git-crypt
git-crypt is an extension to the Git source code management software that transparently encrypts secrets stored in versioned files. It's useful in operations teams for storing bootstrapping credentials.
Installation
On Linux, use your distribution's package manager.
On macOS:
brew install git-crypt
Initialising a repository
First, generate a key:
git-crypt init
Then list the files you'd like encrypted in the .gitattributes file:
*.secure.tfvars filter=git-crypt diff=git-crypt
Note the filter attribute, which configures git-crypt's clean and smudge filters to run on check-in and checkout (the diff attribute makes git diff show the decrypted contents).
Checking file status
Ensure that files are in the expected state:
$ git-crypt status
not encrypted: README.md
encrypted: user.secure.tfvars
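git-crypt status only reports whether each file is encrypted as currently committed; a secret committed before its pattern was added to .gitattributes remains in plaintext in older commits. The following audit script is an added example, not part of git-crypt or of this page: it reads the filter=git-crypt patterns from HEAD's .gitattributes, walks every commit and flags blobs at matching paths that lack git-crypt's header. It assumes git is on PATH and the repository's .gitattributes sits at the root, and its pattern matching is an approximation of gitattributes rules.

```python
import fnmatch
import subprocess

# git-crypt prefixes every encrypted blob with this 10-byte magic (a 12-byte nonce follows it).
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"

def is_gitcrypt_blob(data: bytes) -> bool:
    """True if the blob carries git-crypt's header, i.e. it went through the clean filter."""
    return data[:len(GITCRYPT_MAGIC)] == GITCRYPT_MAGIC

def gitcrypt_patterns(gitattributes: str) -> list[str]:
    """Collect the path patterns in a .gitattributes file that set filter=git-crypt."""
    patterns = []
    for line in gitattributes.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            pattern, *attrs = line.split()
            if "filter=git-crypt" in attrs:
                patterns.append(pattern)
    return patterns

def should_be_encrypted(path: str, patterns: list[str]) -> bool:
    """Approximate gitattributes matching: a pattern without '/' matches the basename at any depth."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(path, p) or ("/" not in p and fnmatch.fnmatch(name, p))
               for p in patterns)

def _git(*args: str, repo: str) -> bytes:
    return subprocess.run(["git", "-C", repo, *args], check=True, capture_output=True).stdout

def audit_history(repo: str = ".") -> list[tuple[str, str]]:
    """(commit, path) pairs where a path that HEAD's .gitattributes says must be encrypted
    was committed as plaintext anywhere in history (e.g. before the rule was added)."""
    patterns = gitcrypt_patterns(_git("show", "HEAD:.gitattributes", repo=repo).decode())
    leaks = []
    for commit in _git("rev-list", "--all", repo=repo).decode().split():
        for entry in _git("ls-tree", "-r", commit, repo=repo).decode().splitlines():
            meta, path = entry.split("\t", 1)  # "<mode> <type> <oid>\t<path>"
            _mode, otype, oid = meta.split()
            if otype == "blob" and should_be_encrypted(path, patterns):
                if not is_gitcrypt_blob(_git("cat-file", "blob", oid, repo=repo)):
                    leaks.append((commit, path))
    return leaks

if __name__ == "__main__":
    for commit, path in audit_history():
        print(f"plaintext in history: {commit[:12]} {path}")
```

A non-empty result means the plaintext is recoverable by anyone with clone access, so rotating the secret matters more than rewriting history.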
Adding contributors
First, the contributor's public key must be imported into your GnuPG keyring and trusted; see the importing instructions in gnupg.
To add a key:
git-crypt add-gpg-user 'Name <email>'
You can also use just an email address, or a key ID. This commits a copy of the repository key, encrypted to that GPG key, under .git-crypt/keys so that the user can unlock the repository later.
Unlocking repositories
git-crypt supports unlocking either with the exported symmetric key or with a GPG key that has been added as a contributor.
After checking in the changed files and pushing them, have the user on the other end fetch, then try unlocking:
git-crypt unlock
The symmetric key can be exported from an unlocked repository:
git-crypt export-key out.key.bin
Then use it on a locked copy:
git-crypt unlock out.key.bin
Automating
In continuous delivery settings it'll be necessary to automate unlocking the repository to read the contents of encrypted files. To achieve this, you'll need to generate a dedicated GPG keypair, add it as a contributor as described above, and make it available to the automation pipeline in some secure way, e.g. via a "secret" environment variable. As many mechanisms will corrupt the contents (e.g. by stripping newlines), base64 encoding the keys can be useful.
Assuming the keys are made accessible as environment variables:
#!/usr/bin/env bash
# Decode the PGP secret key (encoded in base64 in the secret variables to
# preserve special characters, like newlines), import it into the GnuPG
# keyring and delete it from the filesystem to minimise risk of compromise.
# Install git-crypt, and unlock the repository.
set -euo pipefail   # stop at the first failure so a broken import never reaches the unlock step
base64 -d <<<"$GIT_CRYPT_PGPKEY_PUBLIC" >public.key
base64 -d <<<"$GIT_CRYPT_PGPKEY_PRIVATE" >private.key
gpg --batch --import public.key
gpg --batch --import private.key
rm -f public.key private.key
sudo apt-get install -y git-crypt
git-crypt unlock