During my bramble build I wanted to automate as much of the file creation and cluster configuration as possible, but also wanted to make sure I was taking at least some minimum steps to be secure during my setup.
Being able to track secret strings (i.e. passwords) within a version control system was the most direct route possible for me.
git-secret is a tool that handles that for me.
The basic idea is that you use personal gpg keys to encrypt individual secrets, and only allow the encrypted secrets and a list of authorized users to be checked into the repo. From there, as long as the computer on which you're trying to read the secrets has the other half of the gpg key pair (the private key), you can reveal and use the secrets as needed. There's a much deeper write-up at git-secret.io, if you care to read more.
- Install using whatever OS installation instructions are correct for you.
gpg Key Pair
- Generate key pair:
- Export public key:
gpg --armor --export firstname.lastname@example.org > public-key.gpg
- Export private key:
gpg --armor --export-secret-key email@example.com > private-key.gpg
- Save the key pair in a password manager, or a post-it note - I don't care.
Initialize within a
- Initialize:
- Add files:
git add .gitsecret
This should add
- Add yourself as a bearer:
git secret tell firstname.lastname@example.org
Add file(s) for encryption
- Add a file for secret tracking:
git secret add <file>
This should add the file to your
- Encrypt the file:
git secret hide
- Add the encrypted file:
git add <file>.secret
Depending on your .gitignore rules, you may need to -f the last
Decrypt the files for use
- Decrypt ALL files:
git secret reveal -f
- Decrypt a single file:
git secret cat <file>
(Currently) I'm primarily using this to automate the creation of the files that initialize my Raspberry Pi cluster. To make this useful, my generation script starts with
git secret reveal -f
and ends with
find . -type f ! -name '*.secret' -delete
as a way to set up and tear down the secrets. I've also added all of the generated files to my .gitignore file as a precaution against accidental check-in.
It's also suggested to use a pre-commit hook on your repo to ensure that unencrypted secrets aren't accidentally checked into the repo.
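Here is an added example of such a pre-commit hook (my own sketch, not code from the git-secret project). It assumes git-secret records the plaintext paths it tracks in .gitsecret/paths/mapping.cfg, one per line, optionally followed by a colon and a hash; the check itself takes a mapping file and a file listing staged paths, so it can be exercised outside of a repo.

```shell
#!/bin/sh
# Pre-commit hook: refuse a commit that stages a plaintext file git-secret tracks.
# Assumption: .gitsecret/paths/mapping.cfg lists tracked paths as "path" or "path:hash".

# tracked_paths MAPPING -> prints the plaintext paths git-secret tracks, one per line
tracked_paths() {
  # drop an optional ":hash" suffix and skip blank lines
  sed -e 's/:.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# check_staged MAPPING STAGED_LIST -> 0 if no tracked plaintext path is staged, 1 otherwise
# STAGED_LIST is a file with one staged path per line (what `git diff --cached --name-only` prints).
check_staged() {
  bad=0
  while IFS= read -r path; do
    # exact whole-line match, so "node.key" does not match "node.key.secret"
    if grep -Fxq -- "$path" "$2"; then
      echo "pre-commit: $path is tracked by git-secret but is staged unencrypted; run 'git secret hide' and stage the .secret file instead" >&2
      bad=1
    fi
  done <<EOF
$(tracked_paths "$1")
EOF
  return $bad
}

# When git runs this file as .git/hooks/pre-commit, check the index and block the commit on a hit.
if [ "${0##*/}" = "pre-commit" ] && [ -f .gitsecret/paths/mapping.cfg ]; then
  staged=$(mktemp)
  git diff --cached --name-only --diff-filter=ACMR > "$staged"
  check_staged .gitsecret/paths/mapping.cfg "$staged"; rc=$?
  rm -f "$staged"
  exit $rc
fi
```

Install it as .git/hooks/pre-commit and make it executable; it complements, rather than replaces, the .gitignore entries for the revealed files.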