git-secret

Initialize git-secret in a local repository

$ git secret init

$ git secret tell -m

$ git secret tell [email]

$ git secret killperson [email]

$ git secret whoknows

$ git secret add [path/to/file]

$ git secret hide

$ git secret reveal

git secret [options]

add
    Adds files to the list of secrets managed by git-secret.

hide
    Encrypts all files marked as secrets using GPG.

reveal
    Decrypts the hidden files, only authorized users can perform this action.

init
    Initializes git-secret for the repository.

tell
    Adds users (identified by their GPG key) who are allowed to decrypt secrets.

remove
    Removes files from the list of secrets.

list
    Lists all files currently marked as secrets.

whoknows
    Shows which users are allowed to decrypt secrets.

clean
    Remove temporary files.

version
    Prints the version of git-secret.

git-secret is a Bash script that provides a way to store encrypted files within a Git repository. It leverages GPG (GNU Privacy Guard) for encryption and decryption, ensuring that sensitive data remains protected even if the repository is compromised. The tool allows developers to easily manage secrets like API keys, passwords, and configuration files without exposing them in plain text. git-secret manages the encryption and decryption of files defined as secrets. Decryption is only possible for users added to the keyring. The workflow involves marking files as secrets using `git secret add`, encrypting them with `git secret hide`, and sharing the encrypted repository. Authorized users can then decrypt the files with `git secret reveal` after they have been granted access to the repository's secrets. If they don't have access, they will be blocked from decrypting, thus making it a tool for compliance. This facilitates secure collaboration without needing external secret management systems.

It helps to follow the principle of least privilege. git-secret is helpful for security and compliance.

Requires GPG to be installed and configured. Users need to have their GPG keys set up correctly. Revoking access requires re-encryption of the secrets. Careful management of GPG keys is crucial for security. Consider backing up your secret keys.

1. `git secret init`: Initialize git-secret in your repository.
2. `git secret tell`: Add users (by GPG key) who should have access to the secrets.
3. `git secret add `: Mark the files you want to encrypt as secrets.
4. `git secret hide`: Encrypt the secret files.
5. Commit and push the encrypted repository.
6. On another machine, after cloning, run `git secret reveal` to decrypt files (if authorized).

Ensure that GPG keys are properly protected. Avoid committing your private GPG keys to the repository. Regularly rotate GPG keys and re-encrypt secrets for enhanced security. Use strong passphrases for GPG keys.

git-secret was created to address the need for a simple and Git-integrated solution for managing secrets within software development projects. It was originally developed to simplify the process of encrypting and decrypting files directly within a Git repository, making it easier for teams to collaborate on projects that require handling sensitive information. It gained popularity as a lightweight and straightforward alternative to more complex secret management systems, especially for smaller teams and projects where a simple, Git-centric approach is preferred.

gpg(1), git(1)