Store credentials or secret information in a git repository in encrypted form.

A few days back I was browsing through a user's GitHub repository and found secret information that was not supposed to be there. If it is really required to store credentials in the repository, there are ways to store them in encrypted form. So how do you store credentials or secret information in a git repository securely, so that others cannot read it?

git-crypt can be used to solve this problem. Only you, or someone you grant access to, will be able to unlock the secret files.

Steps for using git-crypt to store secret information:

Step 1: Install git-crypt

On Ubuntu System
apt install git-crypt

On Centos
yum install git-crypt

Step 2: Initialize repository with git-crypt

Now that git-crypt is installed, create a git repository (if you already have one, skip this step). Go to the git repository and initialize it with git-crypt.
git-crypt init

Step 3: Add gpg keys to the repo

Go to the git repo and run the command below.
git-crypt add-gpg-user <gpg key id or email>

Step 4: Create .gitattributes file

git-crypt reads the .gitattributes file to determine which files are to be encrypted.
touch .gitattributes

So we need to create a .gitattributes file and specify in it the patterns (for example, the extensions) of the files to be encrypted. The .gitattributes file uses wildcards to match file names. Make sure that you do not encrypt the .gitattributes file itself; if you do, you won't be able to decrypt your repo. Make sure your .gitattributes rules are in place before you add sensitive files, or those files will be committed unencrypted. You can also create the .gitattributes file directly in step 5.

Step 5: Put entry for encrypted files in .gitattributes file

vim .gitattributes
Add the entries below to the .gitattributes file (modify the extensions and file paths according to your requirements):

*.key filter=git-crypt diff=git-crypt
*.pem filter=git-crypt diff=git-crypt
.gitattributes !filter !diff

That's all. Now you can add files, and all files with the .key or .pem extension in that directory or its subdirectories will be encrypted. The last entry makes sure that we do not encrypt the .gitattributes file itself. Now we can add secret files to our repository.

Step 6: Create a test.pem file to test whether the repository is locked or not.

test.pem can be used to check whether the repository is locked or not.
echo "Repository is unlocked" > test.pem

Step 7: Add, commit and push the changes.

Note: In order to lock your repository you need to commit the .gitattributes and test.pem files; without committing the changes you won't be able to lock and unlock the repository.
Commit and push all your changes to the remote server.
git add .
git commit -m "Adding .gitattributes and test.pem file"
git push

Step 8: Locking and Unlocking the repository.

To lock the repo run the following command:
git-crypt lock

To unlock the repo run the following command:
git-crypt unlock

(A password prompt will be shown; enter the passphrase for your gpg key.)

A few things to take care of while using git-crypt:
1 Do not add files before putting their entries in the .gitattributes file.
2 To give access to multiple users, import their public gpg keys, add them to the repo using step 3 and push the changes.
3 Don't forget to add and commit the changes before locking the repository.
4 Don't encrypt the .gitattributes file; if you do so you won't be able to unlock your repo.
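A way to verify point 1 before pushing, as an added example that is not part of the original post: the script below lists every committed path whose filter attribute is git-crypt, reads the stored blob with git cat-file, and checks that it starts with the 10-byte header git-crypt writes (NUL, "GITCRYPT", NUL). It assumes only that git is installed; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks that every committed
# file whose .gitattributes filter is git-crypt is stored encrypted. An
# encrypted git-crypt blob starts with the 10-byte header NUL "GITCRYPT" NUL.
GIT_CRYPT_MAGIC='00 47 49 54 43 52 59 50 54 00'   # the header as hex bytes

# has_git_crypt_header FILE: succeed if FILE starts with the git-crypt header.
has_git_crypt_header() {
    first10=$(dd if="$1" bs=10 count=1 2>/dev/null | od -An -tx1 |
              tr -s ' \n' ' ' | sed 's/^ //; s/ $//')
    [ "$first10" = "$GIT_CRYPT_MAGIC" ]
}

# check_committed_secrets [REF]: list paths in REF (default HEAD) whose filter
# attribute is git-crypt, read each stored blob with git cat-file (raw object,
# no smudge or textconv applied), and fail if any was committed as plaintext,
# which is what happens when a file is added before its .gitattributes entry.
check_committed_secrets() {
    ref=${1:-HEAD}
    blob=$(mktemp); bad=$(mktemp)
    git ls-tree -r --name-only "$ref" | git check-attr --stdin filter |
    while IFS= read -r line; do
        case $line in
            *': filter: git-crypt') path=${line%: filter: git-crypt} ;;
            *) continue ;;                  # filter unspecified or unset: skip
        esac
        git cat-file -p "$ref:$path" > "$blob"
        if has_git_crypt_header "$blob"; then
            echo "encrypted: $path"
        else
            echo "$path" >> "$bad"          # temp file: the loop is a subshell
        fi
    done
    if [ -s "$bad" ]; then
        echo "ERROR: committed in plaintext despite a git-crypt rule:" >&2
        sed 's/^/  /' "$bad" >&2
        rm -f "$blob" "$bad"
        return 1
    fi
    rm -f "$blob" "$bad"
}

# Usage: sh check-git-crypt.sh [REF], run inside the repository before pushing.
if [ "$#" -gt 0 ]; then
    check_committed_secrets "$@"
fi
```

A non-zero exit means at least one matching file was stored as plaintext; git-crypt status -f and a fresh commit (and, since the plaintext blob stays in history, a rotation of that secret) are then needed.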

All commands in one go :
apt install git-crypt
cd REPO_NAME
git-crypt init
git-crypt add-gpg-user <gpg key id or email>
echo "*.pem filter=git-crypt diff=git-crypt" >> .gitattributes
echo "Repository is unlocked" > test.pem
git add .
git commit -m "Adding .gitattributes and test.pem file"
cat test.pem
git-crypt lock
cat test.pem
git push

Output of all the above commands