LinuxCommandLibrary

git-secret

Encrypt files within a Git repository

TLDR

Initialize git-secret in a local repository

$ git secret init

Grant access to the current Git user's email
$ git secret tell -m

Grant access by email
$ git secret tell [email]

Revoke access by email
$ git secret killperson [email]

List emails with access to secrets
$ git secret whoknows

Register a secret file
$ git secret add [path/to/file]

Encrypt secrets
$ git secret hide

Decrypt secret files
$ git secret reveal

SYNOPSIS

git secret [command] [options]

PARAMETERS

add
    Adds files to the list of secrets managed by git-secret.

hide
    Encrypts all files marked as secrets using GPG.

reveal
    Decrypts the hidden files; only users who have been granted access can perform this action.

init
    Initializes git-secret for the repository.

tell
    Adds users (identified by their GPG key) who are allowed to decrypt secrets.

remove
    Removes files from the list of secrets.

list
    Lists all files currently marked as secrets.

whoknows
    Shows which users are allowed to decrypt secrets.

clean
    Removes temporary files.

version
    Prints the version of git-secret.

DESCRIPTION

git-secret is a Bash script that stores encrypted files within a Git repository. It uses GPG (GNU Privacy Guard) for encryption and decryption, so sensitive data stays protected even if the repository itself is compromised. Developers can manage secrets such as API keys, passwords, and configuration files without committing them in plain text. Only users whose GPG keys have been added to the repository's keyring can decrypt the files. The workflow is to mark files as secrets with `git secret add`, encrypt them with `git secret hide`, and share the repository containing the encrypted copies. Authorized users then decrypt the files with `git secret reveal`; users who have not been granted access cannot decrypt them, which also makes the tool useful for meeting compliance requirements. This allows secure collaboration without an external secret management system.

Because each secret can be decrypted only by the users explicitly added to the keyring, git-secret supports the principle of least privilege and is useful for both security and compliance.

CAVEATS

Requires GPG to be installed and configured, and every user needs a correctly set up GPG key pair. Revoking access requires re-encrypting the secrets with `git secret hide`; a user who already holds a copy of the previously encrypted files can still decrypt that copy with their key, so the underlying secret itself should also be rotated. Careful management of GPG keys is crucial for security, and private keys should be backed up.

WORKFLOW EXAMPLE

1. `git secret init`: Initialize git-secret in your repository.
2. `git secret tell`: Add users (by GPG key) who should have access to the secrets.
3. `git secret add [path/to/file]`: Mark the files you want to encrypt as secrets.
4. `git secret hide`: Encrypt the secret files.
5. Commit and push the encrypted repository.
6. On another machine, after cloning, run `git secret reveal` to decrypt files (if authorized).
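A check that fits between steps 4 and 5 above (before committing, or in CI), shown here as an added example that is not part of git-secret or of this page: it reads the list of registered secrets and reports any file that was registered but never hidden, or whose plaintext path is not ignored by Git. The script assumes git-secret's on-disk layout of `.gitsecret/paths/mapping.cfg` holding one `path:hash` (or bare `path`) line per secret, encrypted copies named `<path>.secret`, and plaintext paths appended to `.gitignore`; the repository it inspects is a constructed fixture so the check runs without GPG or git-secret installed.

```shell
#!/bin/sh
# Added example, not git-secret's own code. Assumed layout (see lead-in):
#   .gitsecret/paths/mapping.cfg  -> "path:hash" or "path" per line
#   <path>.secret                 -> GPG ciphertext written by `git secret hide`
#   .gitignore                    -> plaintext path added by `git secret add`

# check_secrets_hidden REPO_ROOT
# Returns 0 when every registered secret has a .secret sibling and its
# plaintext path is ignored; otherwise prints each finding and returns 1.
check_secrets_hidden() {
    repo="$1"
    mapping="$repo/.gitsecret/paths/mapping.cfg"
    status=0
    if [ ! -f "$mapping" ]; then
        echo "no mapping file: $mapping (run git secret init / add first)" >&2
        return 1
    fi
    # Redirected while-loop runs in the current shell, so $status persists.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        path="${line%%:*}"               # drop the ":hash" suffix if present
        if [ ! -f "$repo/$path.secret" ]; then
            echo "MISSING ciphertext: $path.secret (run git secret hide)"
            status=1
        fi
        if ! grep -qxF "$path" "$repo/.gitignore" 2>/dev/null; then
            echo "NOT IGNORED: $path (plaintext could be committed)"
            status=1
        fi
    done < "$mapping"
    return $status
}

# make_fixture: builds a constructed directory that mimics a git-secret repo
# with one correctly hidden secret and one that was registered but never
# hidden. Prints the fixture path. The "ciphertext" is a placeholder string,
# not real GPG output.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.gitsecret/paths" "$dir/config"
    printf 'config/db.env:%s\nconfig/api.key:%s\n' deadbeef cafebabe \
        > "$dir/.gitsecret/paths/mapping.cfg"
    printf 'config/db.env\n' > "$dir/.gitignore"        # api.key not ignored
    echo 'DB_PASSWORD=example' > "$dir/config/db.env"
    echo 'placeholder-ciphertext' > "$dir/config/db.env.secret"
    echo 'example-key-material' > "$dir/config/api.key"  # never hidden
    echo "$dir"
}

# Usage: sh check_secrets_hidden.sh /path/to/repo
if [ "$#" -gt 0 ]; then
    check_secrets_hidden "$1"
fi
```

Run it against a real checkout as a pre-commit hook or a CI step; a non-zero exit means either `git secret hide` was skipped for a registered file or a plaintext path has been removed from `.gitignore`, both of which are the conditions under which a secret ends up committed in the clear.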

SECURITY CONSIDERATIONS

Ensure that GPG private keys are properly protected and never committed to the repository. Rotate GPG keys regularly and re-encrypt the secrets with `git secret hide` after each rotation. Use strong passphrases for GPG keys.

HISTORY

git-secret was created to address the need for a simple and Git-integrated solution for managing secrets within software development projects. It was originally developed to simplify the process of encrypting and decrypting files directly within a Git repository, making it easier for teams to collaborate on projects that require handling sensitive information. It gained popularity as a lightweight and straightforward alternative to more complex secret management systems, especially for smaller teams and projects where a simple, Git-centric approach is preferred.

SEE ALSO

gpg(1), git(1)
