Git Secrets

Motivation

During my bramble build I wanted to automate as much as possible of creating files and configuring the cluster, but I also wanted to take at least some minimum steps to be secure during setup. Being able to track secure strings (i.e. passwords) within a version control system was the most direct route for me, and git-secret is a tool that handles that.

The basic idea is that you use personal GPG keys to encrypt individual secrets, and only the encrypted secrets and a list of authorized users are checked into the repo. From there, as long as the computer you're trying to read secrets on has the other half of the GPG key pair (the private key), you can reveal and use the secrets as needed. There's a much deeper write-up at git-secret.io, if you care to read more.

Setup

git-secret Installation

  1. Install using whatever OS installation instructions are correct for you.

Create a gpg Key Pair

  1. Generate key pair : gpg --gen-key
  2. Export public key : gpg --armor --export email@domain.com > public-key.gpg
  3. Export private key : gpg --armor --export-secret-key email@domain.com > private-key.gpg
  4. Save the key pair in a password manager, or a post-it note - I don't care.

Initialize within a git repo

  1. Initialize : git secret init
  2. Add the created directory : git add .gitsecret

This should add .gitsecret/keys/random_seed to your .gitignore file.

  3. Add yourself as a bearer : git secret tell email@domain.com

Add file(s) for encryption

  1. Add a file for secret tracking : git secret add <file>

This should also add the file to your .gitignore.

  2. Encrypt the file : git secret hide
  3. Add the encrypted file : git add <file>.secret

Depending on your .gitignore rules, you may need to pass -f to the last git add command.

Decrypt the files for use

  • Decrypt all files : git secret reveal -f
  • Decrypt a single file to stdout : git secret cat <file>

Overall usage

(Currently) I'm primarily using this to automate the creation of files to initialize my Raspberry Pi cluster. To make this useful, my generation script starts with git secret reveal -f and ends with find . -type f ! -name '*.secret' -delete as a way to set up and tear down secrets. I've also added all of the generated files to my .gitignore file as a precaution against accidental check-in.

It's also suggested to use a pre-commit hook on your repo to ensure that unencrypted secrets aren't accidentally checked into the repo.
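As an added example (not from the original post or from the git-secret project), here is a minimal POSIX sh pre-commit hook that implements that suggestion: it refuses the commit if any staged path is a plaintext file registered with git secret add. It assumes git-secret keeps the registered paths in .gitsecret/paths/mapping.cfg, one per line with the path before the first colon; the check itself is a plain function, so it can be exercised without git-secret installed.

```shell
#!/bin/sh
# Added example: pre-commit hook that blocks unencrypted git-secret files.
# Install as .git/hooks/pre-commit (git runs hooks from the repo root).
# Assumption: .gitsecret/paths/mapping.cfg holds "<path>[:<hash>]" per line.

MAPPING_CFG="${MAPPING_CFG:-.gitsecret/paths/mapping.cfg}"

# list_secret_paths <mapping.cfg>: print one registered plaintext path per line.
list_secret_paths() {
    [ -f "$1" ] || return 0
    # drop blank/comment lines, keep the text before the first ':'
    grep -Ev '^[[:space:]]*(#|$)' "$1" | cut -d: -f1
}

# find_staged_secrets <mapping.cfg> <staged path>...: print every staged path
# that is a registered plaintext secret; exit 1 if any was found, else 0.
find_staged_secrets() {
    mapping="$1"; shift
    secrets=$(list_secret_paths "$mapping")
    found=0
    for staged in "$@"; do
        # exact, whole-line match: "db.env.secret" never matches "db.env"
        if printf '%s\n' "$secrets" | grep -qxF -- "$staged"; then
            printf '%s\n' "$staged"
            found=1
        fi
    done
    return $found
}

# Hook entry point: only runs when git invokes this file as "pre-commit".
if [ "${0##*/}" = "pre-commit" ]; then
    # staged paths are split on whitespace here; fine for typical repo layouts
    staged_paths=$(git diff --cached --name-only --diff-filter=ACMR)
    if ! leaked=$(find_staged_secrets "$MAPPING_CFG" $staged_paths); then
        echo "pre-commit: refusing to commit unencrypted secret(s):" >&2
        printf '  %s\n' $leaked >&2
        echo "run 'git secret hide' and stage the .secret file instead" >&2
        exit 1
    fi
fi
```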