How to keep your repository’s sensitive data secure using git-secret

Georgios Goniotakis
5 min read · May 13, 2018


Ever needed to upload a file containing a set of credentials or API keys to your organization’s private code repository? You may think “Hmm… this is a private repository, so there is no risk of my files falling into the wrong hands. Right?”

Unfortunately, this is not the case at all. Do you need to protect the sensitive files in your repository? That is a question only you can answer.

Today, I will show you a fast and reliable way to encrypt your sensitive files before you push them into your code repository. This method can be applied to any repository and any project, no matter what programming language you use.

How does it work?

The working principle of the method I am going to demonstrate is that the owner of the files creates a key, which they use to encrypt a list of sensitive files. They then pass the key to another user so that the other user can decrypt the files on their end.

After generating a key, you will own two keys, a public and a private one. They can be used in two main ways:

  • User 1 encrypts a file using their public key. User 2 has to decrypt the file using User 1’s private key. This method is used when two users need to exchange a file securely.
  • User 1 encrypts a file using their private key. User 2 can decrypt the file using User 1’s public key. This method is used when User 2 wants to know whether the real owner of the file is User 1.
Figure: GPG functionality (image property of GoAnywhere)

If you possess a public key, you can share it with other users (on a public key server, your website, etc.). That way, they can check whether an email or file they received was actually sent by you.

About the guide

List of OSS encryption utilities:

  1. BlackBox
  2. git-crypt
  3. git-secret
  4. password-store
  5. transcrypt
  6. Keyringer

There are several tools available that we can leverage to get the job done. However, in this tutorial, we are going to use git-secret which IMHO is the easiest to install and use.

NOTICE!!! This guide illustrates how to install and use GPG Suite and git-secret on macOS. The process is similar on other operating systems as long as you have a GUI or terminal-based application that produces GPG keys.

Generate a GPG Key

To install GPG Suite for macOS, open a web browser and navigate to https://gpgtools.org/ to acquire it.

During the installation, choose which components of GPG Suite you would like to install and which not (e.g. GPG Mail integrates with your Mail app; disable it if you do not need that functionality). Follow the instructions to finish the installation.

To create a GPG key please:

  1. Open GPG Keychain
  2. Press “New”
  3. In the popup window, fill in a label, your email address and a password for the key. Open the “Advanced Options” menu below, type a comment and choose the length and the expiration of the key.
  4. Press “Generate Key” and you are good to go.
Figure: Generate a GPG key using GPG Suite

You can find more information on how to create a GPG key using Terminal on the blog post here.
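For the terminal route the sentence above links to, here is an added example (not from the article, GPG Suite or the linked post) of gpg’s unattended key generation. It takes the same fields as the GPG Keychain form (label, email, comment, key length, expiration) and turns them into a parameter file. It assumes gpg 2.1 or newer on PATH; the name and email (Jane Doe, jane@example.com) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: terminal equivalent of the GPG Keychain
# form, using gpg's batch ("unattended") key generation. Assumes gpg 2.1+.

# Emit a gpg parameter file for an RSA signing key with an RSA encryption
# subkey. Arguments: real name, email, comment (may be empty), key length in
# bits, expiry (e.g. 1y, 2030-12-31, or 0 for never).
gpg_batch_params() {
    name="$1"; email="$2"; comment="$3"; bits="$4"; expire="$5"
    {
        echo "Key-Type: RSA"
        echo "Key-Length: $bits"
        echo "Key-Usage: sign"
        echo "Subkey-Type: RSA"
        echo "Subkey-Length: $bits"
        echo "Subkey-Usage: encrypt"
        echo "Name-Real: $name"
        # gpg rejects an empty comment, so only emit the line when one is given
        if [ -n "$comment" ]; then
            echo "Name-Comment: $comment"
        fi
        echo "Name-Email: $email"
        echo "Expire-Date: $expire"
        echo "%commit"
    }
}

# Generate the key. No "Passphrase:" line is written on purpose: gpg 2.1+ then
# asks for the passphrase through pinentry instead of reading it from a file.
# The parameter file is fed on stdin, so nothing is left on disk.
generate_gpg_key() {
    gpg_batch_params "$@" | gpg --batch --gen-key
}

# Print the fingerprint of the key matching an email (field 10 of the "fpr"
# record in machine-readable output).
gpg_fingerprint() {
    gpg --list-keys --with-colons --fingerprint "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Runs only when GPG_DEMO=1, since it needs gpg and an interactive pinentry.
if [ "${GPG_DEMO:-0}" = "1" ]; then
    # Constructed sample values; replace with your own name and address.
    generate_gpg_key "Jane Doe" "jane@example.com" "git-secret key" 4096 1y
    gpg_fingerprint "jane@example.com"
fi
```

Choose the expiration the same way you would in the GUI (1y is a common default that can be extended later with gpg --edit-key); an expiry of 0 means the key never expires.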

Encrypt Files using a public key

Afterwards, you will need to install git-secret. The preferred way is via Homebrew (deb, rpm and manual installation are available too). Make sure Homebrew is installed, then install git-secret by typing the following in a terminal window:

brew --version # Check the current version of Homebrew
brew install git-secret # Install git-secret

Using git-secret to encrypt a file:

  1. Make sure you have git, gpg and git-secret installed.
  2. Navigate to the folder which contains your repository on your local machine. If the repo is not yet initialized, type in git init to set it up first.
  3. Run git secret init to initialize the repository using git-secret. As a result, a folder called .gitsecret will appear. Remember not to exclude this folder when pushing to the repository.
  4. Execute one of the following commands: either git secret tell -m (to use the default user.email configured by git) or git secret tell key.owner@email.com (using the email address of the key’s owner).
  5. Run the command git secret whoknows to check if the email address has been added successfully.
  6. Use git secret add PATH (replacing PATH with the absolute or relative path to the file you would like to encrypt).
  7. Repeat Step 6 for all the files you’d like to encrypt.
  8. When the process of defining the list of files for encryption is complete, execute git secret hide to encrypt all the specified files.

Decrypt Files using a private key

To decrypt a file with git-secret, first make sure that the user who encrypted the files has shared their private key and its passphrase with you. Install GPG Suite (instructions above) and import their private key into your keychain using the “Import” option at the top of the application. Then:

  1. Navigate to the repository’s folder on your local machine
  2. Type git secret reveal to decrypt your files

QUICK TIP: If you have already pushed a file containing credentials to your repository, it remains visible in past commits, so encrypting it now will have no effect. Instead, if for example the file contained a set of database credentials, ask the DBA to drop that particular user and create a new one for you. Then put the new credentials into the file and encrypt it.

Problems:

  • git-secret is not able to find the path to my GPG keys (use git secret tell your@email.com -d /PATH/TO/.gnupg, pointing -d at your .gnupg folder)
  • git-secret shows an error mentioning lack of permissions (change the permissions of the ~/.gnupg folder and its subfolders)
  • When typing git secret tell my@email.com, I get a series of errors (try both solutions listed above; if that does not work, move the folder containing your repository to a different location such as Desktop)
  • Trying to add a file using git-secret yields a “these files are not ignored” error. Add the path of the file you are trying to encrypt to your .gitignore file first.
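The encryption steps above (steps 2 to 8), the QUICK TIP about files already in history and the “these files are not ignored” problem can be folded into one script. What follows is an added example, not code from the article or from the git-secret project. It assumes that git-secret keeps its file list in .gitsecret/paths/mapping.cfg (one path per line, optionally followed by :checksum) and writes the ciphertext beside the plaintext as <path>.secret; the demo values key.owner@email.com and config/database.yml are placeholders, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example, not code from the article or the git-secret project. It scripts
# the article's encryption steps and adds a hygiene check that a pre-commit hook
# or CI job can run before anything is pushed. Assumptions: git-secret keeps its
# file list in .gitsecret/paths/mapping.cfg ("path" or "path:checksum" per line)
# and writes the ciphertext next to the plaintext as "<path>.secret".

# Print the plaintext paths git-secret manages, dropping any trailing checksum.
secret_mapping_paths() {
    mapping="$1/.gitsecret/paths/mapping.cfg"
    [ -f "$mapping" ] || return 1
    sed -e 's/:[^:]*$//' -e '/^[[:space:]]*$/d' "$mapping"
}

# Is the plaintext ignored? Inside a git checkout "git check-ignore" is the
# authority; otherwise fall back to an exact line match in .gitignore.
is_ignored() {
    if command -v git >/dev/null 2>&1 && [ -d "$1/.git" ]; then
        (cd "$1" && git check-ignore -q -- "$2")
        return
    fi
    [ -f "$1/.gitignore" ] && grep -qxF -- "$2" "$1/.gitignore"
}

# Return 0 when every managed file is ignored and has a .secret counterpart;
# otherwise report each problem on stderr and return 1.
check_secret_hygiene() {
    repo="$1"
    problems=0
    paths=$(secret_mapping_paths "$repo") || { echo "no mapping.cfg under $repo" >&2; return 1; }
    for p in $paths; do
        if ! is_ignored "$repo" "$p"; then
            echo "NOT IGNORED:   $p (add it to .gitignore before git secret add)" >&2
            problems=$((problems + 1))
        fi
        if [ ! -f "$repo/$p.secret" ]; then
            echo "NOT ENCRYPTED: $p (run git secret hide)" >&2
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Was the plaintext ever committed? If so, encrypting it now does not help and
# the credential must be rotated, as the QUICK TIP above says. Needs git.
plaintext_in_history() {
    (cd "$1" && git log --all --oneline -- "$2" | grep -q .)
}

# The article's steps 2-8 for one key owner and a list of files. Each file is
# added to .gitignore first, which avoids the "these files are not ignored"
# error. Runs only when GIT_SECRET_DEMO=1, since it needs git, gpg and git-secret.
encrypt_with_git_secret() {
    repo="$1"; owner_email="$2"; shift 2
    cd "$repo" || return 1
    [ -d .git ] || git init
    [ -d .gitsecret ] || git secret init
    git secret tell "$owner_email"
    git secret whoknows
    for f in "$@"; do
        grep -qxF -- "$f" .gitignore 2>/dev/null || echo "$f" >> .gitignore
        git secret add "$f"
    done
    git secret hide
    for f in "$@"; do git add "$f.secret"; done
    git add .gitignore .gitsecret
    check_secret_hygiene "$repo"
}

if [ "${GIT_SECRET_DEMO:-0}" = "1" ]; then
    # Constructed sample values; replace with your repo path, key owner and files.
    encrypt_with_git_secret "$PWD" "key.owner@email.com" "config/database.yml"
fi
```

Run the script with GIT_SECRET_DEMO=1 inside a checkout to execute the steps; calling check_secret_hygiene from a pre-commit hook catches a managed file that has lost its .gitignore entry or has no .secret counterpart, and plaintext_in_history tells you whether the plaintext was ever committed before you decide whether rotating the credential is needed.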

Useful Resources:
