Use git-crypt for secrets


Workflow to safely store secrets in Git repository

Sometimes it is unavoidable to store secrets such as passwords or private keys in a repository. git-crypt is a tool that can be used to do this safely.

Below I describe how to use git-crypt to store secrets safely.

Assumptions / Prerequisites

  1. You have git installed on your machine.
  2. You have a repository cloned locally where you want to store encrypted secrets.
  3. You have gpg installed on your machine.

Installing git-crypt

Windows

  1. Install msys2 and g++ for Windows (instructions here).
  2. Make sure /mingw64/bin is in your PATH.
  3. Run the following commands:

git clone git@github.com:AGWA/git-crypt # clone the git-crypt repo
cd git-crypt # change into the repo folder
make # build the executable

Mac OS X

brew install git-crypt

Ubuntu

sudo apt-get update -y
sudo apt-get install -y git-crypt

Initializing the Git repo with git-crypt

Now you need to initialize the git repo with git-crypt to start encrypting the secrets. In your terminal, go into the repo folder and run the following command:

git-crypt init

This generates a symmetric key for encrypting your files. The key is stored at .git/git-crypt/keys/default

Configure files to be encrypted

Now comes the part where you tell git-crypt which files it needs to encrypt. For this, git-crypt relies on the .gitattributes file at the root of the repository. An example file:

Folder1/* filter=git-crypt diff=git-crypt
Folder2/abcd.secret filter=git-crypt diff=git-crypt
foo/bar/* filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
.gitattributes !filter !diff

Checking status and committing and pushing the repo

Once you have created the .gitattributes file, check the status of your repo by running the command below at the repo's root.

git-crypt status

It lists the encryption status of every file. Verify that every required file is encrypted. Now make a git commit. To be 100% sure, run the git-crypt status command again after committing and verify that the required files are encrypted. Now you can safely push your changes.
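A small audit script, added here as an example and not part of git-crypt or this post, that checks committed blobs against the .gitattributes rules above: every git-crypt blob starts with the 10-byte header \0GITCRYPT\0, so a file the rules say must be encrypted but which lacks that header was committed in clear. The pattern matcher is a simplified approximation of gitattributes matching (no ** support), committed_blob is a hypothetical helper that shells out to git show, and the sample rules and blobs are constructed.

```python
import re
import subprocess

GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"  # 10-byte header git-crypt puts in front of every encrypted blob

# Constructed sample: the .gitattributes rules from this page
SAMPLE_GITATTRIBUTES = """\
Folder1/* filter=git-crypt diff=git-crypt
Folder2/abcd.secret filter=git-crypt diff=git-crypt
foo/bar/* filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
"""
# Constructed sample of committed blobs (path -> bytes as stored in the commit)
SAMPLE_BLOBS = {
    "Folder1/db.yml": GITCRYPT_MAGIC + b"\x01" * 12 + b"ciphertext...",
    "certs/server.key": b"-----BEGIN PRIVATE KEY-----\n...",  # committed in clear
    "README.md": b"# docs\n",
}

def _pattern_to_regex(pattern):
    # Simplified gitattributes matching: '*' and '?' never cross '/', a pattern
    # without '/' matches the basename at any depth, and '**' is not supported.
    body = re.escape(pattern.lstrip("/")).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    prefix = "" if "/" in pattern else "(?:.*/)?"
    return re.compile(prefix + body)

def should_be_encrypted(path, gitattributes_text):
    # Last matching rule wins: that is how '.gitattributes !filter !diff' stays in clear
    encrypted = False
    for line in gitattributes_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if not _pattern_to_regex(fields[0]).fullmatch(path):
            continue
        if "filter=git-crypt" in fields[1:]:
            encrypted = True
        elif "!filter" in fields[1:] or "-filter" in fields[1:]:
            encrypted = False
    return encrypted

def committed_blob(path, rev="HEAD"):
    # Bytes as stored in the commit, not the (transparently decrypted) working copy
    return subprocess.run(["git", "show", f"{rev}:{path}"], check=True, capture_output=True).stdout

def audit(gitattributes_text, blobs):
    # Paths the rules say must be encrypted but whose committed blob lacks the header
    return sorted(path for path, data in blobs.items()
                  if should_be_encrypted(path, gitattributes_text) and not data.startswith(GITCRYPT_MAGIC))
```

In a real repository, build the blobs dict from git ls-files and committed_blob so the check runs against what was actually pushed, not the decrypted working tree; for the constructed sample, audit returns ['certs/server.key'].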

Generating gpg key

If you are not the one initializing git-crypt in the repository but want to use an already initialized repo, you will need to share your gpg public key with a colleague, who can then add your key to the repo. Use the command below to generate a gpg key.

gpg --generate-key

You will be asked for information such as your name, email id and passphrase (choose a strong passphrase).

Sharing gpg key

Once you have generated your gpg key successfully, you will need to share your public key. I am going to describe the option that does not require a key server. List your gpg keys:

gpg --list-keys

The output will look something like this:

pub   rsa4096 2019-08-09 [SC]
      CF340A1096E6902CD20C0885EFEB3C59F14B7F30
uid           [ultimate] saurabh kumar agrawal <saurabh_kumar.agrawal1@mail.schwarz>

Copy the key fingerprint (the long hexadecimal value) and use it in the command below:

gpg --armor --export --output /path/youwanttosave/my_pubkey.gpg CF340A1096E6902CD20C0885EFEB3C59F14B7F30

The above command exports your public key to the file you named in the command, which you can then share with your colleagues.

Importing the gpg key

If you are going to add a gpg key (shared by your teammate) to the repo, you will first need to import that key into your own keyring. Use the command below:

gpg --import user_pubkey.gpg

Once you have executed the above command, you can use gpg --list-keys to verify that the imported key appears in your keyring. Now that you have imported the key, you will need to raise its "trust" level.

gpg --edit-key CF340A1096E6902CD20C0885EFEB3C59F14B7F30

This opens a gpg prompt, gpg>. Enter trust and then 5 for the highest trust level. Type y and press Enter if asked for confirmation. Then type save to save the changes and quit to exit the edit mode.

Adding the user

Once the gpg key has been trusted, you can add it to the repo with this command:

git-crypt add-gpg-user --trusted CF340A1096E6902CD20C0885EFEB3C59F14B7F30

This command automatically creates a commit with the new user's key added to the repository. Push the changes to the remote repo.

Unlocking git repo

Once the user's key has been added and pushed, they can pull the repository and run the following command to view the encrypted content:

git-crypt unlock # provide the passphrase used when creating the gpg key

Now you have a simple and secure way to put secrets in your repository.