git-secret
Encrypt files within a Git repository
TLDR
Initialize git-secret in a local repository
Grant access to the current Git user's email
Grant access by email
Revoke access by email
List emails with access to secrets
Register a secret file
Encrypt secrets
Decrypt secret files
SYNOPSIS
git secret
PARAMETERS
add
Adds files to the list of secrets managed by git-secret.
hide
Encrypts all files marked as secrets using GPG.
reveal
Decrypts the hidden files; only users who have been granted access can perform this action.
init
Initializes git-secret for the repository.
tell
Adds users (identified by their GPG key) who are allowed to decrypt secrets.
remove
Removes files from the list of secrets.
list
Lists all files currently marked as secrets.
whoknows
Shows which users are allowed to decrypt secrets.
clean
Removes temporary files.
version
Prints the version of git-secret.
DESCRIPTION
git-secret is a Bash script that provides a way to store encrypted files within a Git repository. It uses GPG (GNU Privacy Guard) for encryption and decryption, so sensitive data stays protected even if the repository itself is exposed. The tool lets developers manage secrets such as API keys, passwords, and configuration files without committing them in plain text. git-secret handles the encryption and decryption of the files defined as secrets; decryption is only possible for users whose GPG public keys have been added to the repository's keyring. The workflow is to mark files as secrets with `git secret add`, encrypt them with `git secret hide`, and share the repository containing the encrypted copies. Users who have been granted access can then decrypt the files with `git secret reveal`; anyone else cannot decrypt them, which makes access to secrets explicit and auditable. This allows secure collaboration without an external secret management system.
Because access is granted per user, git-secret helps teams follow the principle of least privilege and supports security and compliance requirements.
CAVEATS
Requires GPG to be installed and configured, and each user needs a correctly set-up GPG key. Revoking a user's access requires re-encrypting the secrets, and a revoked user who already pulled the earlier ciphertext can still decrypt it, so the underlying secret values should be rotated as well. Careful management of GPG keys is crucial for security; consider backing up your secret keys.
WORKFLOW EXAMPLE
1. `git secret init`: Initialize git-secret in your repository.
2. `git secret tell`: Add users (by GPG key) who should have access to the secrets.
3. `git secret add
4. `git secret hide`: Encrypt the secret files.
5. Commit and push the encrypted repository.
6. On another machine, after cloning, run `git secret reveal` to decrypt files (if authorized).
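The workflow above, run end to end as an added example (this script is not part of git-secret or its documentation); it assumes git, gpg and git-secret are installed and constructs a throwaway key, repository and secret file:

```shell
#!/bin/sh
# Added example, not part of git-secret: runs the six workflow steps above in a
# throwaway repository with a throwaway GPG key, then checks that only the
# encrypted copy is tracked and that `git secret reveal` restores the original.
# Assumes git, gpg 2.1+ and git-secret on PATH; identity and secret value are
# constructed. Returns 0 = verified, 77 = skipped (tool missing), 1 = check failed.
must() { "$@" || { echo "FAIL: $*" >&2; exit 1; }; }   # exits the demo subshell only

roundtrip_body() {
    work=$(mktemp -d) || exit 1
    email="demo@example.com"                 # constructed demo identity
    # Isolated keyring so the demo never touches the real ~/.gnupg.
    export GNUPGHOME="$work/gnupg"
    must mkdir -m 700 "$GNUPGHOME"
    must gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo User <$email>" default default never
    repo="$work/repo"
    must mkdir "$repo" && must cd "$repo"
    must git init -q
    must git config user.email "$email" && must git config user.name "Demo User"
    printf 'API_KEY=constructed-demo-value\n' > .env   # the file to protect
    echo '.env' >> .gitignore                          # plaintext must never be tracked
    must git secret init >/dev/null                    # step 1
    must git secret tell "$email" >/dev/null           # step 2: grant access by email
    must git secret add .env >/dev/null                # step 3: register the secret
    must git secret hide >/dev/null                    # step 4: writes .env.secret
    must git add -A && must git commit -qm 'add encrypted secret'   # step 5
    # Check 1: the ciphertext is committed, the plaintext is not.
    must git ls-files --error-unmatch .env.secret >/dev/null
    if git ls-files --error-unmatch .env >/dev/null 2>&1; then
        echo "FAIL: plaintext .env is tracked" >&2; exit 1
    fi
    # Check 2: a fresh clone holds only ciphertext; reveal restores the exact bytes.
    must git clone -q "$repo" "$work/clone" && must cd "$work/clone"
    [ ! -e .env ] || { echo "FAIL: clone contains plaintext" >&2; exit 1; }
    must git secret reveal -f >/dev/null               # step 6: decrypt with the authorized key
    must cmp -s .env "$repo/.env"
    cd / && rm -rf "$work"
    echo "ok: plaintext never tracked; reveal restored the original"
}

git_secret_roundtrip() {
    for tool in git gpg git-secret; do
        command -v "$tool" >/dev/null 2>&1 || { echo "skip: $tool not installed"; return 77; }
    done
    ( roundtrip_body )    # subshell: a failed step exits it without killing the caller
}

case "${1:-}" in run) git_secret_roundtrip ;; esac
```

Save it under any name and run `sh git-secret-demo.sh run`; the exit code reports whether the round trip was verified, skipped, or failed a check.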
SECURITY CONSIDERATIONS
Ensure that GPG keys are properly protected. Avoid committing your private GPG keys to the repository. Regularly rotate GPG keys and re-encrypt secrets for enhanced security. Use strong passphrases for GPG keys.
HISTORY
git-secret was created to address the need for a simple and Git-integrated solution for managing secrets within software development projects. It was originally developed to simplify the process of encrypting and decrypting files directly within a Git repository, making it easier for teams to collaborate on projects that require handling sensitive information. It gained popularity as a lightweight and straightforward alternative to more complex secret management systems, especially for smaller teams and projects where a simple, Git-centric approach is preferred.