Secure your credentials using git-crypt

Prasanna
Published in Francium Tech
3 min read, Aug 27, 2019


It is a well-established fact that sensitive information such as AWS access keys, credentials and SSH private keys should not be stored in a repository, even if it is a private repository.

There are tools (such as git-secrets and talisman) that scan your repository and report any sensitive information before you push your code.

That said, for smaller projects there is a lot of convenience in storing the credentials along with the source code. Many things become much simpler: project setup, and avoiding additional services such as HashiCorp Vault, Ansible Vault or AWS Parameter Store just to manage secrets.

In this post we will look at the tool git-crypt and how it helps in encrypting sensitive information, even when it is part of the source code.

Git Crypt

As mentioned in its description, it provides transparent encryption and decryption of sensitive files in a git repository.

How to setup git-crypt and repository to use it?

Install git-crypt, then go to the project repository and initialise git-crypt there,

brew install git-crypt

git-crypt init

What are the sensitive files?

git-crypt identifies the sensitive files through the .gitattributes file. Create the file with the following contents,

secrets/* filter=git-crypt diff=git-crypt

This means all the files under the folder secrets/ are sensitive information and must be encrypted.

How to encrypt / decrypt the secrets?

This is a seamless process: git-crypt applies the encryption transparently through git's clean/smudge filters, so the contents you push are already encrypted. If you specifically want to encrypt (lock) or decrypt (unlock) the files in your working copy, you can use these commands,

git-crypt lock

git-crypt unlock <secret-file-to-unlock>

In locked mode, all the sensitive files are encrypted, like below,

Encrypted Terraform Credentials
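As an added example (not from the post and not git-crypt's own code), the following Python check ties the .gitattributes rules to the locked state shown above: it reads the patterns that carry filter=git-crypt and reports any matching committed blob that does not start with the git-crypt header, which is what a CI or pre-push job can run to confirm secrets never reached the repository in the clear. The sample attributes and blobs are constructed; on a real repository you would fill the dictionary from `git show HEAD:<path>` for each path listed by `git ls-tree -r --name-only HEAD`.

```python
"""Added example, not git-crypt's own code: confirm that every path that
.gitattributes marks with filter=git-crypt is actually stored encrypted."""
import re

# Every git-crypt encrypted blob begins with this 10-byte magic header.
GIT_CRYPT_MAGIC = b"\x00GITCRYPT\x00"

def is_git_crypt_encrypted(blob: bytes) -> bool:
    """True if the committed bytes carry the git-crypt header."""
    return blob.startswith(GIT_CRYPT_MAGIC)

def _pattern_to_regex(pattern: str) -> re.Pattern:
    """gitattributes glob -> regex: '*' and '?' never cross '/', '**' does."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
            continue
        c = pattern[i]
        out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def git_crypt_patterns(gitattributes: str) -> list:
    """Patterns (first column) whose attributes include filter=git-crypt."""
    rows = [ln.split() for ln in gitattributes.splitlines()]
    return [r[0] for r in rows if r and r[0][0] != "#" and "filter=git-crypt" in r[1:]]

def _matches(path: str, pattern: str) -> bool:
    # As in .gitignore: no '/' in the pattern means match the basename anywhere.
    target = path if "/" in pattern else path.rsplit("/", 1)[-1]
    return _pattern_to_regex(pattern.lstrip("/")).match(target) is not None

def find_plaintext_secrets(gitattributes: str, blobs: dict) -> list:
    """Paths that should be encrypted but whose committed blob is plaintext."""
    patterns = git_crypt_patterns(gitattributes)
    return sorted(path for path, data in blobs.items()
                  if any(_matches(path, p) for p in patterns)
                  and not is_git_crypt_encrypted(data))

# Constructed sample: blobs as `git show HEAD:<path>` would return them.
SAMPLE_ATTRIBUTES = "secrets/* filter=git-crypt diff=git-crypt\n*.pem filter=git-crypt\n"
SAMPLE_BLOBS = {
    "secrets/aws.tfvars": GIT_CRYPT_MAGIC + b"\x01" * 12 + b"<ciphertext>",
    "secrets/db.yml": b"password: hunter2\n",  # leaked in the clear
    "deploy/server.pem": b"-----BEGIN PRIVATE KEY-----\n",  # leaked in the clear
    "secrets/nested/x.txt": b"plain",  # not matched by secrets/*; needs secrets/**
}
```

Note the pattern semantics the check follows from git itself: `secrets/*` matches only files directly under secrets/, so a file in a subfolder is silently left unencrypted unless the pattern is `secrets/**`.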

How to give permission to fellow developers?

There are two ways of giving access to the sensitive information: using a symmetric key, or using each developer's gpg key.

Symmetric Key

First we create the symmetric key (let's name it secret-file-to-unlock) using the command,

git-crypt export-key secret-file-to-unlock

Then share the symmetric key with the developers securely, using gpg or another secure channel. Once they have this file they can unlock the secrets, make modifications, and lock them again.

Remember to add the key file (secret-file-to-unlock) to .gitignore to prevent accidentally committing it to the repository.

This approach is similar to Ansible Vault and other techniques that use a single master key file to encrypt all the secrets.

It is much simpler to use, but securing this master key file and sharing it with others is the problem here.

GPG Keys

In this mechanism we add each developer to the repository using their gpg key. Only these users will be able to decrypt the credentials. To generate the gpg keys,

gpg --full-generate-key

gpg --list-keys --keyid-format LONG  # note the KEYID, the value after "pub rsa2048/"

gpg --export -a "Your Name" > public.key

Share the public key and the key ID with the repository admin, who can import your gpg key into their keychain and add you to git-crypt,

gpg --import public.key

git-crypt add-gpg-user --trusted <KEY-ID>

This method is a little more difficult to set up, but it is more secure, since there is no shared key file to distribute.

You can check the list of files that are encrypted using the command,

git-crypt status -e

I hope this post helps you maintain your credentials securely in a Git repository.

Francium Tech is a technology company laser focused on delivering top quality software of scale at extreme speeds. Numbers and Size of the data don’t scare us. If you have any requirements or want a free health check of your systems or architecture, feel free to shoot an email to contact@francium.tech, we will get in touch with you!
