the recently imported gpg key. Once this has been completed, those devs now have access to the data in the repo. Then, they will be able to work with the files using their gpg key passphrase, which will encrypt and decrypt the files.

Lastly, we can review the contents of a file using the command:

git secret cat

If the data is encrypted, git-secret/gpg will ask for your passphrase to decrypt the file.

That's it! You should now have a good working knowledge of git-secret and the many benefits it has to offer. Here is the full documentation for git-secret.

Our Support Teams are replete with talented Linux technicians and System administrators who have an intimate knowledge of multiple web hosting technologies, especially those discussed in this article. If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone @800.580.4985, a chat or support ticket to assisting you with this process.

About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....