Created
December 18, 2018 22:04
-
-
Save bobhenkel/4eabdf490d68e1d81d31cb696a87ca95 to your computer and use it in GitHub Desktop.
git-crypt basic usuage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://coderwall.com/p/kucyaw/protect-secret-data-in-git-repo | |
''' | |
We use Ansible to manage our infrastructure, so a lot of configurations are stored in a git repository. Some of this configuration are potential dangerous if made public (like SSL certificate, GPG keys, ...) therefore we prefer to encrypt this data in the git repository. | |
To encode this data we use git-crypt. | |
Install git-crypt | |
Depending on your OS you need to install git-crypt, with homebrew is really simple: | |
brew install git-crypt | |
and after completing download you can run it: | |
$ git-crypt --help | |
And you can read: | |
Usage: git-crypt COMMAND [ARGS ...] | |
Valid commands: | |
init KEYFILE - prepare the current git repo to use git-crypt with this key | |
keygen KEYFILE - generate a git-crypt key in the given file | |
Plumbing commands (not to be used directly): | |
clean KEYFILE | |
smudge KEYFILE | |
diff KEYFILE FILE | |
Init a new repo | |
You need a git repo to start, let's create one and initialize it: | |
mkdir -p ~/ansible/test_crypt | |
cd ~/ansible/test_crypt | |
git init . | |
now we need to inizialize git-crypt in repo, before this we need to create a encrypt key (if you already have a key from other source, like someother that send you file skyp this step): | |
git-crypt keygen ~/ansible/crypt-key | |
this key need to be out of repo (otherwise if a use can clone repo can also decode your file). | |
Now we enable git-crypt on our repo: | |
cd ~/ansible/test_crypt | |
git-crypt init ~/ansible/crypt-key | |
Crypt files | |
We are ready to insert some file and crypt they in our repo. This operation is really easy, we just edit .gitattributes file: | |
vi ~/ansible/test_crypt/.gitattributes | |
and specify what files need to be encoded, eg: | |
*.cert filter=git-crypt diff=git-crypt | |
*.key filter=git-crypt diff=git-crypt | |
*.crt filter=git-crypt diff=git-crypt | |
*.gpg filter=git-crypt diff=git-crypt | |
but we can also encode specific files (eg files with passwords): | |
vars/agavee.com/passwords.yml filter=git-crypt diff=git-crypt | |
Start test | |
Create a simple file in repo and commit it: | |
echo "This is a public file" > README.md | |
echo "my_key" > secret.key | |
git add README.md | |
git add secret.key | |
git add .gitattributes | |
git commit -m "Init repo" | |
# we can also add remote and push on remote | |
We can read content of files: | |
cat README.md | |
cat secret.key | |
but if someone clone our repo? | |
git clone ~/ansible/test_crypt ~/ansible/thief | |
cat ~/ansible/thief/README.md | |
cat ~/ansible/thief/secret.key | |
as you can see user that clone our repo can't read content of secret file, if we supply the key to our firend it can add the key to repo and file content wll be visible: | |
git clone ~/ansible/test_crypt ~/ansible/friend | |
cd ~/ansible/friend | |
git-crypt init ~/ansible/crypt-key | |
cat ~/ansible/friend/README.md | |
cat ~/ansible/friend/secret.key | |
NB: never store crypt key in the same server of you repo! | |
Note | |
git-crypt actually is at version 0.3, there may be backwards-incompatible changes introduced before version 1.0. | |
git-crypt encrypts files using AES-256 in CTR mode with a synthetic IV | |
derived from the SHA-1 HMAC of the file. | |
The AES key is stored unencrypted on disk. The user is responsible for | |
protecting it and ensuring it's safely distributed only to authorized | |
people. | |
There are also plans to add additional key management schemes, such as passphrase-derived | |
keys and keys encrypted with PGP. | |
git-crypt is NOT NOT NOT NOT NOT designed to encrypt an entire repository. | |
Authored by Marco Vito Moscaritolo | |
''' | |
https://starkandwayne.com/blog/secure-your-boshworkspace-with-git-crypt/ | |
Handy but not needed to make gpg key creation and managment easier -> https://gpgtools.org/#gpgsuite |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment