LinuxCommandLibrary

git-secret

Encrypt files within a Git repository

TLDR

Initialize git-secret in a local repository

$ git secret init

Grant access to yourself, using the email from git config user.email (the matching key must be in your GPG keyring)
$ git secret tell -m

Grant access to a teammate whose public key is already in your GPG keyring (run git secret hide afterwards so they become a recipient)
$ git secret tell [email]

Revoke access by email (killperson is the older name; run git secret hide afterwards and rotate the secrets, since old commits stay decryptable)
$ git secret removeperson [email]

List emails with access to secrets
$ git secret whoknows

Register a secret file
$ git secret add [path/to/file]

Encrypt secrets
$ git secret hide

Decrypt secret files
$ git secret reveal

SYNOPSIS

git secret <command> [<args>]

PARAMETERS

init
    Create .gitsecret/ with a GPG keyring (keys/) and the list of tracked paths (paths/mapping.cfg); takes no arguments

tell [-m] [email...]
    Copy a user's GPG public key from your personal keyring into .gitsecret/keys/ (-m uses the email from git config user.email)

whoknows [-l]
    List the emails whose keys can decrypt the secrets (-l also shows key expiration dates)

removeperson <email...>
    Remove a user's public key from .gitsecret/keys/; run hide again afterwards (killperson is the older name of this command)

add <path...>
    Record a file in .gitsecret/paths/mapping.cfg; the file is not copied or encrypted yet, and the path must be ignored by Git so the plaintext is never committed (recent versions append it to .gitignore for you)

hide [-d]
    Encrypt every tracked file to <file>.secret next to the original, for all public keys in .gitsecret/keys/ (-d deletes the plaintext afterwards)

reveal [-f] [-p PASSPHRASE]
    Decrypt every <file>.secret with your private key (-f overwrites existing plaintext, -p supplies the passphrase non-interactively, e.g. in CI)

cat <path...>
    Decrypt a tracked file to stdout without writing it to disk

changes [path...]
    Show the diff between the current plaintext and the contents of <file>.secret

list
    List the files tracked in mapping.cfg

remove [-c] <path...>
    Stop tracking files (-c also deletes the encrypted .secret copy)

clean
    Delete all encrypted .secret files from the working tree

usage
    Print usage information

version
    Print the git-secret version

DESCRIPTION

git-secret is a bash tool for keeping private configuration files (secrets such as API keys, passwords or deployment configs) inside a Git repository in encrypted form. It uses GPG public-key encryption, not a shared symmetric passphrase: every secret is encrypted to the public keys of all users who have been added to the repository keyring, and each user decrypts with their own private key.

Workflow: git secret init creates .gitsecret/, holding a GPG keyring (keys/) and the list of tracked paths (paths/mapping.cfg). git secret tell -m (or git secret tell [email]) copies a public key from your personal GPG keyring into the repository keyring. git secret add file.txt records the path in mapping.cfg; nothing is copied, and the path must be ignored by Git so the plaintext is never committed. git secret hide encrypts each tracked file to file.txt.secret next to the original, for every key in the repository keyring; commit the .secret files together with .gitsecret/ and .gitignore. git secret reveal decrypts them back into place with your private key. Teammates are onboarded by importing their public key (gpg --import), running git secret tell, and re-running git secret hide so the new key becomes a recipient.

There is no automatic decryption on clone: a fresh clone contains only .secret files and public keys, and whoever holds a matching private key runs git secret reveal (reveal -p for non-interactive use in CI, cat to read one file, changes to diff local plaintext against the encrypted copy). Because plaintext is never committed, the layout suits open-source projects with a private deployment part and CI/CD pipelines that need secrets at build time.
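The recipient list described above is baked into each .secret file when hide runs, so the reliable way to know who can decrypt a file is to read it out of the file itself. The script below is an added example, not code from the git-secret project: it parses the output of gpg --list-packets (which gpg prints as one ":pubkey enc packet: ... keyid ..." line per recipient) and compares the key IDs against the ones you expect from the repository keyring. The function names, the temp-file layout and the sample packet dump and expected list at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example, not git-secret's own code: audit which GPG key IDs a .secret file
# was actually encrypted to. Real-repo inputs (not run here) would be:
#   gpg --list-only --list-packets path/to/file.secret              > dump.txt
#   gpg --homedir .gitsecret/keys --list-keys --with-colons \
#       | awk -F: '$1 == "pub" || $1 == "sub" { print $5 }'         > expected.txt
# The demo at the bottom uses constructed copies of both files.

# Print the recipient key IDs from a `gpg --list-packets` dump read on stdin, one per line.
# gpg writes each recipient as ":pubkey enc packet: version 3, algo N, keyid XXXXXXXXXXXXXXXX".
secret_recipients() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# Print every line of file $1 that does not appear (as a whole line) in file $2.
lines_not_in() {
    while IFS= read -r line; do
        if ! grep -Fxq -- "$line" "$2"; then printf '%s\n' "$line"; fi
    done <"$1"
}

# Normalise both inputs into temp files: $got = recipients of dump $2, $want = expected IDs $1.
_load_lists() {
    got=$(mktemp); want=$(mktemp)
    secret_recipients <"$2" >"$got"
    tr 'a-f' 'A-F' <"$1" | sed '/^$/d' | sort -u >"$want"
}

# Expected key IDs (file $1) that are NOT recipients of the dump (file $2):
# non-empty output means someone added with `tell` cannot decrypt until `hide` is rerun.
missing_recipients() {
    _load_lists "$1" "$2"
    lines_not_in "$want" "$got"
    rm -f "$got" "$want"
}

# Recipients of the dump (file $2) that are NOT expected (file $1):
# non-empty output means a removed person can still decrypt this file.
stale_recipients() {
    _load_lists "$1" "$2"
    lines_not_in "$got" "$want"
    rm -f "$got" "$want"
}

# ---- demo on constructed data (a real run feeds the two gpg commands above) ----
demo=$(mktemp -d)
cat >"$demo/dump.txt" <<'EOF'
# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
        data: [2048 bits]
# off=271 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid FEDCBA9876543210
        data: [2048 bits]
# off=542 ctb=d2 tag=18 hlen=2 plen=94 new-ctb
:encrypted data packet:
        length: 94
        mdc_method: 2
EOF
# Constructed keyring state: the first key, plus one added with `tell` after the last `hide`.
printf '0123456789ABCDEF\nAAAAAAAAAAAAAAAA\n' >"$demo/expected.txt"
echo "recipients of file.secret:"; secret_recipients <"$demo/dump.txt"
echo "in keyring but cannot decrypt (rerun git secret hide):"
missing_recipients "$demo/expected.txt" "$demo/dump.txt"
echo "can decrypt but no longer in keyring (removed person: rerun hide and rotate):"
stale_recipients "$demo/expected.txt" "$demo/dump.txt"
rm -rf "$demo"
```

Run it over every .secret file after a tell or removeperson: an empty result from both functions means the committed files match the keyring; anything listed by stale_recipients is a key that was removed but can still open that file, which no amount of re-hiding fixes for the copies already in history.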

CAVEATS

Requires GnuPG (gpg); a passphrase-protected private key needs a running gpg-agent, or reveal -p for non-interactive use. Only public keys are stored in the repository (.gitsecret/keys/), so the repository itself leaks no private key material. The recipient list of each .secret file is fixed when git secret hide runs: after tell or removeperson you must run hide again and commit the result, otherwise the new member cannot decrypt and the removed member still can. Revocation is never retroactive; every .secret already in history stays decryptable by the removed key, so rotate the secrets themselves after removing someone. To see which key IDs a file was actually encrypted to, run gpg --list-only --list-packets file.secret. The plaintext produced by reveal lives unencrypted in the working tree; keep every tracked path gitignored and never git add -f it. To tell someone, their public key must already be in your own GPG keyring (gpg --import); to reveal, your own private key must be available.

INSTALLATION

Linux: packaged for several distributions (apt install git-secret, dnf install git-secret); the project also publishes its own package repositories, so check its installation page for your distribution. macOS: brew install git-secret. From source: git clone https://github.com/sobolevn/git-secret.git, then make build and make install from the checkout (PREFIX selects the install location). For a tool that will handle your secrets, install from a package or a checked-out release tag rather than piping a remote script into a shell.

QUICK START

git secret init
git secret tell -m
git secret add .env
git secret hide
git add .gitsecret .gitignore .env.secret && git commit -m 'add encrypted .env'
git secret reveal
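The quick start only stays safe while every tracked path remains gitignored; a git add -f .env or a stale .gitignore commits the plaintext with no warning from git-secret. The pre-commit guard below is an added example, not part of git-secret: it reads the tracked paths from .gitsecret/paths/mapping.cfg (each entry is a path, optionally followed by a colon and a SHA-256 of the plaintext, which recent versions record so hide -m can skip unchanged files) and refuses the commit if any of those paths is staged. The function names and the constructed mapping.cfg and staged-file lists in the demo are this example's own.

```shell
#!/bin/sh
# Added example, not part of git-secret: refuse any commit that stages the plaintext
# of a path tracked in .gitsecret/paths/mapping.cfg.

# Print the tracked paths from mapping.cfg ($1), one per line. Entries are "path" or
# "path:<64-hex sha256 of the plaintext>"; blank lines and '#' comments are ignored.
tracked_paths() {
    sed -e '/^[[:space:]]*$/d' -e '/^#/d' -e 's/:[0-9a-fA-F]\{64\}$//' "$1"
}

# Print each tracked path (mapping.cfg $1) that also appears in the staged list $2
# (one path per line, as produced by `git diff --cached --name-only`).
staged_plaintext() {
    tracked_paths "$1" | while IFS= read -r p; do
        if grep -Fxq -- "$p" "$2"; then printf '%s\n' "$p"; fi
    done
}

# Return 1 (and say why on stderr) if any plaintext secret is staged, 0 otherwise.
check_commit() {
    bad=$(staged_plaintext "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'git-secret guard: refusing to commit plaintext secrets:\n%s\n' "$bad" >&2
        printf 'Run `git secret hide` and stage the .secret files instead.\n' >&2
        return 1
    fi
    return 0
}

# Entry point for .git/hooks/pre-commit (git runs hooks from the repository root,
# and mapping.cfg paths are relative to that root as well).
run_as_hook() {
    staged=$(mktemp)
    git diff --cached --name-only --diff-filter=ACM >"$staged"
    check_commit .gitsecret/paths/mapping.cfg "$staged"; rc=$?
    rm -f "$staged"
    return $rc
}

# ---- demo on constructed files (a real hook calls run_as_hook instead) ----
demo=$(mktemp -d)
printf '.env:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\nconfig/db.yml\n' \
    >"$demo/mapping.cfg"
printf '.env.secret\nconfig/db.yml.secret\n.gitsecret/paths/mapping.cfg\n' >"$demo/staged_ok"
printf '.env.secret\nconfig/db.yml\nREADME.md\n' >"$demo/staged_bad"
check_commit "$demo/mapping.cfg" "$demo/staged_ok" && echo "ok: only encrypted copies staged"
check_commit "$demo/mapping.cfg" "$demo/staged_bad" || echo "blocked: config/db.yml is plaintext"
rm -rf "$demo"
```

To install it, save the functions as .git/hooks/pre-commit, replace the demo section with run_as_hook || exit 1, and make the file executable; the check costs one git diff per commit and catches the force-add case that .gitignore alone does not.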

HISTORY

Created by Nikita Sobolev (sobolevn) in 2016 as a pure-shell alternative to git-crypt. Hosted on GitHub (sobolevn/git-secret) and maintained with community contributors. Runs on Linux and macOS, and on Windows via WSL.

SEE ALSO

git(1), gpg(1), gpg-agent(1), git-crypt(1)
