What is Git-Secret?
Git-secret is a bash tool used to store private files and information inside a git repository on your server. It lets you encrypt sensitive files so that they are stored in the repository only in encrypted form. In this article, we will walk through installing and working with git-secret on an Ubuntu 18.04 server.
- An Ubuntu 18.04 server
- A user with sudo privileges, or being logged in as the root user
- Git version 2.7.0 or newer installed
- gpg (GnuPG) version 2.2.4 or newer
To install git-secret, we begin by adding a third-party repository to our /etc/apt/sources.list file.
echo "deb https://dl.bintray.com/sobolevn/deb git-secret main" | sudo tee -a /etc/apt/sources.list
Once this is done, we download and import the GPG signing key for that repository. For this, we use the bash command:
wget -qO - https://api.bintray.com/users/sobolevn/keys/gpg/public.key | sudo apt-key add -
Next, we can install git-secret using the normal install commands.
sudo apt-get update && sudo apt-get install git-secret
Add a GPG Key
Once git-secret is installed, we need a gpg keypair to encrypt our data. If you do not have a gpg keypair set up, one must be created. To accomplish this, we use the gpg command:
To create your keys, you will need to answer a few questions about who you are, which email address you would like to use, and a passphrase. GPG then collects random seed data and finishes by outputting a key pair: one public key and one private key. Once this is complete, we can move on to setting up git-secret.
How Do I Use Git-Secret?
Our initial task is to initialize the git-secret repo using the command:
If you have not set up a local git repository, you will be prompted to create or initialize one now. We can accomplish this with the command:
Once this has been completed, we will go back and re-run the command:
Then we need to tell git-secret which email address is associated with the new key pair, the same address we used when creating the gpg key pair above. To accomplish this, use the command:
git-secret tell firstname.lastname@example.org
This email should be the same as the email address you used with your gpg keys.
Now we can start adding files to our new secret repo with this command:
git-secret add filename.ext
We can also add multiple files at once by separating the file names with spaces, like so:
git-secret add file1.ext file2.ext file3.ext file4.ext
Once we have added the files to the secret repo, we can encrypt them using this command:
Now that those files are secured, we can commit our changes. We recommend incorporating the git-secret command into your git hook configuration so that the encrypted copies are kept in step with your changes on every commit.
As a side note, Git hook scripts are useful for recognizing simple problems before they are submitted for a code review. You can run hook scripts on all of your commits to automatically point out smaller issues in your code, such as missing semicolons, trailing whitespace, and debug statements.
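The hook idea above, as an added example that is not from the article or from the git-secret project: a pre-commit script that refuses the commit if a plaintext file tracked by git-secret is staged, which complements running git secret hide in the same hook. It assumes git-secret records its tracked paths in .gitsecret/paths/mapping.cfg (one "path" or "path:checksum" per line) and that the script is installed as .git/hooks/pre-commit; the sample data at the bottom is constructed so the check can be tried outside a repository.

```shell
#!/bin/sh
# pre-commit hook (assumed location: .git/hooks/pre-commit) that refuses a commit
# if a plaintext file tracked by git-secret is staged. Assumption: git-secret keeps
# its list of tracked files in .gitsecret/paths/mapping.cfg, one "path" or
# "path:checksum" per line.
MAPPING=".gitsecret/paths/mapping.cfg"

# secret_paths: read mapping.cfg lines on stdin, print just the plaintext paths
secret_paths() {
  sed -e 's/:.*$//' -e '/^[[:space:]]*$/d'
}

# staged_secrets MAPPING_TEXT STAGED_TEXT: print every tracked plaintext path
# that also appears in the staged list (both arguments newline-separated)
staged_secrets() {
  printf '%s\n' "$1" | secret_paths | while IFS= read -r p; do
    if printf '%s\n' "$2" | grep -Fxq -- "$p"; then
      printf '%s\n' "$p"
    fi
  done
}

# hook_check MAPPING_TEXT STAGED_TEXT: 0 if the commit is safe, 1 if it would
# leak a plaintext secret (the offending paths are reported on stderr)
hook_check() {
  leaks=$(staged_secrets "$1" "$2")
  if [ -n "$leaks" ]; then
    printf 'pre-commit: refusing to commit plaintext secrets:\n%s\n' "$leaks" >&2
    return 1
  fi
  return 0
}

# Real hook mode: inside a git-secret repo, compare the mapping with git's index.
if [ -f "$MAPPING" ]; then
  hook_check "$(cat "$MAPPING")" "$(git diff --cached --name-only --diff-filter=AM)"
  exit $?
fi

# Constructed sample data (not from any real repository) so the check can be
# tried outside a repo: .env is staged in plaintext, database.yml only as .secret
SAMPLE_MAPPING='config/database.yml:0123abcd
.env'
SAMPLE_STAGED='README.md
.env
config/database.yml.secret'
hook_check "$SAMPLE_MAPPING" "$SAMPLE_STAGED" || echo "demo: commit would be blocked"
```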
To decrypt a file or files, we can use the command:
If you share the repository with other developers and need to add one of them as a user, first import their public gpg key using the command:
gpg --import key.txt
This step allows other devs working on the project with you to encrypt and decrypt the files in your repo. Once their key is imported, we add them to the secrets repository using the command:
git-secret tell email@example.com
This entry associates the user's email with the recently imported gpg key. Once this is done, those devs have access to the data in the repo: they can decrypt and re-encrypt the files with their own gpg key, unlocking it with its passphrase.
Lastly, we can review the contents of a file using the command:
git secret cat filename.ext
If the file is encrypted, git-secret/gpg will ask for your passphrase to decrypt it.
That’s it! You should now have a good working knowledge of git-secret and the many benefits it has to offer. The full documentation for git-secret can be found here.